Incident Report – March 2024

Acme Corp.

Event

Acme Corp was compromised by a ransomware attack. The initial point of compromise has not been confirmed. The COO was on‑site on Saturday and noticed the ACME‑Host machine actively running unauthorized applications placed by the bad actors. The ACME‑Host machine runs a vendor inventory service. The COO contacted IT immediately, and the server's network access was promptly disconnected.

Response

On‑Premises Response

Saturday

  • Disconnected all public network access and re‑configured remote access for IT personnel
  • Started the backup‑restoration process for the ACME‑Host server
  • Started identification, detection, and analysis of the affected endpoints
  • Performed local restores of user PCs to check the status of available restore points

Sunday

  • Set up access between warehouse and front‑office network switches
  • Disabled SSL‑VPN access, disabled RDP access
  • Cleaned up Active Directory
  • Restored affected servers
  • Ran a malware scan on affected servers – discovered the trojan inserted by the bad actor
  • Tested restore points across devices to verify an uninfected state
  • Identification and analysis of malware on ACME‑Host

Monday

  • Eradication of ransomware – wiped affected endpoints and reinstalled OS
  • Restoration of network access

Tuesday

  • Eradication & recovery – set up network access for sanitized PCs and provided requested utilities
  • Bitdefender policy assessment with Bitdefender Labs

Wednesday

  • Eradication & recovery – continued network setup for sanitized PCs
  • Information gathering from ACME‑Host

Thursday & Friday

  • Eradication & recovery – ongoing network setup for sanitized PCs and utility provisioning

Remote Response

Conclusion – What We Know