Ransomware Attack 5 Minutes or less
For the first time, we invite you to take an exclusive and real life look at how Concierge Security experts within Arctic Wolf’s industry-leading Security Operations workflow triage investigated, escalated and remediated a ransomware attack on a local government organization.
View Timeline Navigation
5:23 am
Source: Active Directory
Did you know?
5:26 am
Source: Arctic Wolf Sensor
5:28 AM
Investigation Triggered
The Arctic Wolf Aurora Platform correlates C2 traffic with PowerShell Empire activity on [SERVER]. The incident is escalated to Triage Team Level 3 forensics dashboard with Urgent status.
Dwell Time
Ransomware Cases Rise
2021 Ransomware outlook
5:29 AM
The Investigation Starts
The Arctic Wolf Triage Team begins investigation and finds activity within Active Directory logs of [USER] logging into many systems in a short amount of time. They also confirm that the network and PowerShell Empire alerts are a true positive and begin to assess the scope of the attack.
5:48 aM | Following Investigation
Incident Ticketed
The Triage Team conclude their investigation and contact customer detailing the C2 traffic as well as logins which preceded the connections. They recommend the customer immediately:
-
Contain the device / disconnect from network
-
Change passwords for the [USER]and service accounts
-
Run Antivirus scans on endpoints
State of Ransomware
Begin Post-Incident Zone
6:13 AM
Post-Incident Security Journey
Customer responds they have contained [SERVER] and reset the password of [USER]. The Arctic Wolf Triage Team verifies that communication with C2 has stopped on the network.
*According to statistics, the average downtime from a ransomware attack was up to 19 days. Imagine having a threat remediated in under an hour from detection! *Safeatlast.co
Next, the security journey continues
Attack Timeline:
with our concierge security team
Although many Managed Detection and Response services would end once the threat of ransomware was finished, theArctic Wolf Concierge Team is focused on using this attack to improve the security posture of the customer.
Implement principle of least privilege for remote tools
Geofence firewalls
Enable MFA
Setup GPO to block use of PowerShell
Install Arctic Wolf Agent on all machines
Ransomware Attacks
Are Affecting Every Industry
Government
48 of the 50 U.S. states, as well as the District of Columbia, experienced at least one ransomware attack from 2013 to 2018.
Additionally, at least 948 government entities in the United States were attacked by ransomware hackers extorting money in 2019.
Financial Services
On New Year’s Eve of 2019, the popular currency exchange service Travelex was hit by a ransomware attack knocking over 1,200 stores and kiosks in over 70 countries offline.
The attack also impacted several large national banks that relied on Travelex services. Ultimately services were down for 2 weeks with attackers demanding $6M or to take the customer data public.
Legal
The first prominent ransomware attack on a law firm was DLA Piper in 2017. While the DLA Piper security team was able to detect the threat within 20 minutes, the attack had already disabled the firm’s global telephone system and most of its computer network.
It took the firm months to become fully operational again at the cost of tens of millions of dollars.
Manufacturing
In May 2021, the Colonial Pipeline was forced to halt operations due to a ransomware attack by the DarkSide gang. The attack shut down more than 5,000 miles of pipes and cutting supply to many parts of the southeast. The pipeline eventually paid out $4.4M to resolve the issue and avoid further crisis.
Healthcare
Ransomware attacks cost the healthcare industry $20.8 billion in downtime in 2020, according to an annual report by Comparitech.
The report also found that 92 individual ransomware attacks occurred at healthcare organizations, and 600 clinics, hospitals and organizations were affected. In addition, more than 18 million patient records were impacted by these ransomware attacks.
Minutes Matter
We're here to help.
Reach out to learn how Arctic Wolf’s industry-leading Security Operations workflow can detect, investigate, and escalate incidents before they impact your business operations.
