Ransom Rooter was recruited as a partner to assess and recover critical business data that was being held for ransom at a Financial Services company in Ohio.
Client’s Challenges
- All client and business critical data was encrypted and held for ransom by an unknown threat actor(s) and all business was halted.
- The client had no backups of their data, and the security posture was weak with no security controls in place to prevent such an attack.
- The client did not have the correct type of insurance to cover cyber-attacks of this nature.
- Law enforcement officials advised the client not to pay the ransom.
Ransom Rooter Services and Deliverables
- Respond to the incident on premises, verify the threat, and perform initial triage.
- Identify ransomware variant and recover data
- Determine Indicator of Compromise (IoC) and how the attackers gained access to business systems
- Secure Log Structured File System (LFS) infrastructure, restore data and hardening of systems to prevent future attacks
- Create proper backup solution and migrate data to cloud storage for redundancy
Results
- Ransom Rooter was able to determine that the root cause of the incident was exploitation of default credentials on a public-facing Network Attached Storage (NAS) device.
- Ransom Rooter advised the client that the best course of action would be to pay the ransom due to the client not possessing backups and the high level of difficulty of reverse engineering the encryption algorithm.
- Ransom Rooter was able to obtain the decryption key on the client’s behalf and restore the data with the decryption key ensuring no loss of integrity.
- Ransom Rooter established a comprehensive cyber security program that included the creation of an air-gapped environment to prevent future attacks, scanning and remediation of all endpoints, and end user security awareness training.
Finally, the Ransom Rooter team created a Microsoft 365 cloud environment for the client and migrated all on premises data to the cloud. As a precautionary measure, Ransom Rooter monitored the environment for a week to ensure no further attacks.
Takeaway
This unfortunate attack resulted in a loss of the company’s revenue due to not being able to access critical business data for 36 hours and could have potentially damaged their reputation. However, a positive outcome was that the organization was made aware of the importance of hiring and retaining a professional team to manage their digital assets.
What they could have done to avoid it
- CISA Recommends employing a backup solution that automatically and continuously backs up critical data and system configurations. Store backups in an easily retrievable location that is air-gapped from the organizational network. Require multi-factor authentication (MFA) for accessing organizational systems whenever possible.
- The organization should have changed default usernames and passwords for hardware when the hardware was initially deployed on the network.
- An annual penetration test should have been performed to determine any risks to the organization’s human resources or information systems.
- Cybersecurity insurance should have been purchased in a sufficient amount to cover losses in case of an attack.
- Training should have been established for employees on how to recognize social engineering attacks through media such as e-mail, phone calls, text messages, and videos.
- The organization should have retained an IT partner with qualifications that include secure networking and cybersecurity.