Ransomware Response

A global manufacturer was unprepared when they were hit with every organization’s worst nightmare: a ransomware attack.

With severe technical debt and a brand-new IT team, they were facing damages that could put them out of business. As their trusted partner, Arraya guided them through their response and recovery.

Today, they’re more protected and prepared than ever.

BACKSTORY

Our client, a global manufacturer, had severe technical debt and a new IT team.

Once a new CIO came on board, he contracted with Arraya to address vulnerabilities and improve their security posture. A new backup system had just been implemented and more changes were in the pipeline.

The Friday before Thanksgiving, we had a meeting with the client to discuss the results of our security assessment and go over identified issues, along with our recommendations for addressing these risks. Over that weekend, their enterprise resource planning (ERP) system stopped working. They would quickly come to learn that they had fallen victim to a ransomware attack.

IDENTIFICATION

On Sunday evening, Arraya was contacted. Within an hour, we had communicated with all client stakeholders to establish what the issue was, what systems were giving them trouble, and what had transpired to date. We discovered that several files had been encrypted, which were the cause of the ERP system’s issues.

Because of our previous work with the client, we already had access to their system, and we were familiar with how their organization functioned. This allowed us to act immediately, and they gave us the autonomy to make decisions on their behalf.

We brokered in our partner, SEVN-X, as the incident response and forensics team to determine how this attack happened, how far it had spread, and how it could be contained.

MITIGATION

Arraya’s team acted as the incident coordinator, effectively quarterbacking the remediation and recovery efforts.

We directed executive leadership to execute their insurance policy and get a claim filed. We maintained power for all systems to protect future forensic efforts, but disconnected the network from all known systems so the ransomware could not spread further.

We were in constant communication with all parties involved regarding the ransom demand and it was ultimately decided that it would not be paid.

By late night Monday, we had an action plan put together.

INVESTIGATION

Over the next few days, SEVN-X worked through the forensics process, which is very labor intensive as every machine had to be assessed. They started with known affected systems and worked through each individually from there.

Throughout this process, a full inventory of all systems in the network was created that all parties could access, monitor, and update. The goal was to determine what systems needed to be restored and what that process would entail. This depended on what the resources were, how much data they involved, and more.

Throughout this process, Carbon Black was rolled out as a central endpoint detection & response (EDR) platform to monitor for any issues once the systems were cleaned. As indicators of compromise (IOCs) were discovered by SEVN-X, Carbon Black was updated to detect and thwart any discovered malicious activity.

RECOVERY

Just prior to the ransomware attack, the client had begun backing up their data to an off-site location. Rather than restoring their data over the internet, we restored to this off-site location, allowing the client to get select systems online in about an hour.

As there was no predetermined incident response plan in place, Arraya was responsible for reviewing and prioritizing what systems to restore based on the critical path. This means we first identified and prioritized the minimum number of systems that would make the biggest impact in continuing operations.

REBUILDING

Arraya stood up a network connection between the client and their off-site data storage. As servers were restored, they were put into their own isolated network where they could be tested for infection before they were moved to a staging network in which they could communicate with other clean and restored data systems.

Lastly, we rebuilt the client’s Microsoft Active Directory, domain controllers, and got applications reintegrated with the new, clean systems.

Arraya worked with the client to reset every employee’s password through a coordinated effort with their service desk. We provided a script that was used to explain what had transpired and implemented a system that allowed the service desk to issue new passwords to employees over the phone after an ID verification process was completed.

LESSONS LEARNED

The client survived this cyber-attack. However, without the backups that Arraya had recently implemented, this likely wouldn’t have been the case.

Arraya’s incident coordination services drove the recovery from identification to mitigation and rebuilding. Because of our prior work with the client, we were already familiar with their network, and they trusted us to do what was right for their organization. We were able to begin our response to the attack immediately and with the autonomy to make decisions on their behalf.

Throughout the investigation, it was discovered that the ransomware attack was carried out against vulnerable, unpatched systems that were internet-facing. Their systems had been infected for over a week before the ransomware was deployed.

RESULTS

  • Continued Business Operations
  • Improved Security Posture
  • Modernized & Future-Ready Infrastructure
  • Consolidated Redundant Systems

Arraya paired the client with a managed detection and response provider to prevent attacks from going undetected again. We brought all patches up-to-date and hardened their systems. We also implemented MFA for each employee when connecting remotely.

If the client had had an established and tested incident response plan in place prior to this attack, the response and recovery costs would have easily been cut in half.

As a silver lining, the client focused on clean up following this attack. They got rid of legacy technology, revised their naming system, modernized their infrastructure, and consolidated redundant systems.

With these new processes and procedures in place, they are now better protected from cyber threats and much more prepared to respond, should they fall victim again.

SAFEGUARD YOUR DIGITAL WORLD

Don’t gamble with your business. In today’s climate, securing your business is not an option – it’s a necessity.

Uncover your vulnerabilities, protect your assets, and receive personalized recommendations from our cybersecurity experts. Act today, and together, we’ll fortify your digital assets. Contact us to get started!