Ransomware Recovery: Langs Building Supplies “We’ve Been Hacked!”

Every CIO’s Worst Nightmare

It was 4:00 in the morning, May 20, 2021. Matthew Day, CIO of Langs Building Supplies (Langs) was excited for a long-anticipated holiday after 14 months of lockdown due to COVID-19. His wife was thrilled. His friends, ecstatic. But the day took an unexpected turn. Instead of waking up delighted to leave for his getaway, Day woke up to every CIO’s worst nightmare, the dreaded phone call: “We’ve been hacked.”

Upon arrival at his office, he tried to bring up the system. Nothing. Instead, what came up was a ransom note, “You’ve been hacked.” This is when he realized this was not just an unplanned outage. It was a targeted attack. Langs was profiled. The hackers looked at their business, and they took their time. They found a source that Langs trusted implicitly. 

When you think of ransomware attacks, it’s easy to imagine squads of shadow-dwelling hackers circumventing impregnable firewalls behind black screens of darting green text. The reality is that something as devastating as a ransomware attack can start as simple as an everyday phishing attack that any IT team would be familiar with.

The attack on Langs started with just another phishing email. The gang behind the attack began by composing an email intended to appear ordinary. In this email, recipients were encouraged to click a web link that would allow them to access a purchase order. While the link did take users to a web portal with a login prompt that appeared normal, it was actually a convincing impersonation of the real thing. As the hackers intended, the email slipped under the radar, and in an instant they had acquired user credentials from a Langs user who tried to log into the fake portal.

Once user credentials were obtained, the gang could enter the Langs network via the user account. Throughout a fortnight, they continued to access Langs systems until they were ready to launch an attack that could paralyze the organization.

Rubrik Zero Trust Data Security™

Leveraging the Rubrik Zero Trust Data Security platform, Langs could see they were compromised. Pulling up their Rubrik Ransomware Investigation dashboard, they noticed hundreds of thousands of files were deleted, and thousands were modified in the span of minutes. This helped Langs assess the scope of the threat and where they needed to start targeting their recoveries.

With Rubrik, Langs was able to quickly identify what data was impacted and where it resided in their environment. They did not have to pay the $15 million ransom. They experienced zero data loss and were fully recovered, up and running in less than 24 hours. 

Best-in-Class Support

Rubrik’s Ransomware Response Team (RRT) is a 24x7x365 organization made up of Support, Support Escalations, and Management. Langs notified Rubrik of the ransomware attack, and the Support team immediately jumped into action. Support drove the recovery efforts, while the Escalations team assisted with resolving roadblocks. Management (Support Management and Customer Experience Managers) maintained consistent communication with Langs.

Thousands of files were impacted due to the attack, and Rubrik seamlessly leveraged its API-first architecture to automate recovery of all files. Support identified key engineers who took charge of the recovery effort by assuming end-to-end ownership of the support ticket. 

After successfully recovering and verifying the integrity of the restored files, the restore of the vCenter was initiated. While the Langs team worked through the process of vCenter recovery using the guidelines provided by Rubrik Support, the support engineers worked in the backend to update the respective metadata to have their VMware environment connected back to Rubrik. This enabled Live Mount of their production VMs in order of priority outlined by the Langs team. 

Post-VM recovery, another round of validation was performed to ensure the VMs were stable and not infected. Lastly, the TOTP Based 2-Step verification was leveraged to provide an additional layer of security to Rubrik logins and further lock down the Rubrik CDM cluster. 

The commitment from Support, Customer Experience Managers, and Management by relentlessly working day and night with a customer-first strategy ensured recovery from the attack was as smooth and efficient as possible. 

“The War is Won. People’s Jobs are Safe.”

There is an extreme amount of pressure facing CIOs, especially when there is no production happening in a factory that employs thousands of people and they are all sent home. Not only do the implications of a ransomware attack hit home personally, it also implies revenue loss, production delays, and brand damage.

Organizations need to be prepared for when ransomware strikes. Learn more from leaders across the public and private sectors on how to develop a ransomware recovery and cyber resilience plan at the Rubrik Data Security Summit on-demand.