Ransomware Attack – A Case Study
It’s every organization’s worst nightmare. You arrive at work for a busy day only to find a skull and crossbones as your new desktop wallpaper. There is a message on everyone’s computer threatening to destroy your files and leak your organizational data if you do not pay the cyber criminals. The sad reality is that this is a very common situation, and attacks like this occur multiple times a day across the world.
Cyber criminals are winning. The level of organization inherent in major ransomware groups all but ensures that they can compromise an institution given enough time and focus. The real measure of an organization’s security posture lies in its ability to recover properly from an attack and to limit the spread and damage associated with the event.
Every attack and organization is different; however, we can cover some examples of attacks on firms that had proper incident response and business continuity planning in place. Preparation is everything when a ransomware event occurs. Rapidly recovering systems and investigating the breach can be exceedingly complex tasks, and only proper preparation can prevent complete disaster.
Below we will outline a classic ransomware attack on a mid-sized organization (fewer than 1,000 users) that follows proper security best practices for its industry.
How are most organizations set up before a ransomware attack?
Our sample organization, CyberVictim Inc., works in an industry that often faces ransomware attacks because of the size of the contracts and clients it deals with. Knowing this, CyberVictim Inc. has been taking proactive steps to improve its security posture. This multi-year improvement roadmap has emphasized Disaster Recovery and Business Continuity (DRBC) first, leaving advanced security solutions such as EDR, application whitelisting, and comprehensive security services for later stages of the roadmap.
Security is an ever-changing field and no organization can ever be “secure”, just less vulnerable. CyberVictim Inc. prioritized DRBC by moving beyond the standard backups into cloud-replicated disaster recovery sites and hybrid backups. Their endpoints still relied on standard Anti-Virus, and their critical assets were protected primarily by a managed SIEM and Security Operations team. They are in the process of rolling out enhanced detection capabilities when our example attack occurs. Fortunately, in addition to managed cybersecurity and incident response services, they also have cyber-liability insurance with a ransomware clause.
What happens right after a ransomware attack starts?
CyberVictim Inc. employees arrive at work one day to see their systems displaying a message requesting payment and demanding immediate contact. There is also a countdown timer on the display, indicating the date on which the private key necessary to recover their data will be permanently deleted. For such a security-conscious organization, this comes as a shock to the IT staff.
It’s a very common misconception among IT staff that their systems are immune to a ransomware event. The truth is that ransomware is generally created and launched by incredibly skilled malware engineers. These engineers dedicate as much time to their craft as the anti-malware security teams do, or more. By the time ransomware is executed within an environment, skilled attackers will already have stolen and exfiltrated years’ worth of company data. They will also have planted backdoors throughout the environment to maintain persistence after the attack is launched.
Escalation to Insurance and IR
As mentioned, in addition to managed cybersecurity and incident response services, CyberVictim Inc. also holds a cyber-liability insurance policy with a ransomware clause. CyberVictim Inc. immediately engages its third-party Incident Response and Managed Security team alongside its insurance provider. The teams coordinate to set up secure file shares and communications, establish incident response bridges, share incident details, and build contact trees.
Within a couple of hours, all incident response roles have been assigned, legal counsel has been engaged, forensic investigations have started to hunt for stolen data, and managed detection and response teams have begun preserving data and scoping the incident.
Recovery Environment/Evidence Preservation
Core to a forensic investigation is the preservation of evidence. Fortunately, CyberVictim Inc. has cloud-replicated disaster recovery. In short, they can spin up their entire environment from a backup point entirely within the cloud in a new location. The old, infected environment can be left intact for evidence preservation while the new environment is prepared for deployment.
Evidence preservation is a key security necessity due to the legal implications of stolen data alongside the wealth of threat indicators available in the data. Just remember – all the systems that have been infected likely contain a full log of connections, events, etc. that can be used to determine (and block) the root cause of the infection.
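One practical way to preserve the value of those logs is to record a cryptographic fingerprint of every collected file before anyone touches the infected environment, so that later analysis (and any legal process) can show the evidence is unchanged. The script below is an added example, not part of the original case study or any vendor's tooling: it hashes a constructed set of placeholder log files with SHA-256, writes a manifest, and then verifies the collection, flagging files that were modified, removed, or added after collection. The sample file names and contents are invented for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"

# Constructed sample evidence: a few fake log files written to a scratch
# directory so the example runs offline. Names and contents are placeholders,
# not artifacts from the case study.
SAMPLE_FILES = {
    "host01/Security.evtx.txt": "4624 logon from 203.0.113.10\n4688 process created cmd.exe\n",
    "host01/firewall.log": "ALLOW 10.0.0.5 -> 203.0.113.10:443\n",
    "dc01/Security.evtx.txt": "4672 special privileges assigned\n",
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large disk images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _evidence_files(root: Path):
    """Yield every regular file under root except the manifest itself."""
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.relative_to(root).as_posix() != MANIFEST_NAME:
            yield path


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 and size of every file under root.

    The manifest is what the investigator hands over with the evidence;
    any later change to a file will be reported by verify_manifest().
    """
    manifest = {}
    for path in _evidence_files(root):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return manifest


def verify_manifest(root: Path, manifest: dict) -> list:
    """Return sorted (relative path, reason) pairs for anything that no longer matches."""
    problems = []
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(path) != expected["sha256"]:
            problems.append((rel, "hash mismatch"))
    # Files that appeared after collection are also worth flagging.
    for path in _evidence_files(root):
        rel = path.relative_to(root).as_posix()
        if rel not in manifest:
            problems.append((rel, "not in manifest"))
    return sorted(problems)


def write_sample_evidence(root: Path) -> None:
    """Create the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo(root: Path = None) -> tuple:
    """Build a manifest for the sample evidence, then show that tampering is detected."""
    if root is None:
        root = Path(tempfile.mkdtemp(prefix="evidence-"))
    write_sample_evidence(root)
    manifest = build_manifest(root)
    (root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    clean = verify_manifest(root, manifest)          # expected: []
    # Simulate someone "tidying up" a log on the preserved host.
    (root / "host01/firewall.log").write_text("")
    tampered = verify_manifest(root, manifest)       # expected: one hash mismatch
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The manifest should itself be stored (and ideally signed) outside the preserved environment; the hash of the manifest file is the single value that gets written into the chain-of-custody record.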
Indicators of Compromise and Managed Detection and Response
The managed cybersecurity services team works alongside the Incident Response and Cyber Hunt teams in this situation to ensure all indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) are accounted for within the relevant security systems. CyberVictim Inc. immediately decided to roll out full Managed Detection and Response services with a cutting-edge EDR solution to help prevent reinfection.
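"Accounted for within the relevant security systems" in practice means the same IOC list is run against firewall, DNS, and endpoint telemetry, and anything that matches goes onto a blocklist. The following is an added example, not code from the case study or from any named vendor: it sweeps a constructed set of log lines from three sources against a constructed IOC list (documentation IP ranges, a `.invalid` domain, and a placeholder hash) and produces both a hit list for the investigators and a per-type blocklist for the security tooling.

```python
import re
from dataclasses import dataclass

# Constructed IOC list of the kind an IR team shares after triage. The IPs are
# from RFC 5737 documentation ranges, the domain uses the reserved .invalid
# TLD, and the hash is a placeholder; none are real indicators.
IOCS = {
    "ipv4": {"203.0.113.10", "198.51.100.77"},
    "domain": {"update-check.example.invalid"},
    "sha256": {"0" * 63 + "1"},
}

# Constructed sample log lines: firewall, DNS resolver, and EDR telemetry.
SAMPLE_LOGS = [
    "2024-01-15T02:13:44Z fw01 ALLOW src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2024-01-15T02:13:45Z dns01 query host=ws-014 name=update-check.example.invalid type=A",
    "2024-01-15T02:14:02Z fw01 ALLOW src=10.0.0.9 dst=192.0.2.50 dport=443",
    "2024-01-15T02:15:10Z edr ws-014 process=svchost.exe sha256=" + "0" * 63 + "1",
    "2024-01-15T02:16:30Z fw01 DENY src=198.51.100.77 dst=10.0.0.1 dport=3389",
]

# Token extractors per indicator type; each is applied to every line regardless
# of which system produced it.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
}


@dataclass(frozen=True)
class Hit:
    line_no: int      # 1-based index into the log input
    kind: str         # ipv4 / domain / sha256
    value: str        # the matched indicator
    line: str         # full log line for the analyst


def match_iocs(lines, iocs=IOCS) -> list:
    """Return every IOC occurrence in the given log lines, in line order."""
    hits = []
    for idx, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            for token in pattern.findall(line):
                if token in iocs.get(kind, ()):
                    hits.append(Hit(idx, kind, token, line))
    return hits


def blocklist(hits) -> dict:
    """Collapse hits into a per-type, de-duplicated list ready for the security tooling."""
    out = {}
    for hit in hits:
        out.setdefault(hit.kind, set()).add(hit.value)
    return {kind: sorted(values) for kind, values in out.items()}


def sweep(lines=SAMPLE_LOGS) -> tuple:
    """Run the IOC sweep and return (hits, blocklist) for the sample input."""
    hits = match_iocs(lines)
    return hits, blocklist(hits)


if __name__ == "__main__":
    found, blocks = sweep()
    for hit in found:
        print(f"line {hit.line_no}: {hit.kind}={hit.value}")
    print("blocklist:", blocks)
```

Because the extractors are generic, the same sweep can be pointed at exported SIEM events or EDR process logs without per-source parsers; the cost is that a very broad indicator (a shared CDN address, for example) will generate noise, so the IOC list itself should be vetted before it is turned into blocks.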
Whereas the managed cybersecurity services provider (MSSP) provides the vast majority of the cybersecurity services for CyberVictim Inc., the cyber-liability insurer has also engaged a forensic incident response unit to gather evidence and perform triage. This co-managed cybersecurity scenario leads to rapid information sharing and environmental recovery, since roles are preserved across units.
Continued Negotiations and Remediations
Legal counsel advises CyberVictim Inc. about potential liabilities associated with stolen data. Forensic Incident Response helps distinguish data that was truly compromised from false claims by the attackers. Insurance teams work to optimize the negotiation process. In the case of CyberVictim Inc., no ransom was paid, thanks to their robust cybersecurity preparations and incident response planning.
CyberVictim Inc. recovered limited business operations within a single business day and maintained an aggressive emergency operations stance while the investigation and subsequent environmental cleanse took place. Their preparations with cyber insurance and DRBC reduced a potentially catastrophic event to a speed bump. Security posture was rapidly improved and the attack was staved off.
This is a real case study of an event that commonly occurs at organizations of all sizes. Names, timelines, dates, and security coverage have been changed to preserve the anonymity of the organization. Their story is considered a resounding success due to the strategic preparation by their leadership.
Not everyone gets as lucky as CyberVictim Inc. Some organizations don’t have proper disaster recovery, security detections, or insurance. Navigating the treacherous world of ransomware alone can be a major mistake. There is no guarantee that your data can be recovered, and a shocking number of organizations go out of business within a few months of a ransomware event. Prepare properly and ensure that your team knows what an actual event looks like.
Speak with the Scarlett Cybersecurity team for more information regarding Managed and Co-Managed Cybersecurity Incident Response.