ITPartners+

In the early hours of a springtime Thursday morning, ITPartners+ faced a major cybersecurity challenge: a ransomware attack targeting one of their clients, launched by the Akira ransomware group. The threat actors wasted no time, encrypting critical servers and attempting to spread across the network as fast as they could. The timing, just before the Memorial Day holiday weekend when response staff are thin, is a common tactic used by attackers to increase the likelihood of a ransom payment.

Chad McDonald, CTO of ITPartners+, recalls, “We’ve had other cyber incidents, but not on the scale of a ransomware attack. This was our first time seeing ransomware actively attacking an environment.”


The initial alert came through the RocketCyber platform (Datto Managed SOC), a critical component of the company’s cybersecurity defenses.

Casey Postma, the Cybersecurity Lead at ITPartners+, was the first to respond. He discovered the attack when he woke up early and checked his emails. Casey stated, “I woke up about an hour before my alarm and decided to check my email. I found that Datto Managed SOC submitted an emergency ticket and had called us.” This early detection was crucial in mitigating the damage.

The first indicator of compromise was identified at 4:59 AM. Between 5:00 and 5:15 AM, Datto’s tooling and its veteran SOC team isolated over 30 devices to stop the spread while killing the malicious processes. “The response time was a little over a minute from the start of the encryption that triggered the alert and the response of the ransomware policy. That was extremely impressive,” said Casey. This swift isolation prevented the ransomware from spreading to other parts of the network.
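The sequence this paragraph describes (encryption starts, a ransomware policy fires within about a minute, the process is killed and the host is isolated) can be sketched as a small behavioural detector. The following is an added example, not ITPartners+’s, Datto’s or Kaseya’s code: the telemetry format, hostnames, PIDs and thresholds are assumptions made for illustration, and the `.akira` extension and `akira_readme.txt` note are used here as the encryption indicators without any claim that this is what the SOC’s policy actually keys on.

```python
"""Toy behavioural ransomware detector with automated containment.

Added example, not ITPartners+'s, Datto's or Kaseya's code. The event
format, hosts, PIDs, thresholds and indicator strings are assumptions
made for illustration; real EDR telemetry is richer and vendor-specific.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".akira"          # assumption: extension appended to encrypted files
RANSOM_NOTE = "akira_readme.txt"  # assumption: ransom note file name


def build_sample_log():
    """Constructed telemetry (not real EDR output): ts|host|pid|action|path|new_path.

    SRV-01 shows an encryption burst (25 renames to .akira, then a ransom
    note); WS-07 shows a few benign renames for contrast.
    """
    base = datetime(2024, 5, 23, 4, 59, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        src = f"D:\\Shares\\Finance\\q1-{i:02d}.xlsx"
        lines.append(f"{ts}|SRV-01|4120|rename|{src}|{src}{ENCRYPTED_EXT}")
    ts = (base + timedelta(seconds=25)).isoformat()
    lines.append(f"{ts}|SRV-01|4120|create|D:\\Shares\\Finance\\{RANSOM_NOTE}|")
    for i in range(3):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts}|WS-07|812|rename|C:\\Users\\alice\\~tmp{i}.tmp|C:\\Users\\alice\\report{i}.docx")
    return lines


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    pid: int
    action: str
    path: str
    new_path: str


def parse_events(lines):
    """Parse the constructed pipe-delimited format into time-ordered events."""
    events = []
    for line in lines:
        ts, host, pid, action, path, new_path = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), host, int(pid), action, path, new_path))
    return sorted(events, key=lambda e: e.ts)


@dataclass
class Alert:
    host: str
    pid: int
    reason: str
    first_seen: datetime   # first encryption event by this process
    triggered: datetime    # event at which the policy fired

    @property
    def seconds_to_trigger(self):
        """Detection latency: encryption start to policy trigger."""
        return int((self.triggered - self.first_seen).total_seconds())


def detect_ransomware(events, window_s=60, threshold=20):
    """Alert once per (host, pid) that renames >= threshold files to the
    encrypted extension inside a sliding window, or drops a ransom note."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for e in events:
        key = (e.host, e.pid)
        if key in alerted:
            continue
        if e.action == "create" and e.path.lower().endswith(RANSOM_NOTE):
            alerts.append(Alert(e.host, e.pid, "ransom note dropped", e.ts, e.ts))
            alerted.add(key)
            continue
        if e.action != "rename" or not e.new_path.lower().endswith(ENCRYPTED_EXT):
            continue
        q = recent[key]
        q.append(e.ts)
        while (e.ts - q[0]).total_seconds() > window_s:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            reason = f"{len(q)} files renamed to {ENCRYPTED_EXT} within {window_s}s"
            alerts.append(Alert(e.host, e.pid, reason, q[0], e.ts))
            alerted.add(key)
    return alerts


def plan_response(alerts):
    """The containment the page describes: kill the process, isolate the host."""
    actions = []
    for a in alerts:
        actions.append(("kill_process", a.host, a.pid))
        actions.append(("isolate_host", a.host))
    return actions


if __name__ == "__main__":
    found = detect_ransomware(parse_events(build_sample_log()))
    for a in found:
        print(f"{a.host} pid {a.pid}: {a.reason} ({a.seconds_to_trigger}s after first encryption)")
    print(plan_response(found))
```

With the constructed log the burst on SRV-01 crosses the 20-file threshold 19 seconds after the first rename, which is the kind of sub-minute latency the quote above refers to; the benign renames on WS-07 never match. Lowering the threshold shortens detection time but raises the false-positive risk from legitimate bulk renames, which is why a second, independent signal such as the ransom note is worth keeping alongside the rate rule.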

Once the immediate threat was contained, ITPartners+ coordinated a comprehensive response. This included contacting the client’s cybersecurity insurance provider, who would bring in a forensic team to assess the situation further. “It was the obvious indicators of the Akira ransomware that drove home the fact that you are truly going through a serious incident,” explained Casey.

The recovery process was intense and required the coordinated efforts of multiple team members. By leveraging Datto EDR and the assistance of Datto’s SOC professionals, ITPartners+ successfully isolated the affected servers, ensuring the ransomware was contained and minimizing damage. Chad highlighted the critical role of those tools: “The power of our team and that of the toolset we had at our disposal — Datto Managed SOC, Datto EDR, Datto BCDR, RMM — were instrumental in stopping the spread and recovering the affected systems.”

During the recovery, the team restored servers from backups using Datto BCDR, ensuring that the client’s data was intact and that operations could resume. The client was fully operational by the first day back in the office after the holiday weekend. This quick turnaround was vital in slashing downtime, minimizing loss and ensuring business continuity.


The collaboration between ITPartners+ and Kaseya proved to be a robust defense against the Akira ransomware attack, where the rapid detection and isolation of infected systems prevented extensive damage and allowed for a speedy recovery. ITPartners+’s client praised them for their effective response, which significantly reduced the attack’s potential impact.

Chad reflected on the incident, saying, “This is one of those incidents where you really get to test that theory, where you get to walk away with either yes, it did what we wanted; we have a positive result, or you walk away feeling like you made the wrong choice. In this case, we walked away saying we picked the right product and the right vendor.”

ITPartners+ successfully handled what could have been a devastating ransomware attack, demonstrating their commitment to their core values: Do great work, make it fun and think big. Their proactive approach, combined with the advanced capabilities of Datto Managed SOC and Datto EDR, ensured that their client could resume normal operations with minimal disruption.

This case study highlights the importance of having a skilled team and reliable cybersecurity tools to combat evolving cyberthreats effectively.


Products used in this case study


Kaseya 365 Endpoint

Kaseya 365 Endpoint delivers a single, integrated subscription that provides everything needed to manage, secure, backup and automate your endpoints.

