By Davis Merrey
April 4, 2023

How does cybersecurity prevent ransomware?

Dissect how a ransomware attack works and how to mitigate the damage to your business.

Recently, a company—we’ll call it Company A—that had data held for ransom via a cyberattack reached out to us for help. Although we were able to help them recover the data, they weren’t able to use their IT systems for over a week. Here’s a timeline of the events surrounding the attack and eventual service restoration:  

Tuesday: Company A receives and opens a OneNote document via email from a hacked email account of one of their suppliers.

Wednesday: The hacker receives a notification that their malware has been installed on one of Company A’s computers and moves laterally on the network to a server.

Thursday Morning: The hacker analyzes Company A’s systems and data sets and eventually finds personal, identifiable information about Company A’s employees and customers. After copying and uploading the information to his system, the hacker encrypts Company A’s main server hard drives, which also encrypts all drives on Company A’s virtual servers. 

Thursday Afternoon: The hacker demands almost $500,000 to provide the encryption key. Company A can no longer access its IT systems. Company A engages its cybersecurity insurance company and an incident response consultant that brings in a forensics expert. They then contacted our company to restore data and access and remediate the vulnerability that allowed the breach. 

Friday: Our engineers deployed cybersecurity software that allowed us to remove any “back doors” to the system and to monitor for additional suspect behavior. In addition, we collected forensics to determine which user opened the email and what data the hacker collected. This process helped Company A assess its position relative to the “ransom value” of the data while we began to help restore IT systems access.

Saturday: Negotiations begin with the hacker over their ransom demand and continue over the weekend.

Monday Afternoon: Company A can access its IT systems. Our engineers deploy endpoint detection and response (EDR) software to prevent future attacks of this type. 

Tuesday:  Company A successfully negotiates ransom payment to the hacker. 

If Company A had followed cybersecurity best practices and had EDR deployed before this attack, the EDR service would have detected the attack and isolated the compromised computer from the network. The hacker would have ceased further breach attempts on the first day. Instead, Company A couldn’t use its IT systems for over a week and unnecessarily spent thousands of dollars on recovery. The annual investment for EDR protection for Company A would be less than 1% of the loss sustained by this cyber attack. 

Subscribe to Email Updates


Get Edmond Business news in your inbox.

  • This field is for validation purposes and should be left unchanged.

About Davis Merrey

Davis, is Owner/CEO of TeamLogic IT of Oklahoma City, part of an international network of franchisees providing IT support for businesses. He brings many years of experience in a variety of technology related industries, leading teams in providing technical solutions that respond to critical customer needs. The company culture is defined by its Mission Statement: “To help our fellow employees and clients be successful”.

Davis earned a BS in Electrical Engineering from the Virginia Military Institute and an MBA in Management from Golden Gate University in San Francisco. He serves on several business related and non-profit boards of directors.