The document summarizes a ransomware attack experienced by the author's organization and the lessons learned. It describes how the ransomware encrypted files and powered off virtual machines. It then details the recovery process over several days, including bringing in an incident response firm, rebuilding infrastructure, and restoring service for customers. Key lessons included having stronger access controls, backups stored separately, and implementing security tools like EDR, centralized logging, and identity management best practices.
2. Certified on…
• Chief Information Security Officer
• Ethical Hacker
• NIST Cyber Security Framework
• Data Privacy and EU GDPR Practitioner
• ISO 22301:2019 Lead Implementer
• ISO 27001 Internal Auditor
• Business Continuity GPG
• ITIL v3
• RHCE
About me
PRABHAKAR RAMAKRISHNAN (CISO & General Manager – IT Infrastructure)
IT Infrastructure, Information Security, Business Continuity & Data Privacy
3. Growing Threat of Ransomware Attacks
• Ransomware is a type of malware that encrypts files on a victim's computer system, making them inaccessible until a ransom is paid.
• The threat of ransomware attacks is growing as cybercriminals become more sophisticated and use new tactics such as double extortion, where they not only encrypt the victim's data but also threaten to leak it if the ransom is not paid.
4. Impact of Ransomware Attacks
• Ransomware attacks can have a devastating impact on individuals and organizations, causing financial losses, reputational damage, and even legal liabilities.
• In addition to the direct costs of paying the ransom and restoring the encrypted data, there are also indirect costs such as lost productivity, business interruption and regulatory compliance.
12. 22-July-22 (Friday), 1:30 AM
• All the virtual machines were powered off in one of our locations
• Blocked one of the users who had many open connections to the file server
22-July-22 (Friday), 6:30 AM
• Identified a compromise (virtual servers were powered down and many files were encrypted)
22-July-22 (Friday), 8:30 AM
• Initiated a call with CXOs
• Informed all our customers about the incident
13. 22-July-22 (Friday), 8:30 PM
• Situation Assessment – Evolving
22-July-22 (Friday), 9:30 PM
• Decided to rebuild completely
• War room set up
23-July-22 (Saturday), 9:00 AM
• Focus of the Recovery Process…
Two things were important for me:
1. How do we identify how this incident happened?
2. How do we protect from further damage?
14. 23-July-22 (Saturday), 9:30 AM
• Approached vendors for Incident Response Services: Mandiant vs CrowdStrike
23-July-22 (Saturday), 6:30 PM
• Decided to go with CrowdStrike. Completed all the formalities.
24-July-22 (Sunday)
• Onboarded CrowdStrike. Agent installation for 3500+ devices
15. 24-July-22 (Sunday)
• Coimbatore location was our focus. Infrastructure was made LIVE.
• Strong verification process
26-July-22 (Tuesday)
• Started production and delivery for a few customers
29/30-July-22 (Friday)
• Started production and delivery for most of our customers
16. BlackCat/ALPHV
[Diagram: Office 1 and Office 2, each showing a Mgmt Server and VM Infra; Active Directory and File Server; Mega.io]
17. Incident Summary
• The threat actor used a compromised account to access the servers over RDP.
• Using the admin account, the threat actor copied and installed Tor (The Onion Router), open-source software for anonymous communication. During this installation the threat actor masqueraded Tor as Applocker.exe, which is a legitimate Microsoft Windows application.
• Tor is open-source software that creates a multi-hop proxy network, which allowed the threat actor to communicate with the compromised systems over an encrypted channel.
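The masquerade described above (an anonymity tool dropped under a legitimate Windows file name) is something an inventory or EDR export can be checked for: a file whose name belongs to a known Windows binary but whose signer or location does not match. The block below is an added example, not code from the deck or from any vendor named in it. The inventory records, the expected-name table and the signer string "Microsoft Windows" are constructed assumptions; the table is meant to be built from your own gold image, and the `applocker.exe` entry is included only because the deck describes Tor being dropped under that name.

```python
"""Flag binaries that borrow a legitimate Windows file name but are not signed
by the expected publisher or do not live where the genuine file would.

Added example (not from the original deck). Records and the expected-name
table are constructed; in practice the records come from an EDR or software
inventory export and the table from your own baseline.
"""
from pathlib import PureWindowsPath

# Assumption: names expected only as Microsoft-signed files under C:\Windows.
EXPECTED = {
    "applocker.exe": "Microsoft Windows",
    "svchost.exe": "Microsoft Windows",
    "lsass.exe": "Microsoft Windows",
}
SYSTEM_ROOTS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows")


def is_under_system_root(path: str) -> bool:
    """True when the path sits below one of the Windows system directories."""
    p = path.lower()
    return any(p.startswith(root + "\\") for root in SYSTEM_ROOTS)


def find_masquerades(records):
    """Return (host, path, reason) for every record that looks like masquerading."""
    findings = []
    for rec in records:
        name = PureWindowsPath(rec["path"]).name.lower()
        expected_signer = EXPECTED.get(name)
        if expected_signer is None:
            continue  # not a name we track
        reasons = []
        if rec.get("signer") != expected_signer:
            reasons.append(f"signer is {rec.get('signer') or 'unsigned'}, expected {expected_signer}")
        if not is_under_system_root(rec["path"]):
            reasons.append("outside the Windows system directories")
        if reasons:
            findings.append((rec["host"], rec["path"], "; ".join(reasons)))
    return findings


# Constructed inventory sample: one genuine svchost, one Tor build renamed to
# Applocker.exe in a user-writable folder, one unsigned copy placed in System32,
# and an unrelated vendor tool that should not be flagged.
SAMPLE_RECORDS = [
    {"host": "MGMT01", "path": r"C:\Windows\System32\svchost.exe", "signer": "Microsoft Windows"},
    {"host": "MGMT01", "path": r"C:\Users\admin\Downloads\Applocker.exe", "signer": "The Tor Project, Inc."},
    {"host": "FS01", "path": r"C:\Windows\System32\applocker.exe", "signer": None},
    {"host": "FS01", "path": r"C:\Program Files\Vendor\tool.exe", "signer": "Vendor Ltd"},
]

if __name__ == "__main__":
    for host, path, reason in find_masquerades(SAMPLE_RECORDS):
        print(f"{host}: {path} -> {reason}")
```

The check deliberately keys on the file name rather than on a hash, because a renamed third-party binary has no reason to match any Windows hash; the signer and path comparisons are what surface it.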
18. Incident Summary
• To further maintain persistence in the environment, the threat actor installed multiple remote management tools: Atera agent, AnyDesk, LogMeIn, Bitvise and ZeroTier.
• The threat actor attempted lateral movement by installing the remote management tool Action1.
• The threat actor used the compromised privileged account to copy a compressed file containing multiple legitimate system administration tools, different variants of the ransomware encryptor and text files.
• The threat actor created an account named MS_BACKUP on the domain controller and added it to the Domain Admins group.
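Two of the behaviours on this slide leave clear traces in the Windows Security log: a freshly created account being added to Domain Admins, and remote management tools starting on servers where nobody sanctioned them. The block below is an added example, not code from the deck or from any vendor it names. It uses a flat, simplified event shape that is constructed here; a real pipeline would map the fields from Event IDs 4720 (user account created), 4728 (member added to a security-enabled global group) and 4688 (new process created). The executable names in `RMM_TOOLS` and the sample timestamps are assumptions, with the account name and times chosen to echo the deck's timeline.

```python
"""Correlate Windows Security events for privileged-group additions of new
accounts and for unapproved remote management tools starting.

Added example (not from the original deck). Events are constructed in a
simplified shape keyed by Event ID 4720 / 4728 / 4688.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumption: executable names for the tools the deck lists; adjust to what
# your inventory actually shows. APPROVED_RMM holds any sanctioned tool.
RMM_TOOLS = {"anydesk.exe", "ateraagent.exe", "logmein.exe", "bvsshserver.exe",
             "zerotier-one.exe", "action1_agent.exe"}
APPROVED_RMM = set()
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}
NEW_ACCOUNT_WINDOW = timedelta(hours=24)


def detect(events):
    """Return (severity, message) tuples in event-time order."""
    alerts = []
    created = {}  # account name (lower-case) -> creation time, from 4720
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4720:
            created[ev["target"].lower()] = t
        elif ev["id"] == 4728 and ev["group"].lower() in PRIVILEGED_GROUPS:
            member = ev["target"].lower()
            msg = f"{ev['ts']} {ev['host']}: {ev['subject']} added {ev['target']} to {ev['group']}"
            age = t - created[member] if member in created else None
            if age is not None and age <= NEW_ACCOUNT_WINDOW:
                # Account created and made privileged inside one window: high.
                minutes = int(age.total_seconds() // 60)
                alerts.append(("high", f"{msg} ({minutes} min after the account was created)"))
            else:
                # Any change to a privileged group still deserves a look.
                alerts.append(("medium", msg))
        elif ev["id"] == 4688:
            exe = PureWindowsPath(ev["process"]).name.lower()
            if exe in RMM_TOOLS and exe not in APPROVED_RMM:
                alerts.append(("medium", f"{ev['ts']} {ev['host']}: unapproved remote management "
                                         f"tool {exe} started by {ev['subject']}"))
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2022-07-21T09:00:00", "id": 4728, "host": "DC01", "subject": "CORP\\itops",
     "target": "jdoe", "group": "Domain Admins"},
    {"ts": "2022-07-22T00:50:00", "id": 4688, "host": "MGMT01", "subject": "CORP\\admin",
     "process": "C:\\Users\\admin\\Downloads\\AnyDesk.exe"},
    {"ts": "2022-07-22T01:05:00", "id": 4720, "host": "DC01", "subject": "CORP\\admin",
     "target": "MS_BACKUP"},
    {"ts": "2022-07-22T01:07:00", "id": 4728, "host": "DC01", "subject": "CORP\\admin",
     "target": "MS_BACKUP", "group": "Domain Admins"},
    {"ts": "2022-07-22T01:10:00", "id": 4688, "host": "FS01", "subject": "CORP\\svc_backup",
     "process": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for severity, message in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The correlation only works if the domain controllers and the servers forward their Security logs to one place, which is exactly the centralized-logging gap the deck lists later.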
19. Ransomware Deployment Activity
• The threat actor copied multiple binaries of Windows- and Linux-based ALPHV ransomware encryptors to the system.
• The threat actor targeted ESXi systems by copying the Linux ALPHV ransomware Executable and Linkable Format (ELF) binaries onto multiple VMware ESXi systems.
• Once connected to the ESXi systems over SSH using the root account, the threat actor copied the ALPHV ELF encryptor to the ESXi systems and executed it. This resulted in the encryption of several virtual machine disk (VMDK) files stored on the datastores attached to these ESXi systems.
20. Major Gaps
• EDR was not installed on the servers that were compromised.
• Weak passwords; the same password was used for multiple devices.
• 2FA was not configured for all external-facing applications.
• Backups were stored in the same environment.
• Lack of centralized logging.