Manufacturer Recovers from Costly Ransomware Attack
WWT leverages partnership with security firm CyFIR to help customer remediate ransomware attack and strengthen security hygiene.
A global manufacturer was hit with a ransomware attack that locked up its critical business systems. Despite losing $1 million per day from an inability to operate, the company wasn’t inclined to pay the ransom— even though its very survival was at stake. The company simply had no assurance the attacker would grant system access upon payment. Moreover, failure to address the underlying causes would leave the company vulnerable to similar attacks in the future, perhaps from the same threat actor.
The company’s security team worked around the clock to determine the point of attack, identify the attacker and remove the threat from their system. But after two days of unsuccessfully attempting to resolve the issue internally, the CEO contacted WWT for help. The CEO had successfully worked with WWT on various cybersecurity issues in the past. Based on those experiences and his confidence in our ability, we were the first call he made when confronted with a significant security threat to his business.
Once WWT’s Security team assessed the severity of the attack, we determined that CyFIR’s powerful investigation and incident response tool was needed to remediate the breach. We immediately contacted CyFIR’s team of computer forensic practitioners to partner with us to remediate the attack and improve our customer's security posture in the process.
Upon receiving the call from WWT on a Sunday afternoon, CyFIR jumped to action and contacted the manufacturer directly to better understand the situation. CyFIR’s team immediately began working with the customer’s security team to remotely deploy CyFIR’s forensic investigation tools across all the endpoints on the network. This enabled us to begin analysis of what was attacking the system.
WWT has a strong partnership with CyFIR thanks to past joint efforts to solve complex security issues for customers and our CyFIR Forensic Instant Response Lab in our Advanced Technology Center (ATC). This interactive CyFIR Lab provides a safe environment for organizations to evaluate the functionality of the CyFIR Enterprise suite on various Windows and Linux endpoints. It's a great starting point for anyone wanting to understand how CyFIR’s Forensic Analysis and Instant Response solution can bring cyber resiliency to an organization.
With the forensic analysis underway, the CyFIR team traveled to meet with the company’s security team on Monday morning. By the time they met, CyFIR had determined the attack came from a laptop running in the manufacturing department that hadn’t been used in some time but was still active. Unfortunately, because of the time delay in reporting the incident to WWT and CyFIR, the company’s critical files had been encrypted by the attacker and the encryption keys could not be unlocked without paying the ransom.
CyFIR worked with the company to recover most of the files that had been successfully backed up offline by Wednesday. Backing up and encrypting your critical files offline is one of the best ways to avoid the impact of ransomware attacks. This allowed the company to successfully return to normal operations. In addition, the WWT and CyFIR team completed a comprehensive threat assessment across the company’s network, identifying and removing various threats and assuring the attacker was eliminated from the network.
Upon completing the threat assessment, the company engaged CyFIR to install a continuous monitoring function across all endpoints in their network.
Working closely with CyFIR, WWT helped a valued customer get their manufacturing operations back online, which eliminated an ongoing daily loss of $1 million. In addition to remediating the ransomware threat and restoring backed up data, we helped identify and eliminate other latent threats from the customer’s network. The manufacturer has since adopted CyFIR’s continuous monitoring technology to significantly reduce the risk of loss from future cyberattacks.
To proactively prevent similar attacks from occurring and maintain a healthy security hygiene, organizations should continuously assess their levels of risk, establish metrics, make sure store encrypted backups of critical data offline, and conduct awareness training and incident response table top exercises on routine basis.
As IT becomes an increasingly important business enabler, it's imperative to apply the notion of risk management to all organizations. A risk-based approach to management can lead to greater accountability and a better change management environment.
Business impact and risk analysis are important lenses for understanding your company’s operational vulnerabilities as well as the various platforms from which to explore risk mitigation and contingency-planning activities.
Through close partnerships with leading security vendors like CyFIR, Tanium, Splunk, Fortinet, Cisco, Symantec, Check Point and many more, WWT can help you evaluate your existing security tools against industry standards to ensure you have pervasive, real-time visibility, improved operational efficiency and a mature cybersecurity program.
For more information on how to protect your company from ransomware and other cyberattacks, register your My WWT account on our website today and sign up for one of the following hands-on workshops or labs: