Customer ransomware attack, recovery and mitigation
The customer is a large retail firm based in the North of England with over 200 employees across multiple UK-based offices.
This customer suffered an email-based ransomware attack. An email containing malware was received by a member of staff and opened, and the user's computer was subsequently infected. The ransomware then encrypted a large number of company files across the network, including many files essential to the running of an accounting application. As a result, the customer was left with an infected computer, several critical file shares inaccessible, and their accounting system out of action.
The Greystone support team were engaged shortly after the initial incident by users reporting that staff could no longer access files.
By identifying which user account had encrypted the files in question, the infected PC was isolated from the network and the user's account was disabled, stopping the ransomware from encrypting any further files.
The customer's file structure was then scanned to determine which files had been encrypted by the ransomware. Using the results of the scan, a file recovery process was started to restore the affected files, including the accounting system files, from backup.
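The two steps above (find the encrypted files, identify the account that wrote them, contain that account) can be scripted. The following PowerShell is an added example and is not Greystone's or the customer's own tooling: the share path, the suspect file patterns and the ransom-note name are assumed placeholders, because the page does not name the ransomware strain or its extension.

```powershell
# Added example (not from the original case study): triage a file share after a
# ransomware incident. Finds files matching suspected ransomware artefacts,
# reports which account wrote them, and optionally disables that account.
# Assumptions (not stated on the page): the share path, the extension list and
# the ransom-note name are placeholders; adjust them to the strain you are handling.

param(
    [string]$SharePath = '\\FILESERVER01\Finance',                                   # assumed path
    [string[]]$SuspectPatterns = @('*.locked', '*.encrypted', 'README_DECRYPT*.txt'), # assumed indicators
    [datetime]$Since = (Get-Date).AddHours(-6),                                      # only recent changes
    [switch]$DisableAccount
)

# 1. Find recently modified files whose names match the suspect patterns.
$hits = Get-ChildItem -Path $SharePath -Recurse -File -Include $SuspectPatterns -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            # The NTFS owner of a newly created file is normally the creating account,
            # so the owner of the encrypted copies points at the infected session.
            Owner         = (Get-Acl -Path $_.FullName).Owner
        }
    }

if (-not $hits) {
    Write-Host "No files matching the suspect patterns modified since $Since"
    return
}

# 2. Summarise by owner: the account with the most hits is the likely infected user.
$byOwner = $hits | Group-Object Owner | Sort-Object Count -Descending
$byOwner | Select-Object Count, Name | Format-Table -AutoSize

# 3. Export the full list; it becomes the work list for the restore-from-backup step.
$hits | Export-Csv -Path "$env:TEMP\encrypted-files.csv" -NoTypeInformation

# 4. Contain: disable the top account so it can write no further files.
$suspect = $byOwner[0].Name            # e.g. CORP\jsmith (DOMAIN\sAMAccountName)
if ($DisableAccount -and $suspect -match '^[^\\]+\\(.+)$') {
    Import-Module ActiveDirectory      # RSAT AD module
    Disable-ADAccount -Identity $Matches[1]
    Write-Warning "Disabled $suspect. Isolate that user's workstation from the network next."
}
```

Run it first without -DisableAccount to review the owner summary; file ownership can be misleading on shares where administrators have taken ownership or where the ransomware inherited a service account, so confirm the account against the file server's object-access audit log before disabling it.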
To mitigate any further ransomware attacks, the customer's IT security was reviewed and several additional technologies were implemented. These included Software Restriction Policies (SRP), which stop unauthorised programs from executing on any computer in the network, and File Server Resource Manager (FSRM) filters, which detect when files are being encrypted by ransomware, block its access and send IT staff an alert message. The controls now in place are:
- Windows Software Restriction Policies.
- Windows Files Server Resource Manager (FSRM) Filters and alerting.
- Data Backup / Recovery.
- NTFS and file share permissions (Principle of Least Privilege).
- Antivirus / Anti-malware.
- Email filtering.
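The FSRM filter and the SRP default rule described above can be set up and verified from PowerShell. The block below is an added example, not the configuration Greystone deployed for this customer: the share path, SMTP server, mail addresses and file-name patterns are assumed placeholders.

```powershell
# Added example (not the customer's or Greystone's configuration): build an FSRM
# file screen that denies writes of ransomware-style file names on a share and
# alerts IT by e-mail and event log, then check that SRP is enforcing a
# default-deny rule. Assumptions: all paths, addresses and patterns are placeholders.

Import-Module FileServerResourceManager   # requires the FS-Resource-Manager feature

# Where FSRM sends mail (one-time server setting).
Set-FsrmSetting -SmtpServer 'smtp.example.internal' `
                -FromEmailAddress 'fsrm@example.internal' `
                -AdminEmailAddress 'it-alerts@example.internal'

# File group of names associated with ransomware (assumed list; keep it current).
$patterns = @('*.locked', '*.encrypted', '*.crypt', 'README_DECRYPT*.txt', '*HELP_RESTORE*')
if (Get-FsrmFileGroup -Name 'Ransomware indicators' -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name 'Ransomware indicators' -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name 'Ransomware indicators' -IncludePattern $patterns | Out-Null
}

# Notifications: e-mail to IT and an event log entry. FSRM expands the [...] macros.
$body = "User [Source Io Owner] attempted to write [Source File Path] on [Server] " +
        "(screen on [File Screen Path]). Isolate the workstation and disable the account."
$mail  = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
             -Subject 'RANSOMWARE INDICATOR on [Server]' -Body $body
$event = New-FsrmAction -Type Event -EventType Error -Body $body

# Active screen: the matching write is denied and both notifications fire.
New-FsrmFileScreen -Path 'D:\Shares\Finance' `
                   -IncludeGroup 'Ransomware indicators' `
                   -Notification $mail, $event `
                   -Active | Out-Null

# Verify the screen exists and is active.
Get-FsrmFileScreen -Path 'D:\Shares\Finance' | Select-Object Path, Active, IncludeGroup

# SRP check: DefaultLevel 0 = Disallowed (default deny, with path rules allowing
# Program Files and Windows); 0x40000 = Unrestricted means SRP is not enforcing.
$srp = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' `
           -ErrorAction SilentlyContinue
if ($srp -and $srp.DefaultLevel -eq 0) {
    'SRP default rule: Disallowed (good)'
} else {
    Write-Warning 'SRP default rule is not Disallowed; unauthorised executables can still run.'
}
```

Two caveats a practitioner should keep in mind. A file screen only matches file names, so a strain that keeps the original name or uses a random extension will not trip it; the screen is an early-warning tripwire that complements, rather than replaces, backups and least-privilege share permissions. And before making the screen active on a production share, deploy it as a passive screen for a few days (omit -Active) so that legitimate files matching a pattern surface in the alerts instead of being denied.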
Results and Benefits
Although this customer suffered a significant ransomware attack, the scale of the damage was limited by the well-implemented file permissions already in place, and all lost data was recovered thanks to a robust backup and recovery solution. The customer now has additional technologies in place to help detect, stop and alert on any further ransomware attack.