Introduction
The network of a small, privately held provider of heating, ventilation and air conditioning (HVAC) services was infected with Ryuk ransomware, leaving the company unable to run backend sales processes such as quoting and billing. Quorum Cyber was called in to clear the malware from all affected devices and restore their systems.
The challenge
The customer’s entire IT environment was managed by a regional managed service provider (MSP), which was found to be running legacy systems on the customer’s servers, including Windows 2003. In addition, the only security controls in place were a firewall and basic anti-virus software. Ten months prior to the incident, two banking trojans, Emotet and Trickbot, had been installed on the system via a phishing email. These gave the attackers the foothold they used to subsequently deploy the Ryuk ransomware variant in late January 2020.
The MSP detected the ransomware attack and notified the company, which then contacted their insurer. By the time Quorum Cyber became involved, 12 servers were encrypted and 58 workstations were infected with either banking trojans or ransomware. This represented about 75% of the customer’s total endpoints, and left them unable to perform crucial financial transactions. No customer data was accessed or stolen.
Quorum Cyber’s response and solution
The majority of Quorum Cyber’s work was conducted remotely, linking to the customer’s onsite data centre via secure online connections. Quorum Cyber coordinated communication between the customer and the MSP, which struggled to provide system information and backups due to insufficient technical expertise. During the engagement:
- Quorum Cyber sent two incident response (IR) analysts for the initial IR phase, followed by five PBR responders for the remediation phase.
- The IR team ran forensic imaging, collected evidence, and deployed KECT and endpoint detection and response (EDR) software.
- The PBR team reimaged and decrypted the servers and workstations, ultimately deploying the backups to restore the company’s systems.
Outcome
Despite the incurred costs, the overall business interruption was significantly reduced by Quorum Cyber’s quick IR and remediation work paired with EDR deployment. In summary:
- No ransom had to be paid, as Quorum Cyber restored systems from backups.
- EDR was installed and ran for a month to prevent secondary attacks.
- Fifty-eight workstations were restored within four days over the weekend and were back online and fully operational by close of business on Monday.
- The period of loss caused by business interruption was reduced by three weeks.