
Incident Response Team Assembled To Counter Multi-Pronged Cyber Attack

A mid-market manufacturing company with multiple independently-operating business units experienced a significant ransomware attack and looked to PIP for containment.

Ransomware Attack Cripples Manufacturer, Shutting Down All Operations

After an initial attempt to internally contain the incident, the manufacturer reached out to PIP to form an incident response team (IRT) and mitigate additional cyber attack damages.

To protect our client, we are withholding all identifying information.

Industry: Manufacturing
Service: Cybersecurity


The Challenge

A mid-market manufacturer experienced a multi-pronged cyber attack that took all operations offline.

The Solution

PIP assembled an IRT to evaluate the situation, identifying the root and scope, containing the attack, and re-enabling business operations.

The Result

Using edge controls, PIP terminated all remote access and cut off the attacker’s two entry paths before securing all sensitive systems and restoring operations.

Key figures (values not preserved in this copy): distinct attack vectors; hours to assemble, evaluate, and deploy the IRT; hours until PIP on-site; percentage of business operations restored.

Dual Attack Brings Manufacturer’s Operations To A Halt

A persistent ransomware attack disrupted all business operations, encrypting every server and user system on the client’s network. The internal IT team’s first containment attempt held only temporarily: the attacker re-compromised the environment within 48 hours.

The PIP team was on-site within 24 hours — Saturday, mid-day. The IRT identified two distinct attack vectors: surface-level ransomware and, beneath it, a banking trojan attempting to gain access to the company’s financial and HR systems.

Performance Improvement Partners | Cyber Incident Remediation

“When a cyber attack occurs, speed is of the essence. Downtime, especially in manufacturing, costs hundreds of thousands of dollars per hour. But there’s another reason speed matters: the longer an attacker has access to your systems, the more direct and indirect damage they can do — from accessing financials to compromising your customers’ personal information.”

Fred Purdue

Infrastructure Practice Manager | Performance Improvement Partners

IRT Evaluates, Identifies, Contains, And Re-enables Business Operations

The objective of the IRT was to identify the root cause and scope of the attack, contain it, and re-enable business operations as quickly as possible.

Situation Evaluation

The IRT evaluated the situation within four hours, navigating a number of challenges, including a large number of public-facing applications and hard-coded administrative credentials.

Attack Vector(s) Identified

The internal IT team’s initial containment did not hold because the attacker was using two vectors at once: ransomware and a banking trojan.

Containment Implemented

Both attacks were contained by deploying remote monitoring and management, then using scripts that recognize ransomware patterns and block file system activity in real time.
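To illustrate the kind of pattern such a containment script keys on, here is an added example (not PIP’s script or the client’s telemetry): a detector that watches rename events per process and flags a burst of files being rewritten to one new extension inside a short window, the shape file-encrypting ransomware leaves behind. The window, threshold, host names, PIDs and event format are all assumed.

```python
"""Toy ransomware-pattern detector over file-system rename events.
Added example; thresholds and the event schema are assumptions."""
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # assumed sliding window per process
RENAME_THRESHOLD = 20    # assumed renames to one new extension that trip a block


class RansomwarePatternDetector:
    def __init__(self, window=WINDOW_SECONDS, threshold=RENAME_THRESHOLD):
        self.window = window
        self.threshold = threshold
        # (host, pid) -> deque of (timestamp, destination extension)
        self._events = defaultdict(deque)

    def observe(self, event):
        """Feed one event; return True if the originating process should be blocked."""
        if event["op"] != "rename":
            return False
        key = (event["host"], event["pid"])
        dst = event["dst"]
        new_ext = dst.rsplit(".", 1)[-1].lower() if "." in dst else ""
        q = self._events[key]
        q.append((event["ts"], new_ext))
        while q and event["ts"] - q[0][0] > self.window:   # drop stale events
            q.popleft()
        # Many renames converging on the same extension inside the window
        return sum(1 for _, ext in q if ext == new_ext) >= self.threshold


def build_sample_events():
    """Constructed sample telemetry, not data from the incident."""
    events = []
    # Burst: one process rewrites 25 documents to a .locked suffix in 5 seconds
    for i in range(25):
        events.append({"host": "ws-07", "pid": 4242, "op": "rename", "ts": 100.0 + i * 0.2,
                       "src": f"C:/Share/doc{i}.docx", "dst": f"C:/Share/doc{i}.docx.locked"})
    # Benign: an editor finalising a few temp files spread over a minute
    for i in range(5):
        events.append({"host": "ws-07", "pid": 900, "op": "rename", "ts": 100.0 + i * 15,
                       "src": f"C:/Users/a/~tmp{i}", "dst": f"C:/Users/a/report{i}.docx"})
    return sorted(events, key=lambda e: e["ts"])


def blocked_processes(events, detector=None):
    """Run the detector over an event stream; return the set of (host, pid) to block."""
    detector = detector or RansomwarePatternDetector()
    return {(ev["host"], ev["pid"]) for ev in events if detector.observe(ev)}
```

A real deployment would pair the block decision with the RMM agent’s process-kill or share-quarantine action and alert the IRT rather than act silently.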

Remediation & System Security

Immediately, PIP worked with the client to secure all third-party banking, payroll, and HRIS systems that hold sensitive data.

Endpoint Detection & Response Platform

By deploying a hardened instance of a cloud-managed anti-malware endpoint detection and response platform, PIP was able to restore 50% of business operations by Monday morning and 100% by Wednesday end-of-day.


The Incident Response Team Achieves All Objectives

Revenue losses are directly tied to the hours of downtime a manufacturer experiences. In addition, the more time the attacker has access to the system, the more lateral — and vertical — movements they can make, compromising critical assets and sensitive data.

That is why our IRT’s objective centered on containment and speed, so the attack could be stopped and business could resume. By first containing the attack, securing the system, and then re-establishing operations, PIP returned our client to operational levels and minimized any further damages.

Now, with an endpoint detection and response platform in place, our client has a more robust security posture and is better protected from security threats.
