Ransomware and Real-Life Lessons
Lessons Learned from a Real-Life Ransomware Attack
Ransomware attacks have increased significantly over time. However, many individuals and organizations still fail to fully understand their consequences. This is because most articles tend to focus on the attack process, types of ransomware, or suspected attackers, while providing little information beyond that.
Unfortunately, very few articles discuss post-attack recovery, which according to statistics can take up to 287 days. There is also limited coverage of the complex problems that arise when backup systems, the most basic defense against ransomware, fail.
To better understand a ransomware attack, let’s listen to the story of Ski Kacarosky, a system administrator, who shared how he handled a ransomware attack on a school district. The attackers encrypted critical data and shut down essential systems, including the payroll system.
A Critical Moment: Shut Down the Entire System
At 11:37 p.m. on September 20, 2019, Northshore School District in Washington State was attacked by ransomware. The district operated around 300 Windows and Linux servers and approximately 4,000 employee devices, including PCs, Macs, Chromebooks, and iPads.
Kacarosky admitted that he made a serious mistake during the first few hours after the attack: he did not disconnect the devices in time.
“If possible, unplug the power as quickly as you can,” he said. He also added that ransomware usually targets Windows machines, so priority should be given to isolating Windows systems first.
Backup System Failure
At first, Kacarosky was confident because he believed system backups were still available. However, about 4–5 hours after the attack, he discovered that the entire backup system had been disabled.
This was a devastating blow. He said:
“I realized I might have to reinstall about 180 Windows servers, rebuild the entire Active Directory with all users, groups, and countless other components. It was heartbreaking.”
The lesson learned: regularly check your backup systems to ensure they are always functioning properly and ready for recovery when needed.
So how can you make sure your backup system always works effectively?
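One way to answer that question, as an added example that is not from the article or the district, is a scheduled backup drill: it checks that the newest backup is fresher than an assumed recovery point objective (a silently disabled backup job fails this first), verifies the archive against the SHA-256 its manifest records, and performs a test restore into a temporary directory. The manifest format, the one-day RPO and the sample payroll and Active Directory files are constructed for illustration.

```python
"""Backup verification drill: freshness, integrity, and a test restore."""
import hashlib
import io
import os
import tarfile
import tempfile
import time

RPO_SECONDS = 24 * 3600  # assumed recovery point objective: one good backup per day


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(files, mtime):
    """Constructed sample backup: a tar archive plus the SHA-256 its manifest records."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(content), int(mtime)
            tar.addfile(info, io.BytesIO(content))
    data = buf.getvalue()
    return data, sha256_bytes(data)


def verify_backup(archive, manifest_hash, backup_time, expected, now=None):
    """Return a list of failures; an empty list means the backup is restorable."""
    now = time.time() if now is None else now
    problems = []
    if now - backup_time > RPO_SECONDS:  # a disabled backup job shows up here first
        problems.append("stale: newest backup is %dh old" % ((now - backup_time) // 3600))
    if sha256_bytes(archive) != manifest_hash:
        problems.append("integrity: archive hash does not match manifest")
        return problems  # never restore from a corrupt or tampered archive
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            bad = [m.name for m in tar.getmembers()
                   if m.name.startswith("/") or ".." in m.name.split("/")]
            if bad:
                return problems + ["restore: unsafe member path %s" % bad[0]]
            tar.extractall(restore_dir)
        for name, content in expected.items():  # prove the restore, not just the copy
            path = os.path.join(restore_dir, name)
            if not os.path.isfile(path):
                problems.append("restore: %s missing after extraction" % name)
            elif open(path, "rb").read() != content:
                problems.append("restore: %s content differs" % name)
    return problems
```

Run the drill on a schedule and alert on any non-empty result; a backup that has never been restored is an assumption, not a recovery plan.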
The Attack May Have Started Six Months Earlier
According to the FBI, a hacker group had installed Emotet and taken control of servers as early as March 2019. Later, they sold this access to another group, which carried out the ransomware attack on September 20.
The lesson learned: even if your system appears to be operating normally, there may still be serious security vulnerabilities that hackers have already exploited.
To minimize the risk of attacks, organizations should regularly conduct security testing.
Regular Security Testing Helps You:
- Identify system vulnerabilities
- Understand how to fix them
- Prioritize remediation plans
- Prepare backup plans when immediate fixes are not available