Ransomware Attack: 5 Minutes or Less
For the first time, we invite you to take an exclusive and real-life look at how Concierge Security experts within Arctic Wolf’s industry-leading Security Operations workflow triage investigated, escalated and remediated a ransomware attack on a local government organisation.
5:23 am | Source: Active Directory
The ransomware attack against [CUSTOMER] begins in the early morning. Within Active Directory, the Arctic Wolf Aurora detects [USER] logging into multiple systems.
Did you know?
In the four years since January 2016, more than 4,000 ransomware attacks have been carried out daily, according to 2020 ransomware statistics published by the FBI.
5:26
Source: Arctic Wolf Sensor
5:23 am
The Arctic Wolf Sensor continuously scans network traffic. It reads HTTP header information showing outbound communication with [IP ADDRESS], a suspected C2 server. In parallel, the sensor also detects PowerShell Empire activity on [SERVER].
Unsurprisingly, Remote Desktop Protocol (RDP) connections were *the most common attack vector in Q1 2021, with many weaknesses in how remote connections are secured.
5:28
Investigation Triggered
The Arctic Wolf Aurora correlates the C2 traffic with the PowerShell Empire activity on [SERVER]. The incident is escalated to the Triage Team's Level 3 forensics dashboard with Urgent status.
Dwell Time
The time it takes to deploy patches for critical vulnerabilities increased by an *extra 40 days since March. Higher CVE volumes, more critical CVEs, and a disruption of patching programmes caused by the dispersed workforce have all contributed to this increase. *Arctic Wolf Annual Report
Ransomware Cases Rise
As dwell time dropped last year, the number of ransomware cases rose: twenty-five percent of Mandiant investigations involved ransomware, a sharp increase from 14% in 2019.
2021 Ransomware outlook
The healthcare and education sectors were easy targets for ransomware in 2020 due to the disruptions caused by the global pandemic. Analysts are predicting that *the parcel and shipping sector may be hit hard in 2021, driven by an increase in dependency on these services.
5:29
The Investigation Starts
The Arctic Wolf Triage Team begins investigation and finds activity within Active Directory logs of [USER] logging into many systems in a short amount of time. They also confirm that the network and PowerShell Empire alerts are a true positive and begin to assess the scope of the attack.
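As an added illustration, not code from Arctic Wolf or this page, the following shows how the two signals in the timeline can be correlated in a detection pipeline: a burst of network logons by one account across many hosts within a short window, and a host sending HTTP to a suspected C2 address. The event layout, host and account names, the C2 address, the window and the host threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events: (timestamp, event id, account, host, logon type).
# 4624 = successful logon; type 3 = network logon, the kind a logon burst across hosts produces.
AD_EVENTS = [
    ("2021-03-02 05:20:11", 4624, "jsmith", "WS-014", 3),
    ("2021-03-02 05:20:40", 4624, "jsmith", "WS-022", 3),
    ("2021-03-02 05:21:05", 4624, "jsmith", "SRV-FILE01", 3),
    ("2021-03-02 05:21:52", 4624, "jsmith", "SRV-DB01", 3),
    ("2021-03-02 05:22:30", 4624, "jsmith", "SRV-APP02", 3),
    ("2021-03-02 05:22:45", 4624, "svc_backup", "SRV-FILE01", 3),
    ("2021-03-02 05:23:01", 4624, "mlee", "WS-007", 2),  # interactive logon, not counted
]
# Constructed sensor records of outbound HTTP: (timestamp, source host, destination IP).
HTTP_EVENTS = [
    ("2021-03-02 05:25:14", "SRV-DB01", "203.0.113.45"),
    ("2021-03-02 05:25:20", "WS-031", "198.51.100.7"),
    ("2021-03-02 05:26:02", "SRV-DB01", "203.0.113.45"),
]
SUSPECTED_C2 = {"203.0.113.45"}  # placeholder from the documentation address range
WINDOW = timedelta(minutes=5)     # assumed burst window
HOST_THRESHOLD = 4                # assumed: distinct hosts in one window that count as a burst

def find_lateral_movement(events, window=WINDOW, threshold=HOST_THRESHOLD):
    """{account: hosts} for accounts with network logons to >= threshold hosts in one window."""
    by_user = defaultdict(list)
    for ts, eid, user, host, ltype in events:
        if eid == 4624 and ltype == 3:
            by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):  # slide the window over each start time
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= threshold:
                flagged[user] = hosts
                break
    return flagged

def find_c2_beacons(http_events, c2_ips=SUSPECTED_C2):
    """Source hosts with outbound HTTP to any suspected C2 address."""
    return {host for _, host, dst in http_events if dst in c2_ips}

def correlate(ad_events, http_events):
    """Urgent alert when a C2-beaconing host is also inside an account's logon burst."""
    beaconing = find_c2_beacons(http_events)
    return [{"severity": "Urgent", "account": user, "hosts": sorted(hosts & beaconing)}
            for user, hosts in find_lateral_movement(ad_events).items() if hosts & beaconing]
```

Either signal alone is noisy (service accounts legitimately touch many hosts; a single proxy hit may be a false positive), which is why the escalation fires only on the overlap.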
5:48 | Following Investigation
Incident Ticketed
The Triage Team concludes its investigation and contacts the customer, detailing the C2 traffic as well as the logins that preceded the connections. They recommend the customer immediately:
- Contain the device / disconnect it from the network
- Change passwords for the [USER] and service accounts
- Run antivirus scans on endpoints
State of Ransomware
Data breach costs rose from $3.86 million in 2020 to *$4.24 million in 2021, the highest average total cost in the history of the IBM Security Cost of a Data Breach Report.
6:13
Post-Incident Security Journey
Customer responds they have contained [SERVER] and reset the password of [USER]. The Arctic Wolf Triage Team verifies that communication with C2 has stopped on the network.
*According to statistics, the average downtime from a ransomware attack was up to 19 days. Imagine instead having a threat remediated in under an hour from detection.
Next, the security journey continues with our Concierge Security Team
Although many Managed Detection and Response services would end once the ransomware threat was neutralised, the Arctic Wolf Concierge Team is focused on using this attack to improve the customer's security posture:
- Implement the principle of least privilege for remote tools
- Geofence firewalls
- Enable MFA
- Set up a GPO to block the use of PowerShell
- Install the Arctic Wolf Agent on all machines
Ransomware Attacks Are Affecting Every Industry

Government
48 of the 50 U.S. states, as well as the District of Columbia, experienced at least one ransomware attack from 2013 to 2018.
Additionally, at least 948 government entities in the United States were attacked by ransomware hackers extorting money in 2019.

Financial Services
On New Year's Eve 2019, the popular currency exchange service Travelex was hit by a ransomware attack that knocked its services in over 70 countries offline.
The attack also impacted several large national banks that relied on Travelex services. Services were ultimately down for 2 weeks, with the attackers demanding $6M or they would make the customer data public.

Legal
The first prominent ransomware attack on a law firm was . While the DLA Piper security team was able to detect the threat within 20 minutes, the attack had already disabled the firm’s global telephone system and most of its computer network.
It took the firm months to become fully operational again at the cost of tens of millions of dollars.

Manufacturing
In May 2021, Colonial Pipeline was forced to halt operations due to a ransomware attack by the DarkSide gang. The attack shut down more than 5,000 miles of pipeline, cutting supply to many parts of the southeast. The company eventually paid $4.4M to resolve the issue and avoid further crisis.

Healthcare
Ransomware attacks cost the healthcare industry $20.8 billion in downtime in 2020, according to an annual report by Comparitech.
The report also found that 92 individual ransomware attacks occurred at healthcare organisations, affecting 600 clinics, hospitals and organisations. In addition, more than 18 million patient records were impacted by these attacks.
Minutes Matter
We're here to help.
Reach out to learn how Arctic Wolf’s industry-leading Security Operations workflow can detect, investigate, and escalate incidents before they impact your business operations.
