Manufacturer Recovers from Costly Ransomware Attack

This blog was originally published on CyFIR.com and has been reposted as-is here following eSentire’s acquisition of CyFIR Inc. in June 2021. As of the date of the acquisition, no changes have been made to the content below.

WWT leverages partnership with security firm CyFIR to help customer remediate ransomware attack and strengthen security hygiene.

CASE STUDY IN PARTNERSHIP WITH

Challenge

A global manufacturer was hit with a ransomware attack that locked up its critical business systems. Despite losing $1 million per day from an inability to operate, the company wasn’t inclined to pay the ransom— even though its very survival was at stake. The company simply had no assurance the attacker would grant system access upon payment. Moreover, failure to address the underlying causes would leave the company vulnerable to similar attacks in the future, perhaps from the same threat actor.

The company’s security team worked around the clock to determine the point of attack, identify the attacker and remove the threat from their system. But after two days of unsuccessfully attempting to resolve the issue internally, the CEO contacted WWT for help. The CEO had successfully worked with WWT on various cybersecurity issues in the past. Based on those experiences and his confidence in their ability, they were the first call he made when confronted with a significant security threat to his business.

Solution

Once WWT’s Security team assessed the severity of the attack, they determined that CyFIR’s powerful investigation and incident response tool was needed to remediate the breach. They immediately contacted CyFIR’s team of computer forensic practitioners to partner with them to remediate the attack and improve our customer's security posture in the process.

Upon receiving the call from WWT on a Sunday afternoon, CyFIR jumped to action and contacted the manufacturer directly to better understand the situation. CyFIR’s team immediately began working with the customer’s security team to remotely deploy CyFIR’s forensic investigation tools across all the endpoints on the network. This enabled them to begin analysis of what was attacking the system.

WWT has a strong partnership with CyFIR thanks to past joint efforts to solve complex security issues for customers and our CyFIR Forensic Instant Response Lab in our Advanced Technology Center (ATC). This interactive CyFIR Lab provides a safe environment for organizations to evaluate the functionality of the CyFIR Enterprise suite on various Windows and Linux endpoints. It's a great starting point for anyone wanting to understand how CyFIR’s Forensic Analysis and Instant Response solution can bring cyber resiliency to an organization.

With the forensic analysis underway, the CyFIR team traveled to meet with the company’s security team on Monday morning. By the time they met, CyFIR had determined the attack came from a laptop running in the manufacturing department that hadn’t been used in some time but was still active. Unfortunately, because of the time delay in reporting the incident to WWT and CyFIR, the company’s critical files had been encrypted by the attacker and the encryption keys could not be unlocked without paying the ransom.

Backing up and encrypting your critical files offline is one of the best ways to avoid the impact of ransomware attacks.

CyFIR worked with the company to recover most of the files that had been successfully backed up offline by Wednesday. Backing up and encrypting your critical files offline is one of the best ways to avoid the impact of ransomware attacks. This allowed the company to successfully return to normal operations. In addition, the WWT and CyFIR team completed a comprehensive threat assessment across the company’s network, identifying and removing various threats and assuring the attacker was eliminated from the network.

Upon completing the threat assessment, the company engaged CyFIR to install a continuous monitoring function across all endpoints in their network.

Outcomes

Working closely with CyFIR, WWT helped a valued customer get their manufacturing operations back online, which eliminated an ongoing daily loss of $1 million. In addition to remediating the ransomware threat and restoring backed up data, they helped identify and eliminate other latent threats from the customer’s network. The manufacturer has since adopted CyFIR’s continuous monitoring technology to significantly reduce the risk of loss from future cyberattacks.

To proactively prevent similar attacks from occurring and maintain a healthy security hygiene, organizations should continuously assess their levels of risk, establish metrics, make sure store encrypted backups of critical data offline, and conduct awareness training and incident response table top exercises on routine basis.

Risk Management

As IT becomes an increasingly important business enabler, it's imperative to apply the notion of risk management to all organizations. A risk-based approach to management can lead to greater accountability and a better change management environment.

Business impact and risk analysis are important lenses for understanding your company’s operational vulnerabilities as well as the various platforms from which to explore risk mitigation and contingency-planning activities.

Through close partnerships with leading security vendors like CyFIR, WWT can help you evaluate your existing security tools against industry standards to ensure you have pervasive, real-time visibility, improved operational efficiency and a mature cybersecurity program.