We helped a major manufacturing company bring their operations back to normal post they fell prey to a Ransomware (cyber-extortion) attack

A major manufacturer of medical goods such as syringes, needles and other medical items noticed early morning one day that their staff wasn’t able to access their desktops and endpoints and upon checking their screen they further found a ransom note that said that their systems have been encrypted and that all their data is locked and can only be restored if they paid a fee to the adversary. They engaged us to help them respond to this cyber incident and help them bring their operations back to normal.

The Challenge

We began our analysis by first identifying the variant of the ransomware that was used, it was ‘zepplin’. Post this, we divided the tasks into two separate branches, recovery and forensics. While our recovery team was working with their operations team to bring their system back up from their backup, the forensics team started conducting analysis on the systems. Our forensics team within the first 24 hours was able to identify the entry point of the attack and also in the due process identified security gap in their environment, including their backups being stored on the same network as one of them. Post recovery and forensics we produced a report and helped them remediate the security gaps identified in the due process

The Solution

  • Identified the security gap that enabled the adversary to penetrate their IT environment and cause damage .
  • Identified security gaps in the due process that were addressed and remediated post the incident response process.
  • Using our threat hunting and threat intelligence platform, our TH-SOC now provides them complete visibility over all the events and activities that happen within their IT environment using.
  • Setup and configured a backup policy for them which is now stored on a secondary storage that is not a part of the existing network.

Tools and Technologies Used

  • Log Analysis
  • TH-SOC