Kentucky workers comp carrier survives ransomware

A worker at the Kentucky Workers Compensation Fund (KESA) loved to read about celebrity news. She clicked happily to find out the latest gossip. But one day she clicked on the wrong link that could have brought KESA to the front page of the tabloids.

KESA System Administrator Rubyanne O’Bryan explained that the insurance carrier was hit by the CTB-Locker virus. To her amazement, the employee minimized the screen that almost screamed “You have been infected by ransomware.”

She said the worm spread to one of their mapped and shared drives. It was looking for .txt and .doc files and then added five-digit extensions to encrypting them. However with the help of Zerto, KESA was able to keep the worm away from any of the 7,100 members personal information.

Russell Lynch, KESA’s senior systems specialist, said the virus only got a hold of letters KESA had already mailed out. It took about two to three days to give the all-clear note, but this hit did not impact the users at all.

With Zerto, KESA has the ability to backup its network within minutes to an offsite location. With that peace of mind, O’Bryan said they did not even look at the ransomware demands. They were able to go back to the minute before the link was clicked and restore their network.

KESA’s data is replicated offsite within seconds to two sites that are 300 miles apart.

“During our last ransomware attack, we were able to stop it within 15 minutes and be back up and running within 3 hours. Without Zerto, we would have had to pay the ransom and we still don’t know if we’d be able to get our data back,” O’Bryan said.

They said when a snapshot was executed in their previous solution, any large processes they may have been running in Oracle would crash. These processes would include important business operations such as the creation of claim checks and the termination of policies. 

With Zerto Virtual Replication, they can see the test happening real-time versus relying on a log file to know the test was completed. 

“With our previous solution, it took a team to pull off a DR test – and we couldn’t be 100% confident that it would work,“ O’Bryan said. “Zerto’s testing is so reliable we can schedule one test per month and know it will be 30 minutes, not days.” 

As a result of this hit, O’Bryan and her staff refocused their efforts on user training. She found some templated sample emails from SonicWall that she could send out to KESA’s workers to help them determine if an email was a phishing attack. They now send emails our periodically and try to be more open and available to users who may have questions.

It seems to be working as KESA got through WannaCry unscathed. Lynch said another byproduct of that first ransomware attack was a tightening of privileges and access. Workers no longer have any kind of carte blanche access to everything on the network.

The IT department also has plastered a written response plan on their walls so that everyone knows what to do when a breach occurs.