Type of Attack: Ransomware
Company Size: 350 employees
A company that produced point-of-sale systems for major retailers was the victim of a ransomware attack on their servers. The ransomware encrypted roughly 90 percent of their 110 servers. When they went to check their backups, they actually saw the attacker at work, deleting their previous backup jobs from Veeam.
What We Did
Given the urgency of the situation, we went to a 24-hour schedule. Fortunately, the company had SAN (storage-area network) snapshots. We deployed our full set of incident response tooling and containment measures to stop the outbreak and limit further damage.
In ransomware cases, it is important to identify any persistence mechanisms the attacker may have left behind. Every door must be closed. Ransomware attackers often try to leave a way to get back in. Even after you have survived the attack and regained your data, they can sell or trade that access to someone else, leaving you exposed to another attack. Antivirus products cannot find most of these mechanisms, which is why you cannot rely on software alone to detect and prevent ransomware attacks.
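One practical way to check "every door" is to export the autostart locations of each restored host (Run keys, services, scheduled tasks, WMI event consumers and similar) and diff them against a known-good inventory, then flag anything new or changed whose command line carries common persistence traits. The script below is an added example, not tooling from the case study or from the response team; the inventory format, the location labels and every sample entry are constructed for illustration, and in real use the baseline must come from a state that predates the intrusion, such as the same snapshot the environment was restored from.

```python
"""Persistence audit by baseline diff (added example, constructed data).

Inventory format (constructed for this example), one entry per line:
    location | name | command
"""
from dataclasses import dataclass
import re

# Constructed known-good inventory, e.g. exported from a pre-intrusion snapshot.
BASELINE = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | SecurityHealth | C:\Windows\System32\SecurityHealthSystray.exe
Services | VeeamBackupSvc | C:\Program Files\Veeam\Backup\Veeam.Backup.Service.exe
Services | EDRAgent | C:\Program Files\ExampleVendor\edr_agent.exe
ScheduledTasks | \Microsoft\Windows\Maintenance\WinSAT | %windir%\system32\winsat.exe
"""

# Constructed inventory exported from the host after restore and eviction.
CURRENT = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | SecurityHealth | C:\Windows\System32\SecurityHealthSystray.exe
Services | VeeamBackupSvc | C:\Program Files\Veeam\Backup\Veeam.Backup.Service.exe
ScheduledTasks | \Microsoft\Windows\Maintenance\WinSAT | C:\Users\Public\winsat.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | OneDriveUpdate | powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
ScheduledTasks | \Updater | wscript.exe C:\ProgramData\upd.vbs
"""

# Traits that deserve a human look when they appear in a new or changed entry.
# The list is illustrative; extend it with what your environment considers normal.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I), "encoded PowerShell"),
    (re.compile(r"\b(mshta|wscript|cscript|regsvr32|rundll32)\b", re.I), "script/LOLBin host"),
    (re.compile(r"\\(Temp|AppData|ProgramData|Public|Users\\[^\\]+\\Downloads)\\", re.I), "user-writable path"),
    (re.compile(r"-w(indowstyle)?\s*hidden", re.I), "hidden window"),
]


@dataclass(frozen=True)
class Entry:
    location: str
    name: str
    command: str


def parse_inventory(text):
    """Parse the constructed 'location | name | command' format."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        location, name, command = (field.strip() for field in line.split("|", 2))
        entries.append(Entry(location, name, command))
    return entries


def audit(baseline_text, current_text):
    """Return findings: entries that are NEW, CHANGED or REMOVED relative to the baseline.

    Unchanged entries are skipped, which is exactly why the baseline must
    predate the intrusion: a baseline taken after compromise would hide it.
    """
    baseline = {(e.location, e.name): e for e in parse_inventory(baseline_text)}
    current = {(e.location, e.name): e for e in parse_inventory(current_text)}
    findings = []
    for key, entry in current.items():
        old = baseline.get(key)
        if old is None:
            status = "NEW"
        elif old.command != entry.command:
            status = "CHANGED"
        else:
            continue
        reasons = [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(entry.command)]
        findings.append({"status": status, "location": entry.location, "name": entry.name,
                         "command": entry.command, "reasons": reasons})
    # Entries that vanished matter too: a missing security agent or backup
    # service is a change an attacker may have made.
    for key, entry in baseline.items():
        if key not in current:
            findings.append({"status": "REMOVED", "location": entry.location, "name": entry.name,
                             "command": entry.command, "reasons": []})
    return findings


if __name__ == "__main__":
    for f in audit(BASELINE, CURRENT):
        flags = ", ".join(f["reasons"]) or "no automatic flag; review manually"
        print(f"{f['status']:8} {f['location']} :: {f['name']}\n         {f['command']}\n         -> {flags}")
```

Every NEW and CHANGED entry is reported even when no pattern matches, because the patterns only prioritise the review; an innocuous-looking entry that did not exist in the baseline still needs an explanation. Run the audit per host, keep the exports with the incident record, and repeat it a few days after the restore so that delayed re-entry attempts show up as fresh diffs.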
We took their entire production environment offline and restored everything from their SAN snapshots. We evicted the attacker, changed all of their passwords, conducted a full Office 365 review, and got them back up and running within a work week.
Attacks are changing at a rapid pace, and antivirus software cannot keep up. Four out of five attacks are not detected by a company's anti-malware suite. In addition, most antivirus software only protects against code that has already been identified as dangerous, and hackers have moved far beyond that simplistic approach to much more sophisticated methods. Advanced tooling and cybersecurity guidance from an expert team that is up to date on the latest threats is the fastest and most cost-effective way to hunt down, detect, and evict an attacker.