
True Success Story: Another Incident Response Case Study

Location: Hong Kong
Industry: Consulting Company
Company Size: 200 employees
Date: 4th October 2019
Sangfor Solution: Sangfor NGAF + Endpoint Secure (aka ES) + IAM
For confidentiality reasons, we are not permitted to disclose the customer's name.

In early October 2019, the Sangfor IR team received an urgent request from a major Hong Kong consulting company whose systems had been infiltrated by ransomware and fully encrypted. The attackers demanded over 40,000 HKD in Bitcoin to decrypt the server, and decrypted a single folder as a show of good faith intended to build trust and pressure the victim into paying quickly.

The Sangfor IR team responded immediately by connecting to the customer's systems remotely. Within 30 minutes, Sangfor HQ experts had identified the ransomware as a member of the Ryuk family and mapped its path of destruction through the network. The Sangfor Hong Kong FAE helped the customer deploy Endpoint Secure to remove the malware completely. At the customer's request, Sangfor also provided root-cause analysis, locating the entry point of the incident and the underlying vulnerability, with results available within hours.

While Sangfor cannot decrypt the files the ransomware encrypted, the clear information its solutions provide on the ransomware family and variant, the kill chain, the entry point, and the IOCs used for triage lets you close the hole the attackers used and harden the environment against this and similar ransomware attacks.

Sangfor Suggestions:

1. Take the infected devices offline (all affected servers and workstations) to stop further encryption and lateral movement.
2. Analyze and remove the ransomware using Sangfor Endpoint Secure, restore from a clean system backup, and before going back online confirm that patches are applied and AV and ES protection is active.
3. Review firewall policies and update the firewall to the latest version.
4. Reconnect to the network and monitor continuously for any sign of reinfection.
5. If RDP is not required for business, disable it; if it is required, restrict it to known source addresses and require strong authentication.
6. Shorten backup intervals for important servers and keep at least one copy offline or otherwise unreachable from the network, so the backup cannot itself be encrypted. Find and replace weak system and application passwords.
7. Check every endpoint and server for security software. Run a full scan with AV and ES and enable real-time monitoring.
8. Perform a comprehensive network security assessment and remediate the weaknesses it identifies.

Sangfor Solution:

A critical step for the attackers is establishing command-and-control (C&C) communication, which lets them stage the ransomware payload onto compromised hosts and control them remotely. Most firewalls can block C&C traffic to known-bad addresses and domains, but advanced attackers use a domain generation algorithm (DGA) to produce a constantly changing set of rendezvous domains, so static blocklists and signatures miss the traffic. A DGA does not encrypt the channel; it hides the destination by churning through pseudo-random domain names, only a few of which the attacker ever registers.

Sangfor NGAF provides C&C communication detection that covers DGA-generated domains as well as known-bad destinations. Through the integration of Sangfor Endpoint Secure and NGAF, customers get an evidentiary view of the entire attack chain, making it straightforward to find the intrusion point and suspicious activity.
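To make the DGA point above concrete, here is an added example (not Sangfor's or NGAF's own code) of the lexical heuristics a detector applies to DNS query logs: long labels, high character entropy, few vowels and mixed-in digits score a domain as DGA-like, and a host resolving several such domains in one window is what actually merits an alert. The log format, the public-suffix list and the thresholds are assumptions made for the example; the log lines are constructed.

```python
"""Heuristic detection of DGA-style domains in DNS query logs.

Added illustration, not Sangfor code. The log format (timestamp client qname),
the public-suffix list and the threshold values are assumptions; production
detectors use classifiers trained on known DGA families rather than the
hand-tuned scoring shown here.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log lines: "<time> <client> <qname>"
SAMPLE_LOG = """\
2019-10-04T08:12:01 10.1.5.23 www.microsoft.com
2019-10-04T08:12:02 10.1.5.23 login.live.com
2019-10-04T08:12:05 10.1.5.41 xkqzvtwpbrldjn.com
2019-10-04T08:12:05 10.1.5.41 q7hz3k9ptv2rwm.net
2019-10-04T08:12:06 10.1.5.41 mlgrtqbwxvzpkd.org
2019-10-04T08:12:09 10.1.5.77 mail.google.com
2019-10-04T08:12:10 10.1.5.77 cdn.example.co.uk
"""

# Assumed public suffixes, longest first; a real tool would use the Public Suffix List.
PUBLIC_SUFFIXES = ("co.uk", "com", "net", "org", "uk")
VOWELS = set("aeiou")


def registrable_label(qname):
    """Return the label directly left of the public suffix ('example' in cdn.example.co.uk)."""
    labels = qname.lower().rstrip(".").split(".")
    for suffix in PUBLIC_SUFFIXES:
        parts = suffix.split(".")
        if len(labels) > len(parts) and labels[-len(parts):] == parts:
            return labels[-len(parts) - 1]
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits of entropy per character over the label's own character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_score(label):
    """Count how many DGA-like traits the label shows (0..4)."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    traits = (
        len(label) >= 12,                # long random labels
        shannon_entropy(label) >= 3.5,   # near-uniform character distribution
        vowel_ratio < 0.2,               # unpronounceable consonant runs
        digit_ratio > 0.2,               # alphanumeric generators mix in digits
    )
    return sum(traits)


def analyze(log_text, domain_threshold=3, client_threshold=3):
    """Return (flagged_domains, suspicious_clients).

    A single odd-looking domain is weak evidence; a host resolving several of
    them in one window is the DGA rendezvous pattern worth alerting on.
    """
    flagged = []
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        if dga_score(registrable_label(qname)) >= domain_threshold:
            flagged.append(qname)
            per_client[client].add(qname)
    suspicious = sorted(c for c, d in per_client.items() if len(d) >= client_threshold)
    return flagged, suspicious


if __name__ == "__main__":
    domains, clients = analyze(SAMPLE_LOG)
    print("DGA-like domains:", domains)
    print("Hosts to triage:", clients)
```

Lexical scoring alone produces false positives on CDN hostnames and legitimate randomised labels, which is why the per-client count matters: in the constructed log only 10.1.5.41 resolves several DGA-like names in quick succession, and that is the host an analyst would isolate first.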

Sangfor Endpoint Secure plants decoy (honeypot) files in sensitive folders; ransomware that touches these bait files exposes itself before it reaches real data, giving ES and NGAF an early signal to contain it. Sangfor answered the call and protected the reputation and revenue of this company, and is ready to do the same for you.
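The decoy-file idea described above, as an added example that is not Endpoint Secure's implementation (the page does not describe its internals): plant bait files, record a baseline of their content hashes, and report any decoy that has been modified, renamed or deleted. The decoy names, the polling approach and the simulated encryption step are constructed for the example.

```python
"""Decoy ("honeypot") files as an early ransomware signal.

Added illustration, not Sangfor's Endpoint Secure implementation. Decoy names
and the simulated encryption step are constructed for the example.
"""
import hashlib
import os
import tempfile

# Bait names chosen to look valuable and, in plain byte order, to sit at the
# start ("0_") and end ("zz_") of a listing, on the assumption that encryption
# walks the directory in order and so reaches a decoy early.
DECOY_NAMES = ("0_budget_2019.xlsx", "passwords_backup.txt", "zz_archive.docx")
DECOY_CONTENT = b"decoy file - nothing of value here\n"


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def plant_decoys(folder):
    """Create the decoy files and return {name: sha256} as the baseline."""
    baseline = {}
    for name in DECOY_NAMES:
        path = os.path.join(folder, name)
        with open(path, "wb") as f:
            f.write(DECOY_CONTENT)
        baseline[name] = sha256_of(path)
    return baseline


def check_decoys(folder, baseline):
    """Return [(name, reason)] for every decoy that no longer matches the baseline."""
    alerts = []
    for name, digest in baseline.items():
        path = os.path.join(folder, name)
        if not os.path.exists(path):
            alerts.append((name, "missing"))    # deleted, or renamed with a new suffix
        elif sha256_of(path) != digest:
            alerts.append((name, "modified"))   # overwritten, e.g. with ciphertext
    return alerts


def simulate_ransomware(folder, name):
    """Constructed stand-in for encryption: scramble content and append a suffix."""
    path = os.path.join(folder, name)
    with open(path, "rb") as f:
        data = f.read()
    with open(path + ".locked", "wb") as f:    # suffix is an assumption for the demo
        f.write(bytes(b ^ 0x5A for b in data))
    os.remove(path)


def demo():
    """Plant decoys, confirm a clean check, tamper with two, and return (before, after)."""
    with tempfile.TemporaryDirectory() as folder:
        baseline = plant_decoys(folder)
        before = check_decoys(folder, baseline)
        simulate_ransomware(folder, "passwords_backup.txt")
        with open(os.path.join(folder, "zz_archive.docx"), "ab") as f:
            f.write(b"x")                       # in-place modification
        after = check_decoys(folder, baseline)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean check:", before)
    print("after tampering:", after)
```

Polling hashes, as here, only detects; an endpoint product hooks file operations so the process that touches a decoy can be suspended before it encrypts real data, and it must also exclude the decoys from backup and indexing jobs so legitimate software does not trip the alarm.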