The client company discovered encrypted system data and a ransom demand at the start of business one morning. The demand:
- 24 hours to provide approximately $15,000 USD in cryptocurrency (Bitcoin)
The client first contacted the attackers directly and found them unresponsive to negotiation. The client then contacted ProCircular, Inc. for Incident Response guidance and consultation.
Per our Incident Response protocols, we acted quickly to:
- Determine the nature and type of the ransomware
- Identify the path and extent of the infiltration
- Determine whether, and how much, data could be recovered without the encryption keys
We immediately analyzed the available logs and identified an internet-facing Remote Access Endpoint, misconfigured with a weak password, as the point of infiltration. This breach granted privileged system access, and, using the CrySIS and Dharma malware strains, the attackers moved quickly to encrypt 90-95% of the data within 8-12 hours of infection.
Our investigation also revealed that the client’s system backups had not been adequately segregated from the rest of the network; they too were compromised and encrypted, making restoration from backup impossible.
Analyzing the attacker’s Bitcoin account and the malware strain, we determined they were likely both experienced and credible. Therefore, we deemed ransom negotiation and payment as a viable path to data recovery.
First, ProCircular used Indicators of Compromise (IOCs) to identify and isolate every infected system on the network, then disconnected those systems from the network for proper containment. Once all infected systems were contained, ProCircular helped recover known-good files to get the client up and running, reducing the immediate impact on business operations.
We then began negotiating with the attacker through Proton Mail, requesting a reduced ransom amount as well as additional time to procure it and set up the Bitcoin transfer. The attacker allotted us more time but held firm on the ransom amount.
After careful risk analysis and validating the attacker’s credibility, we recommended paying the ransom to obtain the encryption keys. The client acquiesced, and we brokered the transfer of funds through ProCircular’s Bitcoin account.
Unfortunately, the attacker did not return the keys and instead demanded a second payment of roughly $14,000 USD. Again, with no usable backups and the clock ticking, we recommended paying the second ransom. Again, the client agreed. Upon receiving the second payment, the attacker provided the keys to decrypt the client’s data.
After recovery, ProCircular ensured all the client’s data was stored on clean servers and then created secure backups, adequately isolating them from the rest of the system. We also offered comprehensive recommendations to avoid future malware incursions.
Between the two ransom payments (approximately $29,000 USD) and ProCircular’s Incident Response charges, this breach resulted in roughly $60,000 USD in unplanned costs to the client. The cost of idle labor and operational downtime is not included and would likely inflate the fiscal damage substantially.
Based on the size of the client organization, ProCircular could have proactively provided a thorough Penetration Test, Incident Response Planning, and a detailed Risk Assessment for approximately $30,000 USD—roughly half of the cost of this single breach.
From these processes, we most certainly would have identified the endpoint weakness and discovered the vulnerability of the client’s system backups. With ProCircular’s expert analysis, a thorough deployment of complex passwords, and some network restructuring, the client could have significantly reduced its risk of an incursion and greatly limited the potential damage had a breach still occurred.