Ransomware Attack Cripples Manufacturer, Shutting Down All Operations
After an initial attempt to internally contain the incident, the manufacturer reached out to PIP to form an incident response team (IRT) and mitigate additional cyber attack damages.
To protect our client, we are withholding all identifying information.
Industry: Manufacturing
Service: Cybersecurity
The Challenge
A mid-market manufacturer experienced a multi-pronged cyber attack that took all operations offline.
The Solution
PIP assembled an IRT to evaluate the situation, identifying the root and scope, containing the attack, and re-enabling business operations.
The Result
Using edge-controls, PIP terminated all remote access and disrupted the attacker’s dual entrance paths before securing all sensitive systems and restoring operations.
Distinct Attack Vectors
Hours To Assemble, Evaluate, and Deploy IRT
Hours Until PIP On-Site
%
Business Operations Restored
Dual Attack Brings Manufacturer’s Operations To A Halt
A persistent ransomware attack disrupted all business operations, encrypting all servers and user systems on the client’s network. After an initial containment attempt, the internal IT team temporarily contained the attack, only for the attacker to re-compromise the environment a second time within 48 hours.
The PIP team was on-site within 24 hours — Saturday, mid-day. The IRT team identified two distinct attack vectors: surface-level ransomware and, beneath that, a banking trojan attempting to gain access to the company’s financial and HR systems.
“When a cyber attack occurs, speed is of the essence. Downtime, especially in manufacturing, costs hundreds of thousands of dollars per hour. But there’s another reason speed matters: the longer an attacker has access to your systems, the more direct and indirect damage they can do — from accessing financials to compromising your customers’ personal information.”
Fred Purdue
Infrastructure Practice Manager | Performance Improvement Partners
IRT Evaluates, Identifies, Contains, And Re-enables Business Operations
The objective of the IRT was to identify the root cause and scope of the attack, contain it, and re-enable business operations as quickly as possible.
Situation Evaluation
The IRT evaluated the situation within four hours, navigating a number of challenges, including a large number of public-facing applications and hard-coded administrative credentials.
Attack Vector(s) Identified
The reason the internal IT team’s initial containment did not hold was due to the dual attack vectors used by the attacker: ransomware and a banking trojan.
Containment Implemented
Both attacks were contained by deploying remote monitoring and management, then using scripts that recognize ransomware patterns and block file system activity in real-time.
Remediation & System Security
Immediately, PIP worked with the client to secure all third-party banking, payroll, and HRIS systems that hold sensitive data.
Endpoint Detection & Response Platform
By deploying a hardened instance of a cloud-managed anti-malware endpoint detection and response platform, PIP was able to restore 50% of business operations by Monday morning and 100% by Wednesday end-of-day.
The Incident Response Team Achieves All Objectives
Revenue losses are directly tied to the hours of downtime a manufacturer experiences. In addition, the more time the attacker has access to the system, the more lateral — and vertical — movements they can make, compromising critical assets and sensitive data.
That is why our IRT’s objective centered on containment and speed, so the attack could be stopped and business could resume. By first containing the attack, securing the system, and then re-establishing operations, PIP returned our client to operational levels and minimized any further damages.
Now, with an endpoint detection and response platform in place, our client has a more robust security posture and is better protected from security threats.
Related Resources
Learn How to Protect Your Portfolio
Find out why the responsibility — and liability — for cybersecurity goes beyond the IT department to the C-Suite and the Board in the Private Equity Guide to Cybersecurity.
Protect Business. Partner With PIP.
Mitigate risks and deter bad actors by improving your security posture with PIP.