Avoiding Cyber Mayhem: Hard Lessons from the Catastrophic Attack on VFEmail.com

Imagine yourself as a service provider who wakes up one day, pours a cup of coffee, and checks email, Facebook, Instagram and Twitter – only to discover a flurry of panicky messages from customers about your service being unavailable. You rush to your management console to find that nothing is working; your entire operating environment is an unresponsive black hole. Racing to your data center, you discover a faceless attacker has wiped out every bit of data you own and maintain on behalf of your customers, erasing every hard drive on the premises.

What’s worse is they have also managed to destroy your backup servers. You have no recovery options.

That’s not an imaginary worst-case scenario. That’s what happened earlier this week to VFEmail.net, a US-based provider of secure email services.

On Monday, VFEmail.net was hit with a massive cyberattack that completely erased every one of its virtual machines, file servers and corresponding backup systems – vaporizing 18 years’ worth of stored customer emails. VFE’s paid account holders were able to resume using the service without the benefit of any email archives, but the software that enabled free email accounts and all of the associated emails is gone forever.

The hacker’s apparent goal was simply to create mayhem, as VFEmail.net received no extortion threats or ransom demands prior to the attack.

It’s easy to feel empathy for a small business owner who has suffered such a setback, as well as its thousands of customers who lost valuable business and personal data in the attack. One wonders what kind of cruelty, nihilism or revenge motivated the attacker to wreak such havoc.

In the wake of such an incident, you might wonder “Could that happen to us?”

As you consider the question, remember that the NotPetya cyberattack of June 2017 – initially suspected of being a for-profit ransomware attack – turned out to be a wiper attack designed to create political chaos in Ukraine. Its spread across Europe was an unintended side-effect, but NotPetya still managed to irrecoverably encrypt the data of thousands of systems, causing an estimated $10B worth of damage.

We have since seen the rise of more state-sponsored cyberattacks, including ransomware and cryptojacking, designed to rake in profits or wreak political and economic damage to rivals on the world stage. (North Korea and Iran are favorite suspects.)

So the answer to your question is: Yes, you could suffer the same fate as VFE. What’s more, the chances that you might be are growing.

To minimize your risk, now is good time to review your cyber protection strategy and probe it for the kind of weaknesses that left VFE open to attack. Here are four things to ask yourself:

1. Are we abiding by the 3-2-1 rule of backup? This is a simple but crucial backup principal: make sure you are maintaining multiple copies of your production data on diverse media types in diverse locations. If your live servers are being backed up locally to hard drives, you might also want to back them up to an off-site facility (on HDD or tape), and also to cloud storage. This approach might have thwarted VFE’s attacker, who apparently erased primary and backup VMs and physical servers, but likely would not have had access to cloud backups.
2. Are we protecting our data and that of our customers against common malware attacks? The goal of the VFE attack was not extortion, but if it were, the attacker’s access to VFE’s servers would have made it simple to mount a ransomware attack that similarly could have destroyed those servers and their backups. The FBI estimates that over half of ransomware victims never recover their data, even if they pay the extortion fee, as attackers sometimes disappear or are caught before they deliver the decryption keys necessary for data recovery, or have implemented their code so ineptly that those decryption keys don’t work.
3. Are our backup agents and services vulnerable to malware and other malicious attacks? Leading-edge data protection products and services have backup agents and cloud storage services that are hardened against a variety of attacks like ransomware and credential theft. Savvy cybercriminals know to seek out and attack backup servers and archives to thwart potential recovery efforts. Without a data protection solution that hardens its backup agents and archives (both onsite and cloud-based), those efforts can succeed.
4. Are we fully protecting our cloud-based services like email, storage and file sharing? Many businesses incorrectly assume the provider of their cloud-based productivity applications effectively protects user mailboxes and shared volumes. For example, Microsoft’s Microsoft 365 has comparatively limited data protections for user emails compared to those the typical business implements for its other production applications. It’s a good idea to scrutinize how long your cloud service provider gives you access to old emails and files it is storing for you, and how easy and granularly you can recover lost or missing data when you need it.

VFE may have suffered the IT operations manager’s worst nightmare this week, but you don’t have to let its vulnerabilities keep you from sleeping soundly. As the most secure business backup solution, Acronis Backup can help with every one of these issues.

See how Acronis Backup with Acronis Active Protection can defend your data against ransomware attacks and how Acronis backup agents and cloud services are hardened against malware attacks.

Acronis Backup can also protect your cloud-based services like Microsoft 365, One Drive for Business, and SharePoint Online.