Reacting Quickly to a Compromised Server Prevented Data Theft and Ransom Demands
A leading tourist attraction developer contacted Pragma after the IT Manager discovered unusual activity on one of their servers.
This company, whom we'll refer to as LT, showcases high-quality tourist projects throughout Asia. On the morning of February 24, 2020, the IT Manager noticed suspicious activity against their FortiGate firewall. Analysing that activity showed a breach had already occurred: encrypted files were found on LT's servers. Pragma was engaged to contain the breach, analyse the threat, and restore LT's security perimeter.
Pragma's CIRT quickly established that the attackers had brute-forced Remote Desktop Protocol (RDP) credentials on a public-facing HR server. From that foothold, the threat actors attempted to move laterally through the network, and a set of folders on a second server was encrypted over a Server Message Block (SMB) file share. Timestamp analysis and forensic investigation allowed the CIRT to rule out a second, separate attack. Containing the single breach and restoring operations were the next steps for Pragma and the client to take together.
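The brute-force entry point described above leaves a recognisable trace in Windows Security logs: a burst of failed RDP logons (Event ID 4625, logon type 10) from one source address, followed by a success (4624) from the same address. The following detection logic is an added example, not code from Pragma or LT; the event records and the 5-failures-in-10-minutes threshold are constructed assumptions.

```python
"""Added example: flag RDP brute-force followed by a successful logon.
Events are constructed tuples modelled on Windows Security log fields:
(timestamp, event_id, logon_type, source_ip, account). Not real LT data."""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # constructed sample data
    ("2020-02-24T02:10:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2020-02-24T02:10:03", 4625, 10, "203.0.113.7", "admin"),
    ("2020-02-24T02:10:04", 4625, 10, "203.0.113.7", "hr"),
    ("2020-02-24T02:10:06", 4625, 10, "203.0.113.7", "hrsvc"),
    ("2020-02-24T02:10:08", 4625, 10, "203.0.113.7", "backup"),
    ("2020-02-24T02:10:11", 4625, 10, "203.0.113.7", "hrsvc"),
    ("2020-02-24T02:10:15", 4624, 10, "203.0.113.7", "hrsvc"),  # success
    ("2020-02-24T02:30:00", 4625, 10, "198.51.100.9", "jlee"),  # benign typos
    ("2020-02-24T02:31:00", 4625, 10, "198.51.100.9", "jlee"),
    ("2020-02-24T02:32:00", 4625, 3, "198.51.100.9", "jlee"),   # not RDP
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: (failure_count, compromised_account_or_None)} for
    every source with >= threshold RDP failures inside one sliding window.
    The account is filled in when a 4624 from the same IP follows the burst."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, eid, ltype, ip, acct in events:
        if ltype != 10 or eid not in (4624, 4625):
            continue  # only RemoteInteractive (RDP) logon outcomes matter here
        bucket = fails if eid == 4625 else successes
        bucket[ip].append((datetime.fromisoformat(ts), acct))

    findings = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            burst = [a for a in attempts[i:] if a[0] - start <= window]
            if len(burst) < threshold:
                continue
            end = burst[-1][0]
            # A success shortly after the burst indicates a guessed password.
            hit = next((acct for t, acct in successes.get(ip, [])
                        if end <= t <= end + window), None)
            findings[ip] = (len(burst), hit)
            break
    return findings


if __name__ == "__main__":
    for ip, (count, acct) in detect_rdp_bruteforce(EVENTS).items():
        print(f"{ip}: {count} RDP failures, compromised account: {acct}")
```

Sources that trip the threshold without a following success still warrant a firewall block; those with a success identify the account whose password must be reset first.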
With annual revenue in excess of 30 million SGD, a rapid resolution for LT was critical: LT could not function during the ransomware attack. The CIRT contained the breach within a few days, and full control was handed back to LT after approximately 1 week. This included the time taken to reconstruct a critical database for which there were no backups. After a short recovery window, the client was fully operational and more secure than before. We recommended the following:
- Backup Scanning and Restoration
- Anti-Malware Software
- Updated Firewall Rules
- User Access Management
- Vulnerable Port Scanning
- Password Strengthening