Ransomware Case Study
HOW ONE RANSOMWARE ATTACK TOOK DOWN TWO
COMPANIES & WHAT ABS DID TO RESPOND & RECOVER
ABS is notified that there’s a problem
ABS has the issue under control
Sister company goes down and ABS is asked to intervene
Ransomware issue is resolved and cybersecurity roadmap is initiated
On Tuesday morning, April 14, 2020, we were informed that one of our clients was experiencing IT issues. We were in a reactive support model with this particular client, which meant they used our services to respond to high-level needs. They relied on their own internal IT team for the majority of their IT support and processes, like cybersecurity. This was a situation where they needed help – and fast. Their systems were not working and they were unable to run their business. They called our HelpDesk, where a ticket was created and immediately escalated. We quickly identified the problem: it was a ransomware attack.
After receiving an urgent call from the client to our 24/7 HelpDesk, we quickly identified the type of attack and the probable gateway for the attack. We immediately sent team members to address the issue on-site and prevent further encryption from occurring. We stayed in constant contact with their leadership team to hear their concerns and needs, and to communicate our current actions and next steps. In addition, our teams worked continuously to make sure the issue was resolved as quickly as possible.
Within 48 hours, we were able to remove the threat and regain control of the situation.
We then became aware that their sister company in Ohio had been attacked and was no longer operational. We immediately sent a team member to that location and began the process of gaining control of their servers from the cyber criminals.
As we worked on our client’s servers and their sister company’s more dire needs, we got on the phone with the corporate office, their lawyers, and their cybersecurity insurance agents to address the attack on a higher level and help them create a cybersecurity roadmap to better protect their companies from vulnerabilities and any future cyberattacks.
After seven days, our client’s business was fully operational and under complete control. They lost no revenue and did not have to pay any ransom.
Their sister company was not so lucky. They were completely unprepared for a ransomware attack and ended up having to pay the hackers to regain control of their business, in addition to the revenue lost while their business was under attack. Once we were invited to help with the situation, we were able to get their systems back under control and fully operational, but it was too late to save them from severe financial loss.
Once their networks were officially under control, both companies immediately upgraded to our Managed IT Service program where we take total ownership of all IT needs, processes, and strategy. Our first action was to begin implementing the cybersecurity roadmap we had prepared during the ransomware crisis, as well as the suggestions we had made several months prior. Though there is no cybersecurity approach that leads to complete and total protection from attack, we are confident that they are now well protected and prepared for the future.
RESPONDING TO & RESOLVING RANSOMWARE ATTACKS
7:00 a.m. – Tuesday, April 14
The phone rang. It was early, but that’s what I’m here for. I work a 24/7 HelpDesk, so I’m always ready to answer, though the phones do tend to be quieter outside of the 9-to-5 hours. I set down my coffee and picked up as quickly as I could. The voice at the other end sounded uneasy, “We have a problem…”
Tier 2 Engineer
That call was our first notice of an IT “problem” that would:
• Capture the attention of our entire team,
• Lead us out-of-state,
• And require more than 600 hours of our time over the next seven days.
President and CEO Mark Lewis also received a call – in fact, it was a literal wake-up call. The owner of the affected company was panicked, and rightfully so.
“Stuff” wasn’t working. What they needed to operate wasn’t functioning. Critical pieces to their process were disappearing. They could not operate their business.
Our team immediately went into action.
Once the call came into our HelpDesk, Chris stayed on the line with the customer while creating a ticket and reaching out to our professional services team to alert them of the issue.
From the time the call came in to the time we began working to resolve the issue, only three minutes passed, but it felt like hours. Time was of the essence.
This particular client was under a standard maintenance agreement with ABS and had been for several years. Our job was to check in occasionally and assist their internal team with anything outside of their experience level. We offered an open door to their team and even made recommendations for updating and protecting their current systems, but that was it. We didn’t have access to much of what they did, weren’t able to help them create secure processes, and couldn’t update their servers without permission.
As we began to delve into the issue, we weren’t at a total loss for what was happening. We had been concerned about their vulnerability to cyberattacks several months prior and recommended some updates that had not been addressed.
We quickly noticed encrypted files in their servers. It was as we suspected.
This was a ransomware attack.
IT Explained: Ransomware
What is a Ransomware Attack?
We like to think of security on your computer network as a castle. And, if your network security is like a castle, a ransomware attack is like a Trojan horse. Ransomware gains access to your computer network (your castle) by masquerading as something harmless. The hackers are then able to take over your network slowly. Once they have access to everything, they lock you out. They are kind enough to give you a chance to regain access – for a price.
How Does It Work?
Contrary to what you might think, hackers do not target specific businesses. They target network security vulnerabilities. They scour the internet for these vulnerabilities until they find an easy target, and that’s when they begin the attack. They masquerade as something innocent – like an email with a link that anyone in your company might click. Once they are “allowed in” or can access your network, they begin to encrypt your files so that you cannot operate your business. Once they have control, they will offer you a key to the encryption if you pay the ransom.
Although encryption can help protect your business, and is a recommended layer of protection, cybercriminals can also use encryption against you. This is why it’s essential to have multiple layers of security in place – like a castle with a moat, guards, and guidelines for how those inside the castle (your employees) are to conduct themselves.
This protects your business from the vulnerabilities that hackers look for and can save you from losing control of your “castle”.
We estimated that the accounts were accessed in late February (though the attackers had probably been working to gain access before this time) and the encryptions had been running behind the scenes until everything exploded at 4:00 a.m. on April 14 – three hours before we received the first call and went into offensive and defensive modes.
The first thing we did was protect their most essential server in order to keep the encryption from hitting information that was absolutely critical to their operation.
Once this was taken care of, our team went into action, taking the necessary steps to regain control of the network and secure the business.
Part of our team began to deal with their individual workstations and their server. They went on location to get started.
Simultaneously, we pulled whatever backups we had and were able to get mission-critical servers back up and their team back online.
Our service team, after identifying the issue and getting emergency issues addressed, put together a Standard Operating Procedure (SOP) to get every encrypted file back over time and to implement a better cybersecurity approach for the future.
They set up each employee with a new password. They blocked every remote user who was connected via VPN until our team could connect with them individually and verify if they were using a home or business computer to connect.
We made sure that everyone had an up-to-date and patched antivirus software on their computers before anyone was allowed back on the server.
We also created guidelines for employees who were using home computers – things like having a supported antivirus that’s up-to-date and patched, and making sure they were operating on a current operating system supported by Microsoft. We extended our support desk and had teams working around-the-clock to support them.
We also made sure that every person in our company was aware of the issue and knew how to respond to any additional requests that might come in during this time in relation to this client.
We initiated a call with their leadership team every 3-to-4 hours in order to provide an update on where we were at, what we were doing, what our next steps would be, and what was on our priority list. During these check-in calls, we gave them an opportunity to reprioritize our steps so that we could adjust according to the needs that they felt were best for their company.
Our initial presumption, which was later confirmed, was that their 2003 terminal server was the cause of the breach. This server had been out of support for almost 10 years, meaning it was not being updated with protections against today’s cybersecurity threats. Sadly, we had recommended it be removed from public internet, and even transitioned out of use, but we did not have the authority to make this happen based on our relationship at the time.
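The re-admission rules described above (every remote user verified individually before VPN access is restored, a vendor-supported operating system, antivirus installed, patched and current) and the out-of-support, internet-facing server that turned out to be the entry point can both be expressed as a small audit. The script below is an added example in Python, not ABS's code or tooling. The inventory entries, the end-of-support dates, and the seven-day definition-age threshold are constructed assumptions; in practice the dates come from the vendor's lifecycle page and the inventory from your RMM or asset system.

```python
"""Post-ransomware endpoint re-admission audit (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption: antivirus definitions older than this are treated as not up-to-date.
AV_MAX_DEFINITION_AGE = timedelta(days=7)


@dataclass
class Endpoint:
    name: str
    kind: str                           # "workstation" or "server"
    device_type: str                    # "business" or "home"
    os_name: str
    os_supported_until: date            # vendor end-of-support date, filled in by the admin
    av_installed: bool
    av_patched: bool                    # the antivirus engine itself is fully patched
    av_definitions_date: Optional[date]  # date of the last signature update, if any
    verified_by_helpdesk: bool = False  # helpdesk spoke to the user and confirmed the device
    remote_access: bool = False         # connects to the network over VPN
    internet_exposed: bool = False      # reachable directly from the public internet


def audit_endpoint(ep: Endpoint, today: date) -> List[str]:
    """Return the reasons this device may not rejoin the server yet (empty means allowed)."""
    findings: List[str] = []
    # Remote and home devices stay blocked until the helpdesk has verified them one by one.
    if (ep.remote_access or ep.device_type == "home") and not ep.verified_by_helpdesk:
        findings.append("remote/home device not yet verified individually by the helpdesk")
    # Operating system must still be supported by its vendor on the audit date.
    if ep.os_supported_until < today:
        findings.append(f"{ep.os_name} is out of vendor support since {ep.os_supported_until}")
    # Antivirus must be present, patched, and carrying recent definitions.
    if not ep.av_installed:
        findings.append("no antivirus installed")
    else:
        if not ep.av_patched:
            findings.append("antivirus engine is not patched")
        if ep.av_definitions_date is None or today - ep.av_definitions_date > AV_MAX_DEFINITION_AGE:
            findings.append("antivirus definitions are stale or unknown")
    return findings


def readmission_plan(inventory: List[Endpoint], today: date) -> Dict[str, object]:
    """Split the inventory into devices allowed back, devices on hold, and critical servers."""
    plan: Dict[str, object] = {"allow": [], "hold": {}, "critical": {}}
    for ep in inventory:
        findings = audit_endpoint(ep, today)
        if findings:
            plan["hold"][ep.name] = findings
        else:
            plan["allow"].append(ep.name)
        # An unsupported server that is directly reachable from the internet is the
        # scenario behind this breach and gets its own top-priority flag.
        if ep.kind == "server" and ep.internet_exposed and ep.os_supported_until < today:
            plan["critical"][ep.name] = "out-of-support server exposed to the public internet: remove from public access and plan decommissioning"
    return plan


# Constructed sample inventory; names and dates are placeholders, not from the case.
AUDIT_DATE = date(2020, 4, 15)
SAMPLE_INVENTORY = [
    Endpoint("WS-ACCT-01", "workstation", "business", "Windows 10", date(2025, 1, 1),
             True, True, date(2020, 4, 14), verified_by_helpdesk=True),
    Endpoint("HOME-JSMITH", "workstation", "home", "Windows 7", date(2020, 1, 14),
             True, False, date(2020, 3, 1), remote_access=True),
    Endpoint("TS-LEGACY", "server", "business", "Windows Server 2003", date(2015, 1, 1),
             False, False, None, verified_by_helpdesk=True, internet_exposed=True),
]

if __name__ == "__main__":
    result = readmission_plan(SAMPLE_INVENTORY, AUDIT_DATE)
    print("allow   :", result["allow"])
    for name, reasons in result["hold"].items():
        print("hold    :", name, "->", "; ".join(reasons))
    for name, reason in result["critical"].items():
        print("critical:", name, "->", reason)
```

Run against a real inventory, the "hold" list becomes the helpdesk's call sheet for verifying remote users one at a time, and the "critical" list is the set of servers to pull off the public internet before anything else is restored.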
To add insult to injury, our findings showed that our client was not the only company affected by the breach. After accessing our client’s servers, the attackers were able to leap to their sister company in another state via an insecure site-to-site Virtual Private Network (VPN) connection and breach that network as well.
Our clients asked if we could step in and help their sister company, but it was too late. The sister company had little to no security layers and no backup plan in place. They were forced to pay the ransom because they lost everything.
IT Explained: Layered Security
What is Layered Security?
Layered security is what it sounds like. Layered security is what happens when your business is protected by multiple forms of security. One layer of security can be a firewall and another layer can be multi-factor authentication (MFA) for your employees.
Why Does Layered Security Matter?
Much like a castle with a moat and guards is more secure than a castle standing alone, layered security is a more reliable form of cybersecurity for your business. Cyber criminals might be able to hack through one layer of security (like a firewall), but if they hit another layer and then another layer, your business is less likely to be breached.
A recent example of the need for layered security came as a result of the COVID-19 pandemic. This pandemic forced businesses to look at how their employees operate when not in the office. Many businesses used something called a Virtual Private Network (VPN) to allow employees to access their servers remotely. The problem is, these VPNs are oftentimes not set up with the necessary layers of security, making it possible for attackers to hop from a remote user’s house right into a business’s network.
Basically, with a VPN, if an employee is working from home and their home network is vulnerable, then your business is at risk. You have to have additional layers of protections in order to protect against these vulnerabilities and save your business from a security breach.
The Last Straw
This was the sister company’s second ransomware attack in 18 months. Thankfully, they had cyber insurance and did not have to pay out-of-pocket for either attack, but this was the last straw.
Their corporate office had recently mandated a new antivirus system across companies that they were in the process of implementing as a result of the previous ransomware attack. Simultaneously, they were trying to address how the hacker got in and how to secure the network. Let’s just say there was a lot going on…
At this point, we began a similar recovery process to the one we had conducted just a few days earlier with our client. We had daily calls with everyone involved – including our client, their sister company, the corporate office, their lawyers, and their insurance company.
After sending a team member on-site, we realized the company had no one on staff who could give our team member any of the information he needed. This meant that we had to start from scratch to resolve the issue and we had to act quickly.
Within just a few days, we had secured and resolved the issues our client was facing.
Their business never fully went down, and they were fully up and running within 48 hours. In addition to a complete and full recovery, no revenue was lost during the recovery process. Sadly, their sister company fared much worse and experienced severe financial loss, though, once involved, we were able to secure their network and get them up and running.
We now operate as both companies’ Managed Service Provider.
Our first move after making sure everything was secure and fully operational was to create and implement a roadmap for continued cybersecurity measures over time. We began work on a server update project in order to update their out-of-date operating systems. We locked down their remote access and made sure anyone connecting to their server through a VPN was doing so in a secure process. We reevaluated any connectivity with third-party vendors. Finally, we made their security policy stronger.
Our quick response and the final results helped to build a trust with our client like never before.
Something that could have taken 4-to-5 months was recovered within just a few business days.
We believe all of this could have been prevented. First of all, a Cybersecurity Threat Analysis would have uncovered their risks. Additionally, our Technical Account Managers (TAMs) are often able to foresee and communicate IT needs early on to our clients. Sadly, though we are normally able to work seamlessly with internal IT teams and help them bridge the gap of communication with leadership, they sometimes only serve to filter recommendations and prevent important IT needs from being put into effect in a timely manner. This was our experience in this particular situation.
All that said, no cybersecurity measure will be 100% effective. There will always be vulnerabilities, which is why a layered security plan is so critical. Additionally, training employees is key because they can open the door to the castle, no matter how protected you are on the outside.
How are you protected from a ransomware attack? Are you prepared to watch your business slowly lose function until it can no longer operate? Do you have backups in place, or will you be required to pay thousands, even millions of dollars, to recover your business?
Don’t wait to find out. Let’s talk about protecting your business, today.
HERE’S A GOOD PLACE TO START:
Give us a call: (502) 513-7099