Case Study: Ransomware Attack and Its Effects

THE BACKGROUND.

An automotive supplier, well known for its smart systems, reached out to us after suffering a ransomware attack (we’ll call them “Tyrel Industries” for the purposes of this case study).

They were referred to us by a colleague in the IT industry who knows what we do and trusts us.

Because the company was relatively small, at ~100 employees (over $10M ARR), it didn’t consider itself a target.

We see this frequently in smaller companies. Often they bring in an IT Director who is a generalist and is tasked with folding ‘security’ into his or her role. Because that person is a generalist, they are not focused on security and are not current on the latest threats.

Tyrel Industries was attacked and extorted for over $80k. That was actually a fairly low ransom demand (most demands are MUCH higher).

IMPORTANTLY, however, the amount of the ‘ransom’ does not reflect the true COST of the incident to the company once you account for lost days of work, missed quarterly sales quotas, new systems that had to be purchased (even though not budgeted for), and the experts brought in to fix the problem and get the computer systems back up and running.

HOW IT BEGAN.

For the first week after the attack, the company did not realize it had been breached; it treated the problem as a computer fault.

The first hit came over the weekend, so nobody noticed until Monday that their computers had all been encrypted.

Management received a lot of messages saying:

"My computer is acting weird"

The ransom note appeared on the computers as a popup:

“We encrypted your computers - pay us in bitcoin to get your files back”

Management called their internal IT guy, who ‘refreshed’ the computers (reimaging them, and with them the evidence of how the attacker had got in).

The following week the computer troubles were back and had spread. This time it was not just the computers that were down; the attack took the phones down too.

Employees could no longer work on their computers, and there was no internet access.

At this point, the company knew they needed outside help.

They reached out to their trusted advisors and brought in Block Harbor to check it out.

BLOCK HARBOR ON THE SCENE.

When our first team came in on the first morning of the engagement, Tyrel Industries employees were leaving. There was literally nothing the staff could do; the company’s work was completely on hold.

By looking at the router, we could tell immediately that their network was, in effect, open to the internet.

In this case, as in many others, every security setting was still at its default. The system had been set up long ago, and the IT guy had been coasting on security ever since. No affirmative steps had been taken to protect against a breach.

We found that the ransomware was an unknown variant of ‘Phobos’, a common ransomware family with no known data recovery tools. This meant there was no practical way to decrypt the files without the attacker’s key.

Forensic data was limited, because logging was insufficient and the refreshed workstations had destroyed evidence, but our analysis of the existing infrastructure configuration showed that the likely point of entry was Windows Remote Desktop Protocol (RDP), which was exposed to the public internet.

Exposed ports are an EXTREMELY common and very easy way to get breached. Typically an attacker runs an automated scanner across the whole internet looking for open services such as RDP (default port 3389); any host that answers is found and probed without anyone having to target the company specifically, and forwarding the service on a non-standard port does not hide it from such scanners.
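As an added example (not code from the case study or from Block Harbor’s tooling), the following script audits a router’s port-forwarding table for the kind of exposure described above and produces a hardened copy. The rule format, the port list and the sample rules are all constructed for this illustration; they are not a real vendor export. The LAN-side port decides what service is exposed, so a forward from WAN port 33891 to LAN port 3389 is still internet-facing RDP.

```python
"""
Audit a small-office router's port-forwarding (NAT) table for services that
should never be reachable from the internet, then produce a hardened table.
The rule format and the sample rules are constructed for this example; they
do not correspond to any real vendor export.
"""
from dataclasses import dataclass, replace

# Services that routinely get ransomware crews in the door when forwarded
# from the WAN.  Keys are the services' default (IANA-registered) ports.
HIGH_RISK_PORTS = {
    3389: "RDP",
    445: "SMB",
    139: "NetBIOS session",
    23: "Telnet",
    5900: "VNC",
    1433: "MSSQL",
    21: "FTP",
}

@dataclass(frozen=True)
class ForwardRule:
    name: str
    wan_port: int      # port opened on the public side
    lan_ip: str
    lan_port: int      # port the traffic actually reaches inside
    source: str        # allowed source: "any" or a CIDR allow-list
    enabled: bool

def parse_rules(text):
    """Parse 'name,wan_port,lan_ip,lan_port,source,enabled' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, wan_port, lan_ip, lan_port, source, enabled = (f.strip() for f in line.split(","))
        rules.append(ForwardRule(name, int(wan_port), lan_ip, int(lan_port),
                                 source, enabled.lower() == "yes"))
    return rules

def open_to_internet(source):
    """True when the rule accepts any source address (no allow-list)."""
    return source.lower() in ("any", "0.0.0.0/0", "*")

def find_exposures(rules):
    """Return (rule, service, note) for every enabled rule that forwards a
    high-risk service to the whole internet.  The LAN port decides the
    service: forwarding WAN 33891 -> LAN 3389 is still exposed RDP, and
    internet-wide scanners check every port, not just 3389."""
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        service = HIGH_RISK_PORTS.get(r.lan_port)
        if service is None or not open_to_internet(r.source):
            continue
        note = ("on its default port" if r.wan_port == r.lan_port
                else f"hidden behind non-standard WAN port {r.wan_port}")
        findings.append((r, service, note))
    return findings

def harden(rules):
    """Disable every exposed high-risk forward.  Remote access should instead
    go through a VPN (or an allow-listed source), which is left to the admin."""
    exposed = {r.name for r, _, _ in find_exposures(rules)}
    return [replace(r, enabled=False) if r.name in exposed else r for r in rules]

# Constructed sample table: a VPN, a web server, two RDP forwards open to the
# internet (one on a "hidden" port), a disabled FTP rule, and an RDP rule
# allow-listed to a single partner address.
SAMPLE_RULES = """
# name,wan_port,lan_ip,lan_port,source,enabled
VPN,1194,192.168.1.1,1194,any,yes
Website,443,192.168.1.30,443,any,yes
RemoteDesktop,3389,192.168.1.20,3389,any,yes
FileServerAdmin,33891,192.168.1.10,3389,any,yes
OldFTP,21,192.168.1.40,21,any,no
PartnerRDP,3389,192.168.1.21,3389,203.0.113.10/32,yes
"""

def audit_sample():
    """Run the audit on the sample table; returns the list of findings."""
    return find_exposures(parse_rules(SAMPLE_RULES))

if __name__ == "__main__":
    for rule, service, note in audit_sample():
        print(f"EXPOSED {service}: rule '{rule.name}' -> {rule.lan_ip}:{rule.lan_port} ({note})")
    print("after hardening:", find_exposures(harden(parse_rules(SAMPLE_RULES))))
```

On the sample table the audit flags `RemoteDesktop` and `FileServerAdmin` only: the disabled FTP rule and the partner rule allow-listed to one address are not internet-wide exposures. `harden` simply disables the flagged forwards; replacing them with VPN access is a separate configuration step.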

From the available forensic data, it appeared that the servers were infected first and that the ransomware then spread to the other hosts over the local network via RDP.
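Had Windows Security logs been forwarded and retained, the RDP spread described above would have been visible as one account opening RDP sessions on many hosts in a short span. As an added example (not code from the case study or from Block Harbor), the script below runs that detection over a constructed set of Event ID 4624 records; LogonType 10 (RemoteInteractive) is the logon type Windows records for a successful RDP session. The JSON-lines format, host names, user names and addresses are all hypothetical.

```python
"""
Detect RDP fan-out in Windows Security logs: one account, from one source
address, opening RDP sessions on several hosts inside a short window.
Event ID 4624 with LogonType 10 (RemoteInteractive) records a successful
RDP logon on the target host.  The JSON-lines format and every event below
are constructed for this example; hosts, users and addresses are hypothetical.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive; LogonType 7 (reconnect/unlock) is not counted here

def parse_events(text):
    """Parse one JSON event per line; skip blank or malformed lines instead of
    aborting, since exported logs are rarely clean."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            e = json.loads(line)
            e["TimeCreated"] = datetime.strptime(e["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError, TypeError):
            continue
        events.append(e)
    return events

def rdp_fanout(events, window=timedelta(minutes=30), min_hosts=3):
    """Return one alert per (source_ip, user) whose RDP logons reached at least
    `min_hosts` distinct hosts within any `window`; the alert lists the hosts
    of the largest such window.  Ordinary users hit one or two hosts a day;
    a hand-driven ransomware deployment walks the whole server list."""
    logons = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4624 and e.get("LogonType") == RDP_LOGON_TYPE:
            key = (e["IpAddress"], e["TargetUserName"].lower())
            logons[key].append((e["TimeCreated"], e["Computer"]))
    alerts = []
    for (src, user), hits in logons.items():
        hits.sort()
        best = set()
        start = 0
        for end in range(len(hits)):  # sliding window over time-ordered logons
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {host for _, host in hits[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts.append((src, user, sorted(best)))
    return alerts

# Constructed sample: an Administrator session from 10.0.0.5 hopping across
# four hosts in twelve minutes on a Sunday night, a normal user on one
# terminal server, a helpdesk account on three hosts spread over a workday,
# one non-RDP (LogonType 3) event, and one corrupt line.
SAMPLE_LOG = """
{"EventID":4624,"TimeCreated":"2019-09-15T02:14:03Z","Computer":"FS01.corp.local","LogonType":10,"TargetUserName":"Administrator","IpAddress":"10.0.0.5"}
{"EventID":4624,"TimeCreated":"2019-09-15T02:16:41Z","Computer":"APP01.corp.local","LogonType":10,"TargetUserName":"Administrator","IpAddress":"10.0.0.5"}
{"EventID":4624,"TimeCreated":"2019-09-15T02:19:12Z","Computer":"DC01.corp.local","LogonType":10,"TargetUserName":"Administrator","IpAddress":"10.0.0.5"}
{"EventID":4624,"TimeCreated":"2019-09-15T02:25:55Z","Computer":"WS-ACCT-03.corp.local","LogonType":10,"TargetUserName":"Administrator","IpAddress":"10.0.0.5"}
{"EventID":4624,"TimeCreated":"2019-09-15T02:14:03Z","Computer":"FS01.corp.local","LogonType":3,"TargetUserName":"Administrator","IpAddress":"10.0.0.5"}
{"EventID":4624,"TimeCreated":"2019-09-13T09:01:10Z","Computer":"TS01.corp.local","LogonType":10,"TargetUserName":"jsmith","IpAddress":"10.0.0.50"}
{"EventID":4624,"TimeCreated":"2019-09-13T13:20:00Z","Computer":"TS01.corp.local","LogonType":10,"TargetUserName":"jsmith","IpAddress":"10.0.0.50"}
{"EventID":4624,"TimeCreated":"2019-09-13T09:30:00Z","Computer":"WS-HR-01.corp.local","LogonType":10,"TargetUserName":"helpdesk","IpAddress":"10.0.0.60"}
{"EventID":4624,"TimeCreated":"2019-09-13T11:45:00Z","Computer":"WS-ENG-07.corp.local","LogonType":10,"TargetUserName":"helpdesk","IpAddress":"10.0.0.60"}
{"EventID":4624,"TimeCreated":"2019-09-13T15:10:00Z","Computer":"WS-ENG-09.corp.local","LogonType":10,"TargetUserName":"helpdesk","IpAddress":"10.0.0.60"}
this line is not valid json and is skipped
"""

def run_sample():
    """Run the fan-out detection over the constructed sample; returns the alerts."""
    return rdp_fanout(parse_events(SAMPLE_LOG))

if __name__ == "__main__":
    for src, user, hosts in run_sample():
        print(f"ALERT RDP fan-out: {user} from {src} -> {', '.join(hosts)}")
```

Only the Administrator session trips the rule: the helpdesk account also reaches three hosts, but hours apart, so no thirty-minute window holds more than one of them. The thresholds are deliberately conservative; in an environment with a busy jump host, tune `window` and `min_hosts`, or exclude known administrative sources, before relying on the alert.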

CASE STUDY REPORT

Download the full report here