Published: 6th November 2023 | In: Insights
Early one morning a ransomware payload had been deployed in an organisation’s system – something they hadn’t expected and didn’t know how to handle. They asked us for urgent help to:
• Ensure full containment of the ransomware infection
• Identify the root cause of the infection, if possible
• Identify any evidence of data exfiltration
• Secure and monitor the infrastructure that had not been affected.
We immediately got to work setting up our Tactical Managed Detection & Response (Tactical MDR) service which provides rapid emergency monitoring and holistic protection via the Microsoft Security ecosystem. The Tactical MDR service was up and running within 4 hours to help contain the situation via Microsoft Defender and provide widespread visibility to the IR team to enable them to swiftly investigate whilst keeping the organisation safe from further attack activity.
But what was the extent of the breach, what damage had already been done and why had it happened?
Realising their worst fears
Our highly experienced incident responders, who have hundreds of hours and hundreds of cases behind them, began their investigation. Over the next few days, they discovered that the victim’s servers had been breached and encrypted, affecting their on-premises and cloud systems – including their back-up servers. The attacker had also exfiltrated data.
Furthermore, the attack had disrupted a large portion of the network services and interrupted business operations to a high degree. Fortunately, we identified no evidence to suggest that the threat actor was able to extend their access to any Software-as-a-Service (SaaS) solutions.
“We worked with their teams to understand the extent of the breach, which was severe,” explains James Allman-Talbot, Quorum Cyber’s Head of Incident Response and Threat Intelligence. “The access the attacker had was extremely extensive and they had free rein over the environment. They had been able to gain the highest possible privileges within the network estate, allowing them unrestricted access to everything contained within the on-premises and virtual Azure network.”
Bringing in extra support
The customer contacted Microsoft’s recovery team, which successfully rebuilt the IT environment from scratch. As a Microsoft Solutions Partner for Security, we regularly work with them on security incidents. We explained the current state of the environment to Microsoft and gave our recommendations from what we’d seen the attacker doing.
Our role in such scenarios isn’t limited to technical detective work and advice. We liaise with professional external organisations too. Because incidents of this nature can be very stressful, we also help our customer’s team to de-stress, regroup and re-energise, and we provide much-needed peace of mind during what’s often their worst-ever week at work.
We contacted law enforcement to report the crime and advised our customer to get in touch with their insurers and any stakeholders, guiding them on what information to share, and when. We also contacted the Information Commissioner’s Office (ICO), the UK’s public sector authority for data protection and information rights. Making sure everyone has the precise information they need in the aftermath of a cyber-attack is crucial and shouldn’t be underestimated.
Attacked at the worst possible time
Attacks like this one go to show that breaches can happen when an organisation least expects them, and they can result in attackers getting inside IT systems for a long period of time before being detected. In this specific case, the organisation discovered the attack just two weeks before they were due to go live with Quorum Cyber’s Managed Detection & Response (MDR) service.
Comprehensive security solutions such as the Microsoft XDR ecosystem provide holistic protection, detection and response across endpoints, data, email, cloud, identity and more. Configured carefully to the company’s environment by Quorum Cyber’s XDR engineers, this provided incredibly strong protection during the company’s worst moments.
Act quickly but take the right steps
When anyone believes they’ve been the subject of a cyber-attack, it’s important to act fast, but the specific actions they take matter just as much, and those actions are not always obvious or intuitive, as our ten dos and ten don’ts when responding to a cyber-attack guide outlines. Taking the right steps can be the difference between making a full recovery and making the situation worse for the organisation impacted.
If you believe you’re experiencing a cyber incident right now, please call our Incident Response team on 0333 444 0041 and we’ll help you right away.
The calm after the storm
Since the incident, the customer has upgraded from our MDR service to our Managed Extended Detection & Response (M-XDR) service, signed up for an Incident Response Retainer (IRR) and we’ve conducted extensive advisory services through the Security Director-as-a-Service (SDaaS).