Ransomware Case Study

FOGO Solutions’ primary focus is to deliver highly secure and efficient IT solutions to empower our clients in safeguarding their systems against cyberattacks. We are dedicated to providing the necessary tools and expertise to ensure the protection of our client’s valuable data and the smooth operation of their business operations.

A group of business people from Fogo Solutions in front of a laptop.

Introduction

A local, midsized Insurance Agency fell victim to a devastating Ransomware attack when an unsuspecting end user opened a malicious email attachment. The attachment infiltrated the network via shared folders and encrypted all data on the on-premise server. The on-premise server was set to replicate on demand with the cloud server, therefore, also encrypting the cloud server, which was not backed up properly.

Upon discovering that their existing provider lacked a secure and reliable backup plan or disaster recovery strategy for their environment, the agency promptly sought assistance from FOGO Solutions. The customer's IT provider had employed inadequate technology to offer a mere semblance of a "backup" solution.

Challenges

After conducting an initial assessment, we gathered crucial information about revealing alarming gaps in their infrastructure: the absence of a comprehensive Disaster Recovery plan, the lack of a valid and secure backup system, and insufficient security measures that failed to deter such attacks. We discovered several critical components missing from their setup, including a proper firewall equipped with comprehensive threat management services, an effective antivirus/EDR solution, adequate patch management for all systems, and minimal to no monitoring of both on-premise and cloud environments.

A man holding a laptop and looking stressed, with his head in his hands.

FOGO Approach Incident Response

  • A group of people conducting a case study on ransomware, sitting around a computer with the number 1 on it.

    1

     Assess the severity of the attack

Assess the severity of the attack

Upon receiving the alert about the incident, we immediately dispatched a technician to the customer's location to provide an immediate, in-person response. This rapid on-site deployment allowed our team to promptly commence researching and investigating the situation. The technician diligently assessed the extent of the damage and identified the necessary steps to be taken to restore the customer's operations. This hands-on approach ensured that the customer received timely assistance and allowed us to expedite the recovery process effectively.

  • A man in a headset on a computer conducting a ransomware case study.

    2

    Course of Action

Course of Action

Identifying

Fogo's technicians identified the ransomware utilized in the attack as Cryptolocker, which was responsible for encrypting the data on the customer's devices. Fortunately, during the attack, no evidence indicated that the data had been copied or extracted from the customer's environment. Our experts diligently examined all systems for signs of infection or encryption, meticulously analyzing the attack vectors to determine the most suitable course of action for the customer's environment in its state at the time of the attack.

Remediating

After recognizing that data restoration through secure backup was not feasible, the only viable option left was to pay the ransom to potentially regain access to the data. Once the decryption keys were obtained, the immediate focus shifted to securing and sanitizing the environment. Key steps included disabling the synchronization between the on-premise server and the cloud server, thoroughly cleaning all devices, installing a robust firewall for enhanced security, deploying an endpoint security/antivirus solution across all devices, implementing patch management protocols, and integrating a Remote Monitoring and Management (RMM) system. Additionally, multiple copies of the decrypted data were created, as they became available, effectively restoring functionality to the data and databases.

Communicating

Throughout the process, Fogo Technicians maintained regular and consistent communication with the customer, ensuring they were informed about the attack's status, timing, resolution, and subsequent remediation steps. Daily contact was established, with Fogo techs and the customer engaging in frequent conversations to exchange updates and address any changes that occurred. Multiple times a day, both parties would communicate to stay informed and keep the customer involved in the progress and developments of the situation. In addition to constant customer communication, Fogo techs notified an FBI Cybersecurity contact as well as local authorities and insurance providers.

  • A group of people conducting a case study around a table with the number 3.

    3

    Results

Results

The customer's operations were completely restored within a week after the attack, although the decryption process for the data within the environment caused the main delay. It took an additional 2-3 weeks for them to be fully back up and running, which included the necessary efforts to catch up and update all affected parties. Throughout this timeframe, comprehensive security measures and robust disaster recovery solutions were successfully implemented to prevent future incidents.

The expenses incurred as a result of paying the ransom, along with the costs associated with lost wages and business functionality, were carefully assessed. Additionally, the cost of migrating the environment to enhanced security solutions was considered.

100% restoration of data and system functionality was achieved.

Business continuity was increased with the new solutions that Fogo put in place in the customer’s environment.

The customer was extremely pleased with the response time and resolution time that Fogo achieved during the attack and remediation.

%
Restoration of Data Received
A man with a mustache providing fogo solutions.

Operations Manager & Senior IT Consultant Marc Thompson on the Importance of Regular Security Audits:

“In today's digitally connected world, we are constantly under attack from malicious actors that are trying to steal information and/or money from us personally and through our businesses, large and small. There are many things that can help protect us from these attacks such as Cybersecurity Training, Security Audits (internal and external), and continued discussions on the importance of following best practice uses in our business and home environments. The threat landscape is continuously changing and keeping this fact on the front of our minds is a great way to help prevent attacks such as ransomware, viruses, business disruptions, and more. Security incidents are a vector that shines a light on more serious issues hidden behind the curtain of everyday business activities and systems.

Security audits help protect our critical data, identify security vulnerabilities, create security policies, and track the effectiveness of the strategies and solutions we implement. Regular audits can help employees stick to the best security practices and can help alert us of new loopholes and vulnerabilities. Regular Cybersecurity Training will help all members of your business perform their jobs following best practice scenarios on a daily basis.”

Learning Lesson

Prior to engaging Fogo, the customer's end users lacked adequate training in identifying and handling malicious emails and other cybersecurity threats. Moreover, the antivirus software in place was inadequate, and both firewall policies and active services were insufficient. Since FOGO, they have improved their environment by implementing a Firewall solution, backup/disaster recovery solution, antivirus solution, email with spam filtering solution, and cybersecurity training.

A group of people from Fogo Solutions in a meeting room.

WANT TO SHARE HOW FOGO DEFEATED A RANSOMWARE ATTACK ON YOUR COMPANY?