In the midst of a bustling workday, the team at <Redacted>, a mid-sized 3PL company, suddenly noticed something was wrong. Employees could no longer access the WMS, and critical applications were throwing error messages. Within minutes, a ransom note appeared on several screens across the office, demanding payment in exchange for the company’s encrypted data. The fax machine and printer continuously spooled pages instructing the company to send money via Moneypak, with the threat that the attackers would otherwise publicly release company information. With operations paralyzed, critical applications down, and revenue losses escalating by the minute, <Redacted> needed a rapid and effective response.
Reaching Out to Experienced IT Solutions
Recognizing the severity of the situation, the management team at <Redacted> immediately contacted Experienced IT Solutions, their trusted MSP partner, for assistance. Within minutes, the incident response team at Experienced IT Solutions was on a video call with <Redacted>’s IT team, assessing the situation and laying out a response strategy.
Step 1: Containment and Isolation
The first priority was to contain the ransomware, which was a challenging task because <Redacted> had no specialized endpoint security tooling. The team at Experienced IT Solutions quickly advised <Redacted> to disconnect infected systems from the network. Experienced IT Solutions’ security engineers immediately blocked all outgoing traffic, shut down the VPN tunnels, and powered down affected servers. Using the company’s UniFi network equipment, they remotely isolated affected devices at the switch and access-point level, preventing further lateral movement and ensuring that the malware could not reach the company’s backups or other endpoints. This immediate action contained the damage and limited the attack to one portion of the network. Because the backup system (an open-source backup platform) sat on a segregated network segment with its own hardened configuration, it was unaffected by the attack.
Step 2: Securing Backup Data
To be certain, Experienced IT Solutions worked with <Redacted> to inspect their backups and confirm they had not been tampered with. The response team checked the backups of each affected machine for malware traces and verified the backup timestamps and file hashes against the values recorded when the backups were taken. The company’s backups were fully intact, stored on a hardened, network-segregated NAS per the best practices Experienced IT Solutions had implemented previously.
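The hash-and-timestamp check described in Step 2 is straightforward to automate. The script below is an added example, not the tooling Experienced IT Solutions used: it records a manifest (relative path, SHA-256, mtime) for a backup tree at snapshot time and later verifies the tree against it, reporting files that are missing, whose contents changed, whose metadata changed, or that appeared after the snapshot (such as a dropped ransom note). The manifest format and the `demo()` scenario are constructed for illustration.

```python
"""Verify a backup tree against a manifest of SHA-256 hashes and mtimes.

Added example (not the MSP's own tooling). The manifest layout is an assumption:
{"snapshot_time": <epoch>, "entries": [{"path", "sha256", "mtime"}, ...]}.
"""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    status: str  # ok | hash_mismatch | mtime_changed | missing | unexpected


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large database dumps do not get loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Record path, content hash and mtime for every regular file under root."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            entries.append({
                "path": os.path.relpath(full, root),
                "sha256": sha256_file(full),
                "mtime": os.stat(full).st_mtime,
            })
    return {"snapshot_time": time.time(), "entries": entries}


def verify_backup(root: str, manifest: dict) -> list[Finding]:
    """Compare the tree under root with the manifest. Content is judged by hash;
    an mtime change with an identical hash is reported separately, since it
    indicates metadata tampering rather than data loss."""
    expected = {e["path"]: e for e in manifest["entries"]}
    findings = []
    for rel, entry in expected.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings.append(Finding(rel, "missing"))
            continue
        if sha256_file(full) != entry["sha256"]:
            findings.append(Finding(rel, "hash_mismatch"))
        elif os.stat(full).st_mtime != entry["mtime"]:
            findings.append(Finding(rel, "mtime_changed"))
        else:
            findings.append(Finding(rel, "ok"))
    # Anything not in the manifest was written after the snapshot: a ransom
    # note, an encrypted copy, or an attacker artifact.
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in expected:
                findings.append(Finding(rel, "unexpected"))
    return findings


def demo() -> dict[str, str]:
    """Constructed scenario: snapshot a small tree, then tamper with it the way
    ransomware would (overwrite, delete, drop a note). Returns path -> status."""
    with tempfile.TemporaryDirectory() as root:
        sample = {"orders.db": b"order rows", "config.ini": b"[wms]\n", "notes.txt": b"ok"}
        for name, data in sample.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)
        with open(os.path.join(root, "orders.db"), "wb") as f:
            f.write(b"\x00encrypted\x00")           # contents replaced
        os.remove(os.path.join(root, "notes.txt"))  # file deleted
        with open(os.path.join(root, "README_TO_RESTORE.txt"), "wb") as f:
            f.write(b"pay or else")                  # dropped ransom note
        return {f.path: f.status for f in verify_backup(root, manifest)}


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:14} {path}")
```

The manifest is only as trustworthy as where it is stored: keep it off the backup host (or signed) so that an attacker who reaches the NAS cannot rewrite both the data and the record used to check it. Run the verification before restoring, and treat any `unexpected` or `hash_mismatch` finding on a backup taken before the incident as a sign the backup segment was reached.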
Step 3: Analyzing the Attack Vector
With containment measures in place, Experienced IT Solutions’ forensic analysts began investigating the ransomware’s entry point. This was a difficult task because <Redacted> had no endpoint protection in place to supply telemetry. Experienced IT Solutions’ security engineers combed through network logs, analyzed email and the Office 365 environment, and reviewed remote access activity. After a thorough investigation, the team determined that the attackers had gained entry through an outdated, externally hosted Apache Tomcat instance. This finding not only addressed the current threat but also provided valuable data for strengthening defenses around vendor-hosted applications.
Step 4: System Cleanup and Data Restoration
Once the infected systems were isolated, the team at Experienced IT Solutions started the eradication process. They cloned the affected systems for later forensic analysis, then re-imaged them from known-good images taken hours before the incident. Experienced IT Solutions deployed its endpoint product portfolio, including MDR and continuous monitoring agents, before the systems and the network’s internet connectivity were brought back online. The company’s databases were then restored from the clean, verified backups, allowing <Redacted> to resume operations without paying the ransom.
Step 5: Reinforcing Cybersecurity Defenses
Following the recovery, Experienced IT Solutions recommended a series of security enhancements to prevent future incidents. They implemented multi-factor authentication (MFA) across all user accounts, improved email filtering for phishing protection, added XDR tools, and provided additional cybersecurity training for <Redacted> employees to enhance awareness. Network segmentation was also revised, so any future infections could be contained more effectively.
Step 6: Developing a NIST-Compliant Incident Response Plan
The incident underscored the need for a comprehensive, well-structured incident response plan. Experienced IT Solutions worked with a partner and <Redacted> to develop an IR plan aligned with NIST SP 800-61, customized to fit their operations and business model. The plan gives the company clear guidelines for responding to future incidents, covering everything from initial detection and containment through recovery and post-incident analysis.
A Swift, Successful Recovery
Thanks to Experienced IT Solutions’ rapid response and comprehensive approach, <Redacted> was able to fully recover from the ransomware attack without paying any ransom. The business resumed operations the next day, and the strengthened security measures have since protected them from further incidents.
Why Partner with Experienced IT Solutions
For <Redacted>, this experience was a reminder of the importance of having expert cybersecurity support and a structured incident response plan. Experienced IT Solutions’ proactive, precise approach not only saved the company from significant financial losses but also empowered them with the tools to face future cybersecurity challenges confidently.
