Case Study: Ransomware Victim to Victor
Ransomware has grown tremendously in popularity among cyber criminals and is increasingly seen among organizations of all sizes. Tuearis receives calls regarding ransomware attacks on a regular basis. What follows is a true case study about one such occurrence. Of course, we always protect our clients' privacy, so some details have been withheld. However, we hope that your organization can benefit from the information shared!
On a Friday morning in the first half of 2019, odd behavior was observed within a Texas organization's network. The behavior was limited to the corporate office, but all of the organization's data was housed at the corporate location. The IT staff did not understand the nature of the issue, and it progressed in severity as several workstations became inoperable. By early afternoon servers were not responding and the network was shut down, affecting all of the organization's dozens of branch locations. All of the organization's servers were encrypted, as well as a number of workstations. The ransom demand followed soon after. The amount was in line with the shocking numbers seen in recent news stories from across the country. The organization had no insurance to cover the claim and no desire to appease the criminals.
The organization did have backups that were current, but it was unknown whether they had been impacted. The financial risk to the organization was extreme, as all business operations had ground to a halt. All data relating to payments and collections, Active Directory, and ongoing projects was lost. Staff had to resort to using personal email for client communication. The situation was dire.
The organization's owner described the event very simply: "This is the worst day of my life."
We received notification of the issue on Saturday morning with very limited information. A conference call took place between Tuearis, the organizational leadership, the IT staff, and the organization's legal team on Saturday afternoon with another conference call on Sunday. Tuearis had IR support on site Monday morning at 6:30 am to begin remediation.
Ransomware remediation is a process all its own. The spread of the malware must be stopped, the damage must be assessed, the backups must be validated, the infected devices must be investigated and/or wiped clean (or trashed) and re-evaluated, the network must be reconstructed, the most recent good backup data restored, and each system brought back online and tested systematically, all while preparing for a renewed attempt on the network by the cyber-criminals. This process can take days or months depending upon the severity of the attack.
Thankfully, Tuearis was able to have basic operations back online by Wednesday afternoon. That means that money began to flow again, keeping the organization alive and providing security to its hundreds of employees at dozens of locations... all of whom had been unable to work since the network had gone down. That is our "why we do what we do"!
The organization was fully operational within two weeks and had lost only the data from the day of the attack itself.
This was a lucky client. It may not seem that way, but they were. Had the attack been more sophisticated, had the backups been failing to take place (we've seen that one before...), or had the response been slower, this could have been far more disastrous. Moreover, had a breach occurred (with data removed from the environment), disclosure to the affected parties would have had to take place and fines would likely have followed.
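The "backups must be validated" step of the remediation process above, and the failing-backup scenario just mentioned, both come down to the same check: does each backup file still match the hash recorded when it was made, and was it actually written recently? The following is an added example (not Tuearis's tooling or anything from the case itself) that runs that check against a constructed backup set; the file names and the 24-hour freshness window are assumptions.

```python
"""Post-incident backup validation: integrity (hash manifest) plus freshness.

Constructed example: a small backup set is written to a temp directory, one file
is overwritten (simulating an encrypted copy), one is deleted, and one is aged
so that its backup job looks like it stopped running; then the manifest is checked."""
import hashlib, os, tempfile, time
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def validate_backup(backup_dir, manifest, max_age_hours=24.0, now=None):
    """Compare each manifest entry against the on-disk copy.
    manifest: {relative_name: expected_sha256} recorded when the backup was taken.
    Returns a dict of lists: ok, missing, corrupted, stale."""
    now = time.time() if now is None else now
    report = {"ok": [], "missing": [], "corrupted": [], "stale": []}
    for name, expected in manifest.items():
        path = Path(backup_dir) / name
        if not path.is_file():
            report["missing"].append(name)          # backup never landed or was deleted
            continue
        if sha256_file(path) != expected:
            report["corrupted"].append(name)        # contents changed since the manifest was written
            continue
        age_hours = (now - path.stat().st_mtime) / 3600
        if age_hours > max_age_hours:
            report["stale"].append(name)            # intact, but the backup job silently stopped
            continue
        report["ok"].append(name)
    return report

def demo():
    """Constructed scenario (not real client data): three backup files, three failure modes."""
    d = Path(tempfile.mkdtemp())
    files = {"payments.csv": b"id,amount\n1,100\n", "ad.bak": b"ntds-sample", "projects.db": b"sqlite-sample"}
    for name, data in files.items():
        (d / name).write_bytes(data)
    manifest = {name: sha256_file(d / name) for name in files}   # recorded at backup time
    (d / "payments.csv").write_bytes(os.urandom(32))              # simulate an encrypted copy
    (d / "projects.db").unlink()                                   # simulate a backup that never landed
    old = time.time() - 72 * 3600
    os.utime(d / "ad.bak", (old, old))                             # simulate a job that stopped 3 days ago
    return validate_backup(d, manifest, max_age_hours=24)
```

Running the check on a schedule, and alerting on any non-empty missing or stale list, turns "we did not know if the backups were impacted" into a known state before an incident rather than during one.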
A New Attack
Tuearis was glad, after remediation was completed, to have a conversation about becoming the Managed Security provider to this organization. Advanced tools for monitoring, behavior-based analysis, and vulnerability management were put into the environment, and the Tuearis team began managing security for the organization. Based on 2019 trends, it was no surprise to us when a retaliatory attempt was made against the network a couple of months later.
Alarms began coming into the Tuearis SOC on a Friday morning and an investigation was immediately performed. Unauthorized encryption attempts were taking place in the network. A call was made to the organization's IT staff. They were unaware of any network issues and business operations were not impacted. The Tuearis team successfully ended the processes, cleaned up the network, and moved on with their day. The advanced tools had done their job well, the Tuearis team had done their jobs well, and the organization's employees were unaware of any issues whatsoever. That's a win for us and for the organization!
The Tuearis "Why"
Everyone needs a "why." Why do you do what you do? Why do you get up in the morning? Why do you strive to be the best in your field? I'm hopeful that our "why" shines through in this brief account. We are people serving people. A cyber incident could have spelled the end of this organization, the loss of hundreds of jobs, and more stress than any metric can measure. We are passionate about protecting good people and ridding the world of those that seek to molest. "Life, liberty, and the pursuit of happiness" is more than a catchphrase!
Contact us if Tuearis can help you!