A Midwest-based national food manufacturer suffered a ransomware attack in February 2021. While IT technicians should have been home watching one of America’s most beloved sporting events, they were instead scrambling to identify and fend off the attack after a user with executive-level systems permissions opened an email and clicked on a virus-infected attachment.
Soon after, the real nightmare began. Systems went offline, file names started to change, and data became inaccessible across the network. The evidence: a text file left behind with ransom instructions, demanding close to $1M, and the note “your company’s virtual and discreet storage data is encrypted and being held hostage.”
While the ransomware attack didn’t stop the company’s production machines, which could be run offline, it did cut off access to shipping data and other distribution information, posing a significant threat to shipping schedules and other client-facing commitments. The attack also disrupted back-office business operations, and over 130 desktops were potentially compromised and in need of analysis. After internal technical and business discussions, the company chose not to pay the ransom and instead jump-started the arduous process of data retrieval and overall systems recovery. Step one was to lock down the environment and block all WAN/LAN connections. As the internal IT team proceeded, the company quickly realized the tasks were even more daunting, and unachievable without additional support; it was decided that more expertise was needed, and a call was made to bring in Netrix. From here, there were two tracks to be pursued.
1. Legal: The company went through the process of working with their business insurer along with the necessary communications and interactions with the FBI and other State and Federal agencies
2. Technical: Eradicate the breach and restore operations as soon as possible
Like most security breaches, this incident exposed many vulnerabilities that existed because the environment had grown in size and complexity over the years. As is common, internal technical resources were focused on serving a growing business and keeping up with user demands rather than developing security processes and procedures in parallel with the network’s expansion. Some of the more glaring items were inadequately protected domain and access management, a lack of investment in multi-layer network security beyond perimeter protection, and a DR plan that was inadequate and did not meet the required recovery time and recovery point objectives.
The client request came in at 4pm, and Netrix’s first response was at 5:05pm the same day. First engineer access and troubleshooting began at 6:30pm. Initial remediation included endpoint lockdown and isolation along with a shutdown of all LAN and WAN traffic. Next came analysis of which data had been encrypted and which access paths had been used, to get a handle on what was in fact affected and what was not. The goals were established as the following:
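The analysis step above, working out which files are actually encrypted before restoring anything, is the part of the response that scales worst by hand across 130 desktops and a file share. Below is an added illustration of how that triage is typically scripted; it is not Netrix’s or the client’s tooling, and the file names, magic-byte table, ransom-note vocabulary and 7.5 bits/byte threshold are all assumptions chosen for the demo. It separates three cases a practitioner cares about: a known format whose header magic is gone (encrypted in place), a renamed file with an unknown extension (encrypted and renamed), and the ransom note itself. It deliberately does not flag high entropy alone, because intact PDF, Office and PNG files are compressed and also sit near 8 bits/byte.

```python
"""Post-incident triage: find encrypted files and ransom notes on a recovered share.

Added example, not code from the original case study. All sample data below is
constructed for the demo and does not come from the incident.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Header magic for a few common business formats (assumed illustrative subset).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
}
NOTE_SUFFIXES = {".txt", ".html", ".hta"}
NOTE_MARKERS = ("encrypted", "decrypt", "bitcoin", "ransom", "hostage")
HIGH_ENTROPY = 7.5  # bits per byte; random ciphertext sits just under 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte sample, in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_size: int = 4096) -> str:
    """Label one file as 'ransom_note', 'encrypted', 'corrupt' or 'clean'."""
    with path.open("rb") as fh:
        head = fh.read(sample_size)  # the header is enough; no need to read GBs
    suffix = path.suffix.lower()

    # 1. Ransom notes are small text files dense with extortion vocabulary.
    if suffix in NOTE_SUFFIXES:
        text = head.decode("utf-8", errors="ignore").lower()
        if sum(marker in text for marker in NOTE_MARKERS) >= 2:
            return "ransom_note"

    # 2. Known format: an intact header means the bytes are just compressed,
    #    however high the entropy; a missing header plus high entropy means
    #    the file was encrypted in place. Low entropy without a header is
    #    damage of some other kind, which still needs a restore.
    if suffix in MAGIC:
        if head.startswith(MAGIC[suffix]):
            return "clean"
        return "encrypted" if shannon_entropy(head) >= HIGH_ENTROPY else "corrupt"

    # 3. Unknown extension (e.g. report.xlsx.locked): entropy is all we have.
    return "encrypted" if shannon_entropy(head) >= HIGH_ENTROPY else "clean"


def triage(root: Path) -> dict[str, list[str]]:
    """Walk a share and bucket every regular file by its classification."""
    buckets: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            buckets.setdefault(classify_file(p), []).append(str(p.relative_to(root)))
    return buckets


def build_sample_tree(root: Path) -> None:
    """Constructed sample share (not incident data) with one file of each kind."""
    rng = random.Random(1)

    def junk(n: int) -> bytes:  # stands in for ciphertext: uniformly random bytes
        return bytes(rng.getrandbits(8) for _ in range(n))

    (root / "notes.txt").write_text("Shipping schedule for week 7: trucks leave dock 3 at 6am.\n")
    (root / "scan.png").write_bytes(b"\x89PNG\r\n\x1a\n" + junk(3000))  # intact, compressed body
    (root / "invoice.pdf").write_bytes(junk(3000))                       # encrypted in place
    (root / "report.xlsx.locked").write_bytes(junk(3000))                # encrypted and renamed
    (root / "READ_ME_TO_DECRYPT.txt").write_text(
        "Your company's data is encrypted and being held hostage.\n"
        "Pay in bitcoin to receive the decrypt tool.\n"
    )


def run_demo() -> dict[str, list[str]]:
    """Build the sample share in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for label, files in run_demo().items():
        print(f"{label:12s} {', '.join(files)}")
```

In a real engagement the tree walk runs against the mounted share or a forensic image, the per-file labels are written to a CSV alongside the file’s size and modification time (the earliest modification times on encrypted files bound the start of the encryption run), and the ransom-note bucket gives the note text needed for the insurer and law-enforcement reports.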
BACK TO BUSINESS WITH CONFIDENCE
Netrix is managing the company’s 35+ server VMs and approximately 200 users and the related compute infrastructure. With their data recovered and security now firmly in place, the manufacturer is able to focus on its core business while co-managing the network with Netrix, which carries the load of delivering a secure and reliable IT environment, resulting in operational confidence.
The client updated its security compliance standards and the subsequent Disaster Recovery and Business Continuity plans and procedures. To better separate day-to-day operations from compliance and oversight, the services moved to outsourced delivery by Netrix included: