When businesses fall victim to a ransomware attack, they can’t do business. Tetra Defense is one of the few incident response firms to prioritize restoration from ransomware attacks while simultaneously conducting our investigation, getting you back to business faster. We develop the best possible response strategy based on your situation and the prior experiences of our incident response team. We then guide you through the process, step-by-step, so you know how our work will get you back to work after a ransomware incident.
Many ransomware response firms place their focus on the investigation, and solely the investigation. While important, that does nothing to ease the uncertainty and get your operation back on its feet. We eliminate the ransomware threat and restore your infected systems while simultaneously conducting the ransomware attack investigation.
The vast majority of the ransomware attacks we respond to do not require us to spend time and money traveling to you. That’s because we built a suite of remote collection tools, reducing the overall ransomware response time and cost. Our innovative approach to ransomware attacks provides immediate service and support across the board.
Dealing with a ransomware attack is stressful enough without having to deal with multiple vendors throughout the response process. To keep things simple, we handle everything from eradication, ransom negotiation, restoration, investigation, and reporting. We offer clear communication and a diverse skillset from our dedicated team.
Ransomware response can take many different paths. We work with you to determine the type of security incident or ransomware infection, the best course of action, and whether restoration from backups or paying the ransom for your encrypted files is the best next step.
If there is no other option to get your encrypted data, we attempt to negotiate the ransom to a lower amount on your behalf. Once we’ve arrived to an amount, we process the payment to retrieve your encrypted files from the infected systems.
We remove the threat from your critical systems, conduct malware scans and network threat hunting. We also preserve evidence from the ransomware attack to inform our investigation of root cause.
Once the decryption keys are obtained, we decrypt all the files and get systems restored to full functionality as quickly as possible.
We provide the details and results of our activities in a final report, including suggested corrective actions and cybersecurity safeguards necessary to avoid future incidents, such as endpoint detection.
In the early morning hours in March of 2020, a high-value target company experienced a Sodinokibi ransomware incident that impacted the vast majority of their user’s workstations. This particular ransomware attack had a unique twist — video screen captures recorded the event, revealing that the threat actors accessed a live feed throughout the attack, and enabled them to actively monitor their victim’s response when the ransomware was triggered.
| 6:01 AM | Surveillance video feed shows a customer call center environment with four rows of cubicles. Four angles of view are in the office area, and there are three employees present. Operations appear normal, with each employee actively engaged in work on their respective workstations, and two of the three are on phone calls. A message at the top of the screen reads, “Your computer is being controlled by ‘Tech Support.’” The threat actor moves the mouse across the screen and hides this message. |
| 6:09 AM | The video feed shows two of the three employees suddenly stand up from their desks and begin to pace the room excitedly while also talking to each other. They point at their screens and gesture to each other. The third employee’s computer still appears to be functional. The other two employees walk over, and all three begin to huddle over the one working machine. One of the three makes a call on his cell phone and starts nervously pacing, even pulling his hair. A message at the top of the screen reads, “Your computer is being controlled by ‘Tech Support.’” The threat actor scrolls the mouse across the screen and hides this message. |
| 6:19 AM | One of the three employees walks out into the hallway, still on his phone. He is seen visibly wiping the sweat from his brow and his hands. He’s gesturing and talking to someone on the phone as the other two employees continue to pace and try to work on the problem inside the call center. The employee walks back into the room from the hallway and sits, head in hands, pulling his hair. “Your computer is being controlled by ‘Tech Support.’” The threat actor hides this message. |
| 6:28 AM | All three employees are sitting around the call center, periodically making calls or texting, and now look defeated as well as distressed. One of the employees gets a phone call and suddenly stands up and runs out of the room and down the hallway. “Your computer is being controlled by ‘Tech Support,’” hidden for the last time. |
Senior Director of DFIR Brad Roughan, Director of DFIR Bryan Mermilliod, and Director of DFIR Rahil Aftab teamed up to tackle this case. They confirmed the ransomware variant as Sodinokibi/REvil, and the root point of compromise to be from a cloud-based RMM (Remote Management and Monitoring) solution named “ConnectWise Control.” Unfortunately, when RMM tools such as ConnectWise are compromised, it allows a threat actor to quickly and effortlessly take over entire networks and to conduct malicious activities undetected and at their discretion. We have seen numerous cases where RMM tools are to mass-deploy ransomware to downstream customers of MSPs. Many of these cases have involved ConnectWise in conjunction with Sodinokibi. Rahil Aftab commented, “It was really interesting to be able to compare the screen capture video to the underlying forensic artifacts. We saw how the threat actor’s activities and the artifacts left behind compared to the videos from the affected systems.”
The organization felt quite blindsided by this attack — they had enforced several precautions across the board and implemented some security best practices. They felt they had good systems to prevent Sodinokibi, so how could an attack like this happen to them? While the high-value target company reported that two-factor authentication was enabled (and should have prevented a login from an unknown 3rd party), Tetra discovered that the employee behind the “Tech Support” user account never completed the process of setting up multifactor authentication. Other risky user behaviors included a saved text file containing user credentials and passwords — both to their desktop and to a personal online account. Personal cloud accounts were on their work laptop, and they were actively using torrents to search for, download, and install movies and cracked software. What’s most glaring is that the “Tech Support” user had sent email attachments including a username and password list — a spreadsheet containing employee names, phone extensions, and IP addresses, all in plain text.
“As we got further into the case, it evolved into a unique mix of both an investigation of an active ransomware attack and an internal investigation of missteps taken by an IT employee. It’s one of the more interesting cases I’ve seen recently,” said Brad Roughan. Bryan Mermilliod commented, “With both external and internal risks at play, the client was understandably on high alert throughout the restoration process. Our ability to detect malicious activity combined with our experience rebuilding and troubleshooting systems after these attacks allowed us to give the client peace of mind as they returned to ‘normal.’” As unsettling as it is to be surveilled in a compromising situation, there is a silver lining to this case.
Thankfully, as evidenced by extended logging in ConnectWise, there was no sign of data exfiltration. This threat actor was solely focused on compromise and ransoming encrypted files rather than stealing the client’s data.
https://tetradefense.com/wp-content/uploads/2021/05/Blog_TetraU.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2021-10-19 10:40:182021-10-19 10:40:20Tetra Defense Announces TRAC, an Apprenticeship Program Within TetraU to Broaden Cybersecurity Education
https://tetradefense.com/wp-content/uploads/2021/08/Blog_RR_July.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2021-08-23 11:28:262021-08-24 10:29:35Ransomware Round-Up: July 2021
https://tetradefense.com/wp-content/uploads/2021/07/TheratIntel_June_Blog.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2021-07-15 10:00:002021-07-15 10:50:52Ransomware Round-Up: June 2021
https://tetradefense.com/wp-content/uploads/2021/06/May_RansomwareRoundUp.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2021-06-18 08:53:572021-06-22 09:13:18Ransomware Round-Up: May 2021
https://tetradefense.com/wp-content/uploads/2021/05/Blog_TetraU.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2021-05-26 16:32:472021-10-19 10:34:38Tetra Defense Announces Launch of Tetra U, a Revolution in Cybersecurity Education
https://tetradefense.com/wp-content/uploads/2021/05/CauseEffect_SunCrypt.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2021-05-03 11:17:462021-09-27 11:56:48Cause and Effect: SunCrypt Ransomware Analysis
https://tetradefense.com/wp-content/uploads/2021/04/Blog_MicrosoftExchange.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2021-04-05 09:59:292021-05-18 13:23:07What You Need to Know About the Microsoft Exchange Vulnerability
https://tetradefense.com/wp-content/uploads/2021/02/Blog_RCE_Exploit.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2021-02-04 12:18:562021-11-13 19:02:29Active Exploit: A Remote Command Execution (RCE) Vulnerability for NCR Aloha Point of Sale
https://tetradefense.com/wp-content/uploads/2020/11/CauseEffect_WastedLocker.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2020-11-17 16:58:002021-09-27 11:52:06Cause and Effect: WastedLocker Ransomware AnalysisWe can help.