The client company had been infected with ransomware 12 months earlier and had begun implementing ProCircular's security recommendations from that initial incident response and penetration test. However, the client's IT department did not roll out ProCircular's recommended endpoint solution to a newly acquired entity in a timely manner, leaving those systems vulnerable to a second attack.
- Ransom demanded: $295,000 USD in cryptocurrency (Bitcoin)
ProCircular arrived on site within one hour of client contact and began triaging the situation. Per our Incident Response protocols, we acted quickly to:
- Determine the nature and type of the ransomware
- Identify the path and extent of the infiltration
- Determine if/how much data could be recovered without encryption keys
ProCircular's immediate review of the ransom note and the affected file types identified the malware as "Doppelpaymer." We deployed a sensor to determine the spread of the infection and its network persistence, and discovered that the attacker had used a phishing email to deliver the Emotet dropper, which downloaded the ransomware. Once the workstation was infected, the attacker leveraged its misconfiguration to gain elevated privileges and reach the system file shares.
Although only 10% of workstations were compromised, the malware reached the network file shares and encrypted enough data to render the client incapacitated. It also persisted, re-running on a time-based schedule and after every reboot.
During negotiations, ProCircular engineers determined that, while the client did have system backups, they were written to tape, a legacy technology. The tape backups had not been regularly tested and could no longer be indexed because of file corruption. The client's backups were therefore unusable.
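The backup failure above was only discovered during the incident because the tapes had never been restore-tested. The script below is an added example, not ProCircular's or the client's tooling; it assumes a backup job writes a JSON manifest (relative path to SHA-256) beside the files it copies, and it verifies that manifest on a schedule so an unreadable index or silently corrupted file is caught before it matters. All file names and contents are constructed for the demonstration.

```python
"""Scheduled restore-test check for a backup set (added example).

Assumed layout: <backup root>/manifest.json maps each relative file path to
its SHA-256. The check reads the index and hashes every listed file, so the
three failure modes seen in practice are reported separately: the index
itself cannot be parsed, a file is missing, or a file's content has changed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(manifest_path: str) -> dict:
    """Return {relative_path: 'ok' | 'missing' | 'corrupt'} for every entry,
    or {'__manifest__': 'unreadable'} when the index cannot be parsed."""
    root = os.path.dirname(manifest_path)
    try:
        with open(manifest_path, "r", encoding="utf-8") as f:
            manifest = json.load(f)
    except (OSError, ValueError):
        return {"__manifest__": "unreadable"}
    results = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif sha256_file(full) != expected:
            results[rel] = "corrupt"
        else:
            results[rel] = "ok"
    return results


def backup_is_restorable(results: dict) -> bool:
    """A backup passes only if the index parsed and every file verified."""
    return bool(results) and all(v == "ok" for v in results.values())


def build_demo_backup(corrupt: bool = False, broken_index: bool = False) -> str:
    """Construct a throwaway backup set in a temp dir and return the manifest path.
    corrupt=True tampers one file and deletes another after the manifest is
    written (media rot, partial copy); broken_index=True truncates the manifest
    itself, the 'can no longer be indexed' case."""
    root = tempfile.mkdtemp(prefix="bk_")
    files = {  # constructed sample files
        "payroll.db": b"payroll rows\n",
        "shares/plans.docx": b"q3 plans\n",
        "ad/ntds.dit": b"directory\n",
    }
    manifest = {}
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        manifest[rel] = hashlib.sha256(data).hexdigest()
    mpath = os.path.join(root, "manifest.json")
    text = json.dumps(manifest)
    with open(mpath, "w", encoding="utf-8") as f:
        f.write(text[: len(text) // 2] if broken_index else text)
    if corrupt:
        with open(os.path.join(root, "payroll.db"), "ab") as f:
            f.write(b"\x00" * 8)  # simulated bit rot / truncated block
        os.remove(os.path.join(root, "ad", "ntds.dit"))
    return mpath


if __name__ == "__main__":
    for kwargs in ({}, {"corrupt": True}, {"broken_index": True}):
        r = verify_backup(build_demo_backup(**kwargs))
        print("restorable" if backup_is_restorable(r) else "FAILED", r)
```

Run it from cron or a scheduled task against each backup generation and alert on anything other than "restorable"; a check that only confirms the job ran, without reading the index and the files back, would not have caught the condition described above.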
First, ProCircular used Indicators of Compromise (IOCs) to identify and isolate every infected system on the network, then removed network connectivity from those systems for proper containment. We then assisted with expeditious deployment of the client's endpoint solution. Every IOC we identified was added to the endpoint policies, and we created alerts to notify us of new threat identifications and to immediately block all known malicious activity.
As instructed by the ransom note, we then contacted the attacker through Tor, an anonymity network commonly used to access the dark web. ProCircular began negotiating for more time and a reduced ransom. Over the next day and a half (12 to 16 hours of actual negotiation), ProCircular successfully negotiated the ransom down from $295,000 USD to $75,000 USD.
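The containment step above (sweep the estate for IOCs, isolate every host that matches, feed the same IOCs into alerting) is shown below as an added example; it is not ProCircular's sensor or the client's endpoint product, and the IOC values, host names and log lines are constructed placeholders rather than the engagement's real indicators. It assumes sensor output in a simple key=value line format and shows hash, domain (including subdomain) and IP matching, returning the list of hosts to pull off the network and a per-host hit list that an alert rule can be built from.

```python
"""IOC sweep over constructed endpoint and network log lines (added example).

Assumed log format (one event per line):
  <timestamp> host=<name> type=process|dns|net key=value ...
Returns the hosts to isolate plus the evidence behind each decision.
"""
import re
from collections import defaultdict

# Constructed IOC set: placeholder values, not indicators from the incident.
IOCS = {
    "sha256": {"deadbeef" * 8},
    "domain": {"invoice-update.example", "cdn-static.example.net"},
    "ip": {"203.0.113.45"},
}

EVIL_HASH = "deadbeef" * 8  # placeholder hash for the constructed logs

# Constructed sample events: two hosts in the acquired entity are hit, the rest are clean.
LOGS = [
    f"2020-03-02T08:14:05Z host=WS-ACQ-017 type=process sha256={EVIL_HASH.upper()} image=C:\\Users\\a\\AppData\\invoice.exe",
    "2020-03-02T08:14:09Z host=WS-ACQ-017 type=dns qname=files.invoice-update.example",
    "2020-03-02T08:15:30Z host=WS-ACQ-042 type=net dst=203.0.113.45 dport=443",
    "2020-03-02T08:16:02Z host=WS-HQ-003 type=dns qname=updates.example.org",
    "2020-03-02T08:16:40Z host=WS-HQ-003 type=process sha256=" + "0" * 64 + " image=C:\\Windows\\explorer.exe",
    "2020-03-02T08:17:11Z host=FS-01 type=net dst=203.0.113.46 dport=445",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split '<ts> k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    ev = dict(KV.findall(rest))
    ev["ts"] = ts
    return ev


def domain_matches(qname: str, bad: str) -> bool:
    """Exact or subdomain match, case-insensitive, tolerant of a trailing dot."""
    q = qname.lower().rstrip(".")
    return q == bad or q.endswith("." + bad)


def match_iocs(ev: dict, iocs: dict = IOCS) -> list:
    """Return [(ioc_type, ioc_value), ...] for every indicator the event matches."""
    hits = []
    h = ev.get("sha256", "").lower()
    if h in iocs["sha256"]:
        hits.append(("sha256", h))
    q = ev.get("qname")
    if q:
        for d in iocs["domain"]:
            if domain_matches(q, d):
                hits.append(("domain", d))
    dst = ev.get("dst")
    if dst in iocs["ip"]:
        hits.append(("ip", dst))
    return hits


def sweep(lines, iocs: dict = IOCS) -> dict:
    """Return {host: [(ts, ioc_type, ioc_value), ...]} for hosts with at least one hit."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        for kind, val in match_iocs(ev, iocs):
            hits[ev.get("host", "?")].append((ev["ts"], kind, val))
    return dict(hits)


def isolation_list(hits: dict) -> list:
    """Hosts to remove from the network, sorted for a stable ticket/report."""
    return sorted(hits)


if __name__ == "__main__":
    found = sweep(LOGS)
    print("isolate:", isolation_list(found))
    for host, evidence in found.items():
        for ts, kind, val in evidence:
            print(f"ALERT {ts} {host} matched {kind} {val}")
```

The same IOC dictionary that drives the sweep is what gets pushed into the endpoint policy as block and alert rules, so containment and ongoing detection stay in step; re-running the sweep over fresh logs during the endpoint rollout is how reinfection of a not-yet-protected host is caught.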
After careful risk analysis and validating the attacker’s credibility, we recommended paying the ransom to obtain the encryption keys. The client acquiesced, and we brokered the transfer of funds through ProCircular’s Bitcoin account. Upon receiving payment, the attacker provided the keys to decrypt 100% of the client’s compromised data.
After recovery, ProCircular ensured all the client’s recovered data was stored on clean servers. We then continued to help deploy our recommended endpoint antivirus software to all workstations, while simultaneously monitoring threat intel feeds from our sensor to prevent reinfection of the malware during deployment.
Once all workstations had been protected and the malware threat eliminated, we offered the client recommendations for a modernized backup protocol and for employee training to reduce susceptibility to future phishing.
Between the ransom payment (approximately $75,000 USD) and ProCircular's Incident Response charges, this breach resulted in roughly $120,000 USD in unplanned costs to the client. The cost of idle labor and operational downtime is not included and would likely inflate the financial damage substantially.
After the previous ransomware incident the client already had ProCircular's recommendations in hand. However, the rollout of the planned endpoint protection was not prioritized appropriately. This resulted in a prolonged window of vulnerability that, unfortunately, was exploited. Had the client expedited deployment of ProCircular's endpoint protection plan, this incident would have been prevented.