Alvaka Networks Helps Two Businesses Fight Back From Ransomware

Roughly a dozen employees of the Irvine, Calif.-based MSP Alvaka Networks have been putting in 105-hour weeks since around Christmastime to get two companies back up and running following ransomware infestations.

Alvaka Networks has been busy this holiday season helping two businesses restore systems and resume normal operations following ransomware attacks.

Roughly a dozen employees of the Irvine, Calif.-based MSP have been putting in 105-hour weeks since around Christmastime to get two companies back up and running following ransomware infestations, according to Alvaka CEO Oli Thordarson. One of the affected businesses has several thousand systems while the other has a couple hundred, Thordarson said, and neither were previous clients of Alvaka.

Ransomware recovery services represented less than 5 percent of Alvaka’s total revenue last year, Thordarson said, and the engagements typically begin on weekends or holidays with no advanced notice. But Thordarson considers the work to be both a public service as well as a potential entry point into organizations that might not have been familiar with Alvaka previously. Thordarson declined to reveal the names of the two businesses that were hit by ransomware.

[Related: The 10 Biggest Ransomware Attacks of 2019]

"It's personally rewarding from the professional challenge perspective and from helping people out of a tough spot,” Thordarson said. "It's lucrative work, but it's exhausting on our staff because it's so demanding."

Businesses without cyber insurance should expect to spend at least $100,000 on ransomware recovery, Thordarson said, though costs could easily run ten or twenty times that amount depending on the size of the business, the extent of the ransomware infection, and the recoverability of the data.

Cyber insurance providers do a good job of covering recovery-related expenses after an attack, but typically won’t pay for preventative measures that reduce the likelihood of future ransomware attacks. One of the two ransomware victims being helped by Alvaka has cyber insurance, which Thordarson said saves money but can slow things down since all work has to be approved by the insurance provider.

Full restoration hasn’t yet taken place for either of the ransomware victims being helped by Alvaka, Thordarson said, though one of the businesses opted to pay a ransom to the hackers. Businesses that had their backups encrypted or don’t have access to good backups can often save time and money by paying the ransom, according to Thordarson.

"As much as I hate to support a criminal enterprise ... you owe it to your stockholders, you owe it your employees, and you owe it to your clients to get back in business,” Thordarson said. “It becomes very difficult to stick to the morality and ethics of not paying bad guys if you're talking about putting 4,000 people out of work and affecting thousands and thousands of clients.”

One of the ransomware victims has been in the active recovery process for a week but is experiencing system issues that are slowing down the recovery, Thordarson said. The other victim would like to be up and running within the next few days, but Thordarson said that might be a challenge due to the cyber insurance adding a bit of friction to the situation earlier on.

The deletion of backups by adversaries during ransomware attacks began roughly a year ago has been the biggest game-changer this space has seen, Thordarson said, and now occurs in roughly 50 percent of cases. If a business doesn’t have backups and doesn’t pay the ransom, Thordarson said they’re stuck trying to find fragments of information “Sherlock Holmes style” and piece them back together again.

Victims of ransomware suffer two types of damages, Thordarson said, the first of which is the cost associated with paying the ransom and the downtime experienced by the organization. Although hackers can encrypt hundreds of thousands of devices within 24 hours, he said the decryption process takes much longer, meaning companies don’t typically recovery fully for at least a week.

The second type of damages comes from trying to mitigate against future ransomware attacks, which at the very least requires a through scrub and forensics of the systems and often entails rebuilding the entire system from scratch, Thordarson said. Just the process of doing forensics and inspecting everything from top to bottom requires a lot of time and money to be done properly, Thordarson said.

Other major expense drivers for ransomware victims include fines and penalties from regulators, lost revenue during the period the business was down or had yet to resume full operations, and a diminished valuation and loss of faith from customers and prospects should news of the intrusion become public, according to Thordarson.

"At the end of the day,” Thordarson said, “the ransom is actually a pretty minuscule piece of the overall cost.”