RANSOMWARE
An engineering and construction firm with roughly 80 employees installs cell towers across the country. It has a support agreement with BrenTech, which acts as its IT department.
At 3:00 a.m. the server's intrusion prevention system raised an alert that someone might be breaking in. At 5:30 a.m. a BrenTech engineer logged into the server and confirmed that it had been compromised and that all of its files had been encrypted by ransomware. The engineer immediately blocked the attacker's IP address from reaching the server and the network.
Once discovery was complete, the tally was 5 servers and 8 workstations infected with ransomware.
The BrenTech policies and protections in place were the following:
- ESET antimalware protection running on the servers and workstations
- Cybereason ransomware protection running on the servers and workstations
- Malwarebytes running on the servers
- Three backups daily: two shadow-copy snapshots (7 a.m. and 12 p.m.) and one full system image (11 p.m.)
- SonicWALL gateway device with only ports 25, 80, 143 and 443 open, plus the RDP ports the client had asked to be left open from the internet (the exposure the attacker later used)
BrenTech's forensic investigation found that an attacker from an IP address in the Russian Federation broke in through a local user's Remote Desktop access. That user had a simple username and password, against recommendations BrenTech had made many times over its five years of service.
The attacker uninstalled ESET, Malwarebytes and Cybereason, installed hacking tools, and used those tools to obtain the domain administrator password. They then logged into the 5 servers and 8 workstations one by one, removing the protection on each and installing the ransomware.
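The initial access described above (a password-guessing run against an internet-exposed RDP service that ends in a successful logon) leaves a recognisable pattern in the Windows Security log: a burst of event 4625 (failed logon) records followed by a 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP) from the same source address. The following detector is an added example written for this page, not BrenTech's tooling or the firm's real logs. It runs over constructed sample records in a simplified pipe-delimited format, and the trusted network range (10.0.0.0/8) and the account names are assumptions for illustration.

```python
"""Flag RDP logons that follow a password-guessing burst or come from outside
trusted networks.

Windows Security log facts used: event 4625 = failed logon, 4624 = successful
logon, LogonType 10 = RemoteInteractive (RDP). The records below are constructed
sample data in a simplified format, not real exports from any incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events: timestamp|event_id|account|logon_type|source_ip
SAMPLE_LOG = """\
2021-03-02T02:41:03|4625|jsmith|10|198.51.100.23
2021-03-02T02:41:05|4625|jsmith|10|198.51.100.23
2021-03-02T02:41:08|4625|jsmith|10|198.51.100.23
2021-03-02T02:41:11|4625|jsmith|10|198.51.100.23
2021-03-02T02:41:14|4625|jsmith|10|198.51.100.23
2021-03-02T02:41:17|4624|jsmith|10|198.51.100.23
2021-03-02T07:02:55|4624|bbrown|10|10.0.5.14
2021-03-02T08:15:30|4625|ctaylor|2|10.0.5.40
2021-03-02T08:15:44|4624|ctaylor|2|10.0.5.40
"""

# Hypothetical allowlist: networks from which RDP logons are expected (office LAN).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_events(text):
    """Parse the simplified pipe-delimited records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, ltype, src = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(eid),
            "account": account,
            "logon_type": int(ltype),
            "source_ip": src,
        })
    return events


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_rdp_attacks(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per suspicious RDP (LogonType 10) success.

    A success is suspicious if it was preceded, within `window`, by at least
    `threshold` failures from the same source IP, or if the source IP is not
    in TRUSTED_NETS. Non-RDP logon types are ignored.
    """
    findings = []
    by_ip = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 10:
            by_ip[ev["source_ip"]].append(ev)

    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        failures = []  # timestamps of 4625s since the last success
        for ev in evs:
            if ev["event_id"] == 4625:
                failures.append(ev["time"])
            elif ev["event_id"] == 4624:
                recent = [t for t in failures if ev["time"] - t <= window]
                untrusted = not is_trusted(ip)
                if len(recent) >= threshold or untrusted:
                    findings.append({
                        "source_ip": ip,
                        "account": ev["account"],
                        "time": ev["time"],
                        "failures_before_success": len(recent),
                        "untrusted_source": untrusted,
                    })
                failures = []  # a success resets the burst counter
    return findings


if __name__ == "__main__":
    for f in find_rdp_attacks(parse_events(SAMPLE_LOG)):
        print(f"{f['time']} RDP logon as {f['account']} from {f['source_ip']}: "
              f"{f['failures_before_success']} failures in window, "
              f"untrusted source={f['untrusted_source']}")
```

On the sample data the only finding is the jsmith logon from 198.51.100.23, which trips both rules; the internal RDP logon from 10.0.5.14 and the console (LogonType 2) events are ignored. In production the same logic would be fed from the Security channel rather than a string, and the threshold and window should be tuned to the environment's normal failure rate.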
The attacker left a "how to get my files back" note on the desktop of every system, instructing the victim to pay the ransom in Bitcoin. The amount demanded equated to $175,000 at the time.
BrenTech obtained the client's approval to lock down the network: disable all remote-access ports, enable the SonicWALL gateway protection services to block malicious code at the gateway, and turn on GEO-IP blocking of entire countries.
BrenTech then restored the server images from the backup taken the night before the incident. The domain controller was back in about 4 hours and the file server in 7 hours; all servers were restored and operational within 24 hours. The infected workstations were wiped and reinstalled from scratch. Everything was operational again within 24 hours.
The FBI was contacted and the senior engineer met with its forensic team. All data and traces were handed to the FBI, which over the next two weeks worked with BrenTech to gather further details and forensic evidence. The FBI told the owner of the construction company that they were surprised by how well BrenTech's recovery processes were in place and that being back up and running within 24 hours of a major attack is impressive. The case remains open and under FBI investigation.