Helping a Wholesale IT Distributor Recover from Threat Actors
The Client is a regional wholesale distributor of computer components, peripherals, accessories and networking products. The Client's distribution offices are in Singapore, Malaysia, Hong Kong, South Africa, Sri Lanka and Mauritius. Regular stock availability and efficiency in logistics are among their unique selling propositions in the IT supply chain.
One of the Client's employees fell victim to a phishing email attack that enabled the attached Emotet Trojan to gain a foothold in the system. The threat actors pivoted from the infected workstation to the company's Domain Controller and deployed Ryuk ransomware to multiple servers and workstations in the Client's environment. With no viable backups, the database from which they run their global business was encrypted.
Pragma first contained the attack by isolating the affected workstations and servers from the network. The Client's IT team was instructed to rebuild affected machines from scratch after forensic images were captured for analysis. In its forensic analysis, Pragma ascertained the first point of compromise to be the phishing email attack.
The Client was given recommendations to strengthen their security posture, such as implementing network segmentation and an Endpoint Protection solution that cannot be tampered with from the local machine.
The Client was adamant about not negotiating with the Threat Actors. As recovery and resumption of business were a priority for the Client, Pragma analysed the encrypted data, found that the ransomware encryption had only affected certain portions of the database, and was able to manually recover tables containing vital data.
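The recovery above relied on the database file being only partially encrypted. The script below is an added illustration of how a responder can triage such a file, not Pragma's tooling or anything from the case: it splits a file into fixed-size chunks, computes the Shannon entropy of each chunk, and treats chunks near 8 bits/byte as encrypted while lower-entropy chunks are candidates for table recovery. The sample "database file", the chunk size and the 7.0 bits/byte threshold are constructed assumptions for the example.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096         # assumed chunk size; tune to the page size of the real database engine
ENTROPY_THRESHOLD = 7.0   # bits/byte; assumed cut-off, above which a chunk looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_chunks(data: bytes, chunk_size: int = CHUNK_SIZE,
                    threshold: float = ENTROPY_THRESHOLD):
    """Return a list of (offset, entropy, looks_encrypted) for each chunk of data."""
    result = []
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        ent = shannon_entropy(chunk)
        result.append((offset, round(ent, 3), ent >= threshold))
    return result


def intact_ranges(data: bytes, chunk_size: int = CHUNK_SIZE,
                  threshold: float = ENTROPY_THRESHOLD):
    """Merge adjacent low-entropy chunks into (start, end) byte ranges worth carving tables from."""
    ranges = []
    for offset, _, encrypted in classify_chunks(data, chunk_size, threshold):
        if encrypted:
            continue
        end = min(offset + chunk_size, len(data))
        if ranges and ranges[-1][1] == offset:
            ranges[-1] = (ranges[-1][0], end)   # extend the previous run
        else:
            ranges.append((offset, end))
    return ranges


def build_sample_file(seed: int = 1) -> bytes:
    """Constructed sample: 8 chunks of record-like text, with chunks 2-4 overwritten by
    pseudo-random bytes to mimic a partially encrypted database file."""
    records = b"".join(b"ORDER,%06d,SKU-%04d,QTY,%03d\n" % (i, i % 9973, i % 500)
                       for i in range(2000))
    plain = bytearray(records[:8 * CHUNK_SIZE])
    rng = random.Random(seed)
    start, end = 2 * CHUNK_SIZE, 5 * CHUNK_SIZE
    plain[start:end] = bytes(rng.getrandbits(8) for _ in range(end - start))
    return bytes(plain)


def triage_report(data: bytes) -> str:
    """Human-readable summary of which byte ranges still look like plaintext."""
    lines = [f"offset {off:8d}  entropy {ent:5.3f}  {'ENCRYPTED' if enc else 'intact'}"
             for off, ent, enc in classify_chunks(data)]
    lines.append("recoverable ranges: " + ", ".join(f"{s}-{e}" for s, e in intact_ranges(data)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(build_sample_file()))
```

On a real engine the chunk size should match the database's page size so that each chunk maps onto whole pages; the intact ranges are then where table pages can be carved or the engine's own repair tools pointed.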
Using the tables recovered by Pragma, and manual input of data that was irrecoverable, the Client was able to recover from the ransomware attack. The Client minimised the future risk of system compromises by implementing the security recommendations and following best practices related to backups.