war stories

Ransomware Retail Case

With 90% of its servers encrypted with ransomware and backups deleted by threat actors, see how Blue Team Alpha stood this company back up after disaster hit.

TYPE OF ATTACK

Ransomware

INDUSTRY

Retail

COMPANY SIZE

350 employees

attack details

A company that produced point-of-sale systems for major retailers was the victim of a ransomware attack on their servers. The ransomware encrypted roughly 90 percent of their 110 servers. When they went to check their backups, they actually saw the attacker at work, deleting their previous backup jobs from Veeam.

what we did

Given the urgency of the situation, we moved to a 24-hour schedule. Fortunately, the company still had intact SAN (storage-area network) snapshots. We deployed our incident response tooling to contain the outbreak and limit further damage.

In ransomware cases, it is essential to identify any persistence mechanisms the attacker has left behind. Every door must be closed. Ransomware attackers often leave themselves a way back in: even after you have survived the attack and regained your data, that access can be sold or traded to another group, leaving you open to a second attack. Antivirus products cannot find most of these mechanisms, because many of them are legitimate system features (a scheduled task, an extra administrator account, a remote-access tool) rather than malicious files, which is why you cannot rely on software alone to detect and prevent ransomware attacks.
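The persistence sweep described above, as an added example that is not part of the original case study and is not Blue Team Alpha's tooling. It assumes Windows servers (consistent with the Veeam and Office 365 environment described) and an elevated PowerShell session on each recovered host; the five categories checked, the Add-Finding helper and the output layout are this example's own choices. It enumerates the locations most often abused for a way back in so that each entry can be reviewed by hand, which is the point: none of these entries is malware, so an antivirus scan will not flag them.

```powershell
# Added example (not Blue Team Alpha's tooling): list common Windows persistence
# locations on this host so an analyst can review each one after a ransomware
# recovery. Run elevated on every restored server. Categories, the Add-Finding
# helper and the output format are this example's own conventions.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Category, [string]$Name, [string]$Detail)
    $findings.Add([pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Category = $Category
        Name     = $Name
        Detail   = $Detail
    })
}

# 1. Scheduled tasks: a task that re-launches a beacon or remote-access tool.
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            Add-Finding 'ScheduledTask' ("{0}{1}" -f $task.TaskPath, $task.TaskName) `
                ("{0} {1}" -f $action.Execute, $action.Arguments)
        }
    }
}

# 2. Run/RunOnce keys for the machine and the currently loaded user hive.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip the provider metadata PowerShell adds to every registry object.
            if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value
            }
        }
    }
}

# 3. Services whose binary lives outside the Windows and Program Files trees.
Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -and
    $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\'
} | ForEach-Object {
    Add-Finding 'Service' $_.Name ("{0} (start={1}, state={2})" -f $_.PathName, $_.StartMode, $_.State)
}

# 4. WMI event subscriptions: fileless persistence that antivirus rarely reports.
#    Querying the abstract __EventConsumer class returns all concrete consumers.
foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
    Get-CimInstance -Namespace root\subscription -ClassName $class -ErrorAction SilentlyContinue |
        ForEach-Object {
            $detail = ($_.CimInstanceProperties | Where-Object { $_.Value } |
                ForEach-Object { "{0}={1}" -f $_.Name, $_.Value }) -join '; '
            Add-Finding 'WmiSubscription' $class $detail
        }
}

# 5. Local Administrators membership: an extra account is the simplest back door.
#    (Fails harmlessly on a domain controller, which has no local SAM groups.)
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'LocalAdmin' $_.Name ("{0} ({1})" -f $_.ObjectClass, $_.PrincipalSource)
}

$findings | Sort-Object Category, Name | Format-Table -AutoSize -Wrap
# Keep a record per host, e.g.:
# $findings | Export-Csv -NoTypeInformation "$env:COMPUTERNAME-persistence.csv"
```

Every line this produces needs a human decision, not an automated verdict: a vendor's backup agent and an attacker's remote-access tool both show up as a service with an unusual path. Compare the output against a known-good host or the pre-incident build documentation, and repeat the sweep on the restored environment as well as the compromised one, because snapshots taken after the intrusion began can carry the persistence back with them.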

We took their entire production environment offline and restored everything from the SAN snapshots. We evicted the attacker, reset every password, conducted a full Office 365 review, and had them back up and running within a work week.

lessons learned

Attacks change and evolve at a rapid pace, and antivirus software cannot keep up. Four out of five attacks are not detected by the victim's anti-malware suite. Most antivirus products are signature-based: they only block code that has already been identified as malicious, and attackers have long since moved past that to techniques that leave no known-bad file behind. Advanced tooling, combined with guidance from an expert team that is current on the latest threats, is the fastest and most cost-effective way to hunt down, detect, and evict an attacker.
