IR Hotline Numbers:

+44 20 3318 1470
+60 154 877 0076
+61 2 7908 1745
+65 3165 8788
caution icon

Experienced a breach? Reach us now

company logo

Ransomware

Reacting Quickly to a Compromised Server Prevented Data Theft and Ransom Demands

Reacting Quickly to a Compromised Server Prevented Data Theft and Ransom Demands

The Background

A leading tourist attraction developer contacted Pragma after the IT Manager discovered unusual activity on one of their servers.

This company, whom we'll refer to as LT, showcases high-quality tourist projects throughout Asia. The IT Manager first noted suspicious activity on the morning of February 24, 2020. The initial indicator was suspicious activity against their Fortigate firewall. Through analysing this activity, the IT Manager saw a breach had occurred. They found encrypted files on LT's servers. Pragma was engaged to contain the breach, analyse the threat, and restore LT's security perimeter.

The Process

Very quickly, Pragma's CIRT discovered the attackers used a brute force strategy. They targeted a public HR server using the Remote Desktop Protocol. Through this vulnerable spot, the threat actors tried to move laterally through the network. Another set of folders on a different server was encrypted through Server Message Block (SMB) file share. By analysing the timestamps and conducting a forensic investigation, the CIRT dismissed the existence of a second attack. Containing a single breach and restoring operations were the next steps for Pragma and the client to take together.

The Result

With annual revenue in excess of 30 million SGD, a rapid resolution for LT was critical. LT could not function during the ransomware attack. The CIRT contained the breach within a few days and full control was given back to LT after approximately 1 week. This included the time taken to reconstruct a critical database for which there were no backups. After a short recovery window, the client was fully operational and more secure than before. We recommended the following:

  • Backup Scanning and Restoration
  • Anti-Malware Software
  • Updated Firewall Rules
  • User Access Management
  • Vulnerable Port Scanning
  • Password Strengthening

Tags:

Compromised Server
Data Theft
Ransom Demands
Incident Response
Brute Force Attack
Remote Desktop Protocol
SMB File Share
Ransomware Attack
Backup Scanning and Restoration
Anti-Malware Software
Firewall Rules
User Access Management
Vulnerable Port Scanning
Password Strengthening

Join the Pragma Community Today

Email


Solutions

Cyber Advisory

Technology Risk

Compliance, Conduct, and Regulatory Risk

IT Audit

Insights

Pragma Logo

Terms & conditions

Privacy Policy