Rapid response to brute force attack saves the day

6th November 2019

The Initial Response

It was a normal afternoon in the office until the phone rang. On the line was a company we had never dealt with, panicking because they believed they had been the victims of a cyber-attack, with no idea what they should do next or where to turn.

Within a few moments they were speaking to a senior technician and feeling reassured, realising that they were talking to a team that could and would assist them. The basis of this initial call was the belief that the security of their server and infrastructure had been severely compromised, and we reacted accordingly.

This is a demonstration of the high levels of understanding, responsiveness and customer service that the team here at CSSCloud Ltd delivers. Our priority in handling this call was speed of response, implementing a measured and considered plan based on our experience of such emergencies, and achieving an effective outcome, while staying in constant communication with the client to reassure them that they were in safe hands and to keep them updated.

Mark Cobb (CSSCloud Technical Director) said, “Irrespective of not being a client, our priority was to help, and we immediately assigned a team to investigate, quickly determining that they were undergoing a brute force attack from a hacker based in Iran. A malicious infection had encrypted the server and had deployed the ADAGE variant of the PHOBOS ransomware. Within an hour of receiving the call, the customer's server was on a bench in our workshop being worked on.”

This attack had wreaked havoc, and our technical team's research identified that the encrypted data was not going to be recoverable without the decryption key. The situation was further compounded by the fact that data backups going back 6 months had also been encrypted, rendering them useless.

We were faced with two main challenges:

  1. Dealing with the hackers to obtain the decryption key and to recover their data.
  2. Getting business operations back into a functioning state as quickly as possible.

Negotiating with the hackers 

The customer wanted us to attempt to negotiate with the hackers, potentially paying them to provide the decryption key so that their own server could be decrypted and restored. The team created a Bitcoin account on behalf of the client and liaised with a specialist ransomware recovery company, which brokered the release of the decryption key.

CSSCloud Service Delivery Director Aaron Swanborough says, “Paying the hackers is not something we wanted to do, but with their backs against the wall there were no other options. This situation could have been totally avoided had the customer had greater security measures in place as well as protected local and cloud backups. It is always easy to be wise after the fact, and this is why customers should use an I.T. Support company such as CSSCloud, as we can bring our advice and expertise to them and prevent such attacks as this.”

Re-establishing Business Operations 

Here at CSSCloud we keep loan servers in a “ready to go” state that we can deploy with minimal delay. One such server was very quickly prepared and configured for the client, with the encrypted server converted to a virtual server on the loan machine. We then used the decryption key to decrypt all the data, and the server was recovered to operational status.

CSSCloud Service Delivery Director Aaron Swanborough advised, “Going from the time we received the initial panic phone call to having a loan server deployed and the customer's entire team back up and running within 12 working hours is testament to the skills and experience of our team.”

So, what happened next? 

Having rescued the immediate situation, we then had to take further action to ensure that the customer’s I.T. infrastructure was made secure against further compromise. A blend of hardware and software protections was installed to lock down the site, identify and destroy any further such attacks, and improve the overall operation and efficiency of their network.

These included:

  • Supply and installation of a brand-new server and desktop computers
  • Installation of best-of-breed antivirus and monitoring software
  • Establishment of encrypted backup and disaster recovery features
  • Migration of existing email to Office 365
  • Implementation of multi-factor authentication for Office 365
  • Transfer of the company domain to our control
  • Supply of a fully managed superfast fibre broadband connection

Mark Cobb said, “The I.T. infrastructure of this client’s site is unrecognisable from that which we inherited. Security measures have locked down the site, and with a new server and desktops they have an infrastructure that will serve them well for many years to come.”

Finally, the last piece of the jigsaw is that the customer is now on a full support contract with us. They can rest assured in the knowledge that our fully managed monitoring systems, market-leading security systems and dedicated Support Helpdesk team are all focused on letting them concentrate on their own business activities while we concentrate on their I.T. systems.