The backup that wasn’t, or how to age 10 years in a month

We've all been there right? You have deleted an important document only to find that you needed it a week later but have already emptied your recycle bin or what if you are one of the 64% of SMB’s that experienced a cyber-attack in the first half of 2018 and lost access to data? 

Some of us use email as our backup, but as we saw from last blog email storage is not as safe as you might think.

Flashback(up)


To be accurate, they weren’t actually our client when we first received a frantic call one fateful Monday morning – the reason for the call?  All of their server files were locked thanks to a cryptolocker attack and they were now being held to ransom by the hackers. 

As a small family owned retail business, they needed access to their data to keep running, without it they were totally in the dark as to who would be picking up orders that week, stock levels in the warehouse, even what to charge for items. In a nutshell, their entire livelihood was on the line.

They thought they had been doing the right thing for business continuity, they had a physical firewall and disk backups, but the firewall subscription wasn’t up to date and didn’t scan for current threats – critical in an ever-changing fight against hackers and their backups were reporting as complete but no test restore of the data ever been undertaken.  They were up the proverbial creek without a paddle.


We headed out to their site where our first goal once there was to get them operational. The one saving grace in this case was that our client had recently copied data from their ERP to a USB - don't ask us why, we were just thankful they did. It meant that we were able to then copy the contents of the USB to a desktop PC to create a makeshift temporary server. This allowed them to get access to their stock levels, pricing and to use one sales till to limp along.

We were able to set them up with email by exporting the mail (PST) files from each of the desktop PC’s (unaffected by the attack), converting them and then uploading to Office 365 accounts.

After the first day they were able to keep trading.

The next thing to tackle was to assess whether the file server was recoverable, in this instance it wasn’t recoverable as it was a 2003 SBS server and the backups would not restore. We manually recovered individual files and folders from each of the backup disks, it was a very tedious and time consuming task, all up, it took a month to get them to the point where they had a fully functioning environment, and even then, some data was lost due to the incomplete backup's. Imagine your business going through the same experience, believe me, it wasn't a fun time.

So, what was the cost of all of this? It wasn’t just our fees. There was the limitation of operating from the desktop PC with only partial functionality, staff were underutilised, a couple of customers were inconvenienced when their orders weren't moved from the warehouse to the retail store in time for them to collect and I’m pretty sure our client and I both aged about 10 years from the stress.

The cost of business downtime is nearly 10X greater than the cost of the ransom requested by hackers in such instances as this. The average requested ransom for SMBs is $6,000 while the average cost of downtime related to a ransomware attack is $58,000.

After the restoration they joined us as a new Managed Services Client, they now have a fully updated firewall,  email backups and a backup appliance for their business continuity, the appliance replicates every 15 minutes, and we can get a business back up and running on the appliance in 5 minutes.

Our client is now evangelical about business continuity, which is great, but we would rather they had skipped the cryptolocker part to get there - it might have saved a few grey hairs!