RISK/CHALLENGE:
A mid-sized company in the legal industry was faced with the impacts of a network and data security breach carried out by the CLOP ransomware group.
- Client required immediate Incident Response to include containment & remediation, forensics, and recovery & restoration of systems.
- The Threat Actors demanded a $1M ransom for access to decryption keys.
- The client's Managed Services Provider's (MSP) infrastructure was compromised, which allowed sophisticated malware to run and infect the majority of the firm's infrastructure.
- The firm had a backup strategy; however, the backups themselves were targeted and encrypted by CLOP.
- The firm was completely shut down and all systems were unusable.
- CLOP operators hit the law firm with triple extortion tactics.
TOOLS & TECHNIQUES:
- Emergency Response: Redpoint supported immediate incident response, investigation, and containment. Deployed security tools to protect the network from additional encryption.
- Forensics: Conducted forensics and timeline analysis to confirm credential harvesting (Mimikatz) and that the primary propagation method was Group Policy Objects (GPO).
- Containment: Coordinated with network engineering team to contain active “hostile hosts” through routing updates, data center isolation, and targeted shutdowns of critical operations capabilities.
- Threat Actor (TA) intelligence gathering: Redpoint's threat intelligence team established communications with the TA to gain valuable insight into the TA's operations and shared the intel with the network team.
- Discovery: Analyzed the client's physical/virtual server environment to identify recoverable systems and/or configurations to facilitate the rebuild of critical infrastructure. Performed data integrity analysis on unencrypted data and transferred it to a shared storage solution for recovery after spinning up new server infrastructure.
- Remediation: Consulted with client leadership, technical staff, and 3rd-party provider(s) to plan and execute migration to cloud-based server infrastructure with proper backup policies established and in use; planned, organized, and executed re-imaging of the client's servers and workstations at all locations using the newly established clean infrastructure.
OUTCOMES:
- Rapid response, including initial engagement within the first hour of being retained by Breach Counsel.
- Established critical "mass on target" within the first 12 hours, including facilitation of daily 5 pm coordination meetings with the client's senior leadership team.
- Systematically identified, contained, and remediated “hostile hosts” while balancing business priorities.
- Remediation of client’s hybrid cloud/on-prem workstation and server distribution.
- Initial restoration of essential business services to internal staff and clients was performed within 72 hours, and full restoration completed within seven days.