A call came into the help desk. A customer said they can’t log in. Another call came in. A different customer said all their files are missing. Three, four, five calls came. More customers who couldn’t work. And the help desk was scrambling to figure out what happened.
Contrary to popular belief, the real cost of a cybersecurity attack isn’t downtime. Any standard recovery plan will resume business operations in no time.
It’s your (and your customers’) insurance company breathing down your neck. It’s being liable for the data breach. It’s not knowing if private information is now on the dark web. It’s having to let every single client know that you dropped the ball.
That lost trust and broken reputation is the real cost. And it can take years to recover.
So, how can businesses avoid this mess? Preparation. To be truly prepared, it helps to know how the enemy operates.
We’re taking you through, play-by-play, what happened to an IT department in our industry. You’ll see exactly how hackers successfully launched a cyberattack and how the IT department responded.
*Note: We’ve been given express permission to share this account. All identifiable details, such as names, have been changed to protect privacy.
We’ll go through what the IT team did right, what vulnerabilities they missed and what every business should do to improve IT security.
Let’s get back to the timeline.
A call came into the help desk. A customer couldn’t log in. Another call came in. A different customer’s files were missing. Three, four, five more calls. More customers who couldn’t work. And the help desk was scrambling to find what happened.
Something was wrong.
Then, heart-dropping news: ransomware was found on a server. Questions started immediately: Is it isolated? Who’s affected? How long has this been happening?
Quickly, it was determined the ransomware went system-wide — every customer was affected.
In less than 1 hour, ransomware had overtaken the entire business. They had a full-blown cybersecurity attack.
Panic set in. There was no choice but to shut down all operations immediately.
A cybersecurity firm was contacted and engaged immediately in evidence preservation — necessary for insurance and liability.
This quick response is the goal. But many businesses can’t say with confidence their IT partner would do the same. Emergencies like this underscore why businesses can’t settle for poor relationships.
What is evidence preservation? In digital forensics, it’s identifying and collecting important information needed to understand the crime. This information is reported to insurance companies and other regulatory agencies.
The impacted business began an attempt to recover all back-ups to avoid more data loss.
The impacted business pursued an aggressive recovery of its cloud environment. Thankfully, back-ups were regular and consistent.
How frequently should back-ups happen? Local backups should happen every hour. Offsite (cloud-based) backups should be nightly.
But there was a problem. How could anyone be sure the recovered back-ups didn’t also have ransomware? It’s a risk the business had to take.
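The question of whether a restored back-up can be trusted is one a defender can partly answer before restoring. The following is an added example, not code from the original post or from iVenture: it assumes a SHA-256 manifest is written at backup time and stored where an intruder cannot alter it (offline or write-once), then checks a candidate restore set against that manifest, flagging altered, missing and unexpected files and encrypted-looking (high-entropy) content for review. The file names, contents and the entropy threshold below are constructed for illustration.

```python
import hashlib
import math
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's content."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record one SHA-256 per backed-up file at backup time.
    Assumption: the manifest is kept separately from the backup set
    (offline / write-once) so ransomware cannot rewrite it along with the data."""
    return {path: sha256_hex(content) for path, content in files.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0). Encrypted or compressed data sits
    near 8.0; plain documents and configs sit far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def verify_backup(manifest: Dict[str, str], files: Dict[str, bytes],
                  entropy_threshold: float = 7.5) -> List[Tuple[str, str]]:
    """Compare a restore candidate against the manifest.
    Returns (path, finding) pairs; an empty list means every manifest entry
    is present and unchanged and nothing extra appeared."""
    findings: List[Tuple[str, str]] = []
    for path, expected in manifest.items():
        if path not in files:
            findings.append((path, "missing"))
        elif sha256_hex(files[path]) != expected:
            findings.append((path, "hash-mismatch"))
    for path, content in files.items():
        if path not in manifest:
            # Ransomware commonly leaves renamed (re-extensioned) files and notes.
            findings.append((path, "unexpected-file"))
        # Heuristic only: legitimately compressed files (zip, jpeg) are also
        # high-entropy, so this flags content for review rather than rejecting it.
        if shannon_entropy(content) >= entropy_threshold:
            findings.append((path, "high-entropy"))
    return sorted(findings)


def safe_to_restore(manifest: Dict[str, str], files: Dict[str, bytes]) -> bool:
    """True only when verification produced no findings."""
    return not verify_backup(manifest, files)


# Constructed sample data: a clean backup and a tainted restore candidate.
GOOD_BACKUP = {
    "docs/contract.docx": b"Service agreement between two parties (constructed)",
    "docs/invoice.txt": b"Invoice 2024-001, total 1200.00 (constructed)",
    "app/config.ini": b"[server]\nport=8080\n",
}
MANIFEST = build_manifest(GOOD_BACKUP)

TAINTED_RESTORE = {
    # original renamed and replaced with encrypted-looking bytes (entropy 8.0)
    "docs/contract.docx.locked": bytes(range(256)) * 16,
    "docs/invoice.txt": b"Invoice 2024-001, total 1200.00 (constructed)",
    "app/config.ini": b"[server]\nport=8080\nadmin=attacker\n",   # altered
    "docs/README_TO_RESTORE.txt": b"your files are encrypted (constructed)",
}

if __name__ == "__main__":
    print("clean backup safe:", safe_to_restore(MANIFEST, GOOD_BACKUP))
    for path, finding in verify_backup(MANIFEST, TAINTED_RESTORE):
        print(f"{finding:16} {path}")
```

Run against the clean set the check passes; run against the tainted set it reports the altered config, the missing original document, the renamed high-entropy replacement and the ransom note, which is exactly the information needed before deciding whether a snapshot can be restored or must be rolled back to an earlier one.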
Let’s think about this.
This is how cybersecurity attacks work. It starts with one problem and quickly dominoes. Another reason why quick responses are critical.
Initial server recovery was almost complete. Nearly all 700 servers were restored.
Customer patience was thinning. They wanted answers as to what happened, how it happened and if their private data was stolen.
Customers with HIPAA, GLBA and other compliance requirements were especially anxious because they needed to report the cybersecurity attack.
It was incredibly difficult to ask customers to wait. To tell them, “We don’t know.” But the impacted business couldn’t ease customer fears until all evidence was preserved.
Let’s be clear: This is the real cost of cybersecurity attacks. This painful process of limping back to customers, head held down, hoping they won’t leave — or worse, sue you.
Downtime can be dealt with. What happens afterward can take years and potentially millions of dollars to fix.
On the afternoon of June 7, an active ransomware infection was found. It was located on a desktop plugin.
What was normally a harmless desktop tool turned into the hackers’ Trojan Horse.
The FBI was brought in. It appeared this cybersecurity attack wasn’t run-of-the-mill. Dark web experts were needed to record the ransomware’s behavior and perform a fingerprint analysis.
What is a fingerprint analysis?
Every business has its own fingerprint, i.e. how its IT environment runs. Hackers observe this fingerprint to stage an attack. Fingerprint analyses are done by experts to understand how the attackers manipulated the business’ fingerprint.
On day 5, the business’ insurance company became heavily involved. It’s important to note that until this point, the business had no access to the insurance company’s resources.
Incredibly, the hired cybersecurity firm contained most of the ransomware despite the threat group’s extensive anti-forensic strategies.
What are examples of anti-forensic strategies?
- Using ambiguous language in code so that readers can’t understand it.
- Faking IP addresses to trick people and systems into allowing access.
- Converting code into an unreadable mess to hide malicious activity.
Patient 0 is not identified
Finally, the business had a name for the threat group that attacked them: Gold Dupont. This group is associated with Saudi Arabia.
Who is Gold Dupont?
They are a cybercriminal group that targets organizations for financial gain. Their calling card is Defray777 malware.
The IT security team also discovered a service account had been compromised by Gold Dupont.
On June 15, the cybersecurity firm finally contained all traces of ransomware. Now, Patient 0 is the top priority.
Nearly a month later, on July 7, Patient 0 was identified and the pieces began to make sense.
It’s confirmed that hackers from Gold Dupont were in the business’ system and watching them for at least 37 days before launching an attack. They quietly added rules, uninstalled code and set up anti-forensic techniques in preparation.
It’s believed that this ransomware attack wasn’t random; there was insider knowledge and intent. The attack was executed especially for this business by the hackers who had plenty of time to sit, watch and learn.
It took more than 40 days to end this mess. Even with a quick response time and a capable IT security team, the business was interrupted for more than a month.
And then they still have to manage worried customers, insurance companies and regulatory agencies. Who knows how long that will take?
But, this cybersecurity attack could have been much worse. Thankfully, this business didn’t have to pay ransom, all data was recovered and nothing leaked onto the dark web.
Not all companies are so lucky. So let’s talk about lessons learned and what businesses should take away from this cautionary case study.
Having the right relationships saved this business from permanent disaster. Because they had a trusted cybersecurity partner, the response was quick. Because their IT team had a strategic continuity plan, recovery was fast and comprehensive.
Just like with any fall, it helps to have the right people around to get you back up. If your business is looking for the right type of partnership to keep you secure, give us a call.
iVenture Solutions is an award-winning managed service provider delivering superior IT solutions to clients across Florida.
As a leading-edge IT firm for small and medium-sized businesses, we provide a diverse range of services covering the entire scope of IT including maintenance, support, hosting and more.
Through rapid response time, reduction of chaos and the right people, our expert team of IT professionals will fulfill your technology needs. At iVenture, we give you more time to do what matters most.