Anatomy of a Cybersecurity Attack

Anatomy of a Cybersecurity Attack: A real-life account of what happens before, during and after

Contrary to popular belief, the real cost of a cybersecurity attack isn’t downtime. Any standard recovery plan will resume business operations in no time.

Instead, the real cost is what happens after recovery.

It’s your (and your customers’) insurance company breathing down your neck. It’s being liable for the data breach. It’s not knowing if private information is now on the dark web. It’s having to let every single client know that you dropped the ball.

That lost trust and broken reputation is the real cost. And it can take years to recover.

So, how can businesses avoid this mess? Preparation. To be truly prepared, it helps to know how the enemy operates.

We’re taking you through, play-by-play, what happened to an IT department in our industry. You’ll see exactly how hackers successfully launched a cyberattack and how the IT department responded.

*Note: We’ve been given express permission to share this account. All identifiable details, such as names, have been changed to protect privacy.

We’ll go through what the IT team did right, what vulnerabilities they missed and what every business should do to improve IT security.

Day 1 – Thursday, June 4 – Something is Wrong

3 p.m.

A call came into the help desk. A customer couldn’t log in. Another call came in. A different customer’s files were missing. Three, four, five more calls. More customers who couldn’t work. And the help desk was scrambling to find what happened.

Something was wrong.

Then, heart-dropping news: ransomware was found on a server. Questions started immediately: Is it isolated? Who’s affected? How long has this been happening?

Quickly, it was determined the ransomware went system-wide — every customer was affected.

  • 80 customer businesses
  • 700 servers directly impacted
  • Numerous customers with HIPAA, GLBA and other compliances

In less than 1 hour, ransomware had overtaken the entire business. They had a full-blown cybersecurity attack.

Panic set in. There was no choice but to shut down all operations immediately.

6 p.m.

A cybersecurity firm was contacted and engaged immediately in evidence preservation — necessary for insurance and liability.

This quick response is the goal. But many businesses can’t say with confidence their IT partner would do the same. Emergencies like this underscore why businesses can’t settle for poor relationships.

What is evidence preservation? In digital forensics, it’s identifying and collecting important information needed to understand the crime. This information is reported to insurance companies and other regulatory agencies.
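The collection step described above only holds up with insurers and regulators if it can be shown that nothing changed after the artifacts were gathered. The following is an added example (not the firm's or the author's code) of the simplest form of that control: a manifest that records who collected each artifact, when, and its SHA-256 hash, plus a verification routine that flags anything missing, altered or added later. The file names and contents are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Added example: a minimal evidence manifest for an incident-response collection.
# Paths and file contents below are constructed for illustration.

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large disk images or logs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_root, collector: str) -> dict:
    """Record who collected what, when, and the hash and size of every artifact."""
    root = Path(evidence_root)
    artifacts = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        artifacts[path.relative_to(root).as_posix()] = {
            "sha256": sha256_file(path),
            "size": path.stat().st_size,
        }
    return {
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": artifacts,
    }

def verify_manifest(evidence_root, manifest: dict) -> list:
    """Return (path, problem) pairs for anything that no longer matches the manifest."""
    root = Path(evidence_root)
    problems = []
    for rel, meta in manifest["artifacts"].items():
        path = root / rel
        if not path.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(path) != meta["sha256"]:
            problems.append((rel, "hash mismatch"))
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel in sorted(present - set(manifest["artifacts"])):
        problems.append((rel, "not in manifest"))
    return problems

def run_demo():
    """Seal a constructed evidence set, then simulate a post-collection change."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "srv01").mkdir()
        (root / "srv01" / "auth.log").write_text("constructed log line 1\nconstructed log line 2\n")
        (root / "srv01" / "tasks.xml").write_text("<tasks><!-- constructed --></tasks>\n")
        manifest = build_manifest(root, collector="ir-analyst-1")
        clean = verify_manifest(root, manifest)  # nothing changed yet, so this is empty
        # Simulate a later edit to a collected log and a stray file dropped into the set.
        (root / "srv01" / "auth.log").write_text("constructed log line 1\n")
        (root / "srv01" / "extra.bin").write_bytes(b"\x00\x01")
        tampered = verify_manifest(root, manifest)
        return manifest, clean, tampered

if __name__ == "__main__":
    manifest, clean, tampered = run_demo()
    print(json.dumps(manifest, indent=2))
    print("verification before changes:", clean)
    print("verification after changes:", tampered)
```

In practice the manifest itself is signed or stored on write-once media so that the record cannot be edited along with the evidence; the hash list is the part that gets handed to the insurer or regulator.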

The impacted business began an attempt to recover all back-ups to avoid more data loss.

Final Status:

  • Ransomware is not contained
  • Patient 0 is not identified

Day 2 – Friday, June 5 – Initial Progress is Made

The impacted business pursued an aggressive recovery of its cloud environment. Thankfully, back-ups were regular and consistent.

How frequently should back-ups happen? Local backups should happen every hour. Offsite (cloud-based) backups should be nightly.

But there was a problem. How could anyone be sure the recovered back-ups didn’t also have ransomware? It’s a risk the business had to take.

Let’s think about this.

This cybersecurity attack actually posed three different challenges:

  • Recovering lost data
  • Preserving evidence
  • Ensuring recovered backups didn’t also have ransomware
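The third challenge, checking that a restored backup is not itself carrying the infection, can be reduced to a few cheap checks before a server is put back into service. Below is an added example (not the firm's or the author's code) that walks a restored tree and flags three common signs of ransomware activity: ransom-note file names, files whose extension was changed, and plaintext formats whose contents look like random bytes. The note names, extension list, threshold and sample files are constructed for the illustration.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# Added example. Indicators, thresholds and file names are constructed for this
# illustration, not taken from the incident described in the article.
SUSPICIOUS_NOTE_NAMES = {"how_to_decrypt.txt", "readme_restore_files.txt"}
EXPECTED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".csv"}
PLAINTEXT_EXTENSIONS = {".txt", ".csv"}   # formats that should never look like random bytes
ENTROPY_THRESHOLD = 7.5                   # bits per byte; encrypted data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def scan_restored_tree(root) -> list:
    """Return (relative_path, reason) for every file that should block the restore."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        ext = path.suffix.lower()
        if name in SUSPICIOUS_NOTE_NAMES:
            findings.append((rel, "ransom-note filename"))
        elif ext not in EXPECTED_EXTENSIONS:
            findings.append((rel, "unexpected extension"))
        elif ext in PLAINTEXT_EXTENSIONS and shannon_entropy(path.read_bytes()) > ENTROPY_THRESHOLD:
            # Office and PDF files are compressed and legitimately high-entropy,
            # so the entropy test is only meaningful for plaintext formats.
            findings.append((rel, "high entropy in plaintext format"))
    return findings

def build_sample_tree(root):
    """Constructed sample restore: two clean files, two encrypted-looking ones, one note."""
    root = Path(root)
    (root / "finance").mkdir()
    (root / "finance" / "q2.csv").write_text("date,amount\n2020-06-04,100\n" * 20)
    (root / "notes.txt").write_text("Meeting notes for Thursday.\n" * 10)
    (root / "finance" / "q1.csv.locked").write_bytes(bytes(range(256)) * 16)  # renamed and scrambled
    (root / "invoice.txt").write_bytes(bytes(range(256)) * 16)                # scrambled in place
    (root / "HOW_TO_DECRYPT.txt").write_text("constructed ransom note placeholder\n")

def run_demo() -> list:
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return scan_restored_tree(d)

if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{reason:35} {rel}")
```

A scan like this is a gate, not a guarantee: it catches the visible damage a ransomware run leaves behind, which is the question the business faced here, but a dormant implant with no encrypted files looks clean to it. That is why the restored systems still need endpoint protection and the indicators the forensic team produces.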

This is how cybersecurity attacks work. It starts with one problem and quickly dominoes. Another reason why quick responses are critical.

1 p.m.

Initial server recovery was almost complete. Nearly all 700 servers were restored.

Final Status:

  • Ransomware is partially contained
  • Patient 0 is not identified

Day 3 – Saturday, June 6 – Anxious Customers Want Answers

Customer patience was thinning. They wanted answers as to what happened, how it happened and if their private data was stolen.

Customers with HIPAA, GLBA and other compliance requirements were especially anxious because they needed to report the cybersecurity attack.

It was incredibly difficult to ask customers to wait. To tell them, “We don’t know.” But the impacted business couldn’t ease customer fears until all evidence was preserved.

Let’s be clear: This is the real cost of cybersecurity attacks. This painful process of limping back to customers, head held down, hoping they won’t leave — or worse, sue you.

Downtime can be dealt with. What happens afterward can take years and potentially millions of dollars to fix.

Final Status:

  • Ransomware is partially contained
  • Patient 0 is not identified

Day 4 – Sunday, June 7 – Finally, A Breakthrough

On the afternoon of June 7, an active ransomware infection was found. It was located on a desktop plugin.

What was normally a harmless desktop tool turned into the hackers’ Trojan Horse.

The FBI was brought in. It appeared this cybersecurity attack wasn’t run-of-the-mill. Dark web experts were needed to record the ransomware’s behavior and perform a fingerprint analysis.

What is a fingerprint analysis?

Every business has its own fingerprint, i.e. how its IT environment runs. Hackers observe this fingerprint to stage an attack. Fingerprint analyses are done by experts to understand how the attackers manipulated the business’ fingerprint.

Final Status:

  • Ransomware is partially contained
  • Patient 0 is not identified

Day 5 – Monday, June 8 – Insurance Companies Want A Piece

On day 5, the business’ insurance company became heavily involved. It’s important to note that until this point, the business had no access to the insurance company’s resources.

Incredibly, the hired cybersecurity firm contained most of the ransomware despite the threat group’s extensive anti-forensic strategies.

What are examples of anti-forensic strategies?

  • Using ambiguous language in code so that readers can’t understand it
  • Faking IP addresses to trick people and systems into allowing access
  • Converting code into an unreadable mess to hide malicious activity

Final Status:

  • Ransomware is significantly contained
  • Patient 0 is not identified

Days 6-11 – Tuesday, June 9 – Sunday, June 14 – The Threat Group Is Named

Finally, the business had a name for the threat group that attacked them: Gold Dupont. The group is reported to have ties to Saudi Arabia.

Who is Gold Dupont?

They are a cybercriminal group that targets organizations for financial gain. Their calling card is Defray777 malware.

The IT security team also discovered a services account was compromised by Gold Dupont.

Final Status:

  • Ransomware is significantly contained
  • Patient 0 is not identified

Days 12-27 – Monday, June 15 – Tuesday, June 30 – Ransomware is Fully Contained

On June 15, the cybersecurity firm finally contained all traces of ransomware. Now, Patient 0 is the top priority.

Final Status:

  • Ransomware is fully contained
  • Patient 0 is not identified

Days 28-42 – Wednesday, July 1 – Wednesday, July 15 – Patient 0 is Identified

Nearly a month later, on July 7, Patient 0 was identified and the pieces began to make sense.

Let’s connect those pieces:

  • A hacked desktop plug-in. A forgotten IT services account. A shared cloud domain.
  • Gold Dupont hackers put ransomware on the desktop plug-in. Patient 0 clicked on it, which gave the hackers a way in.
  • The hackers saw that the business’ IT services account could be exploited. They hacked into it, which gave them access to the entire shared cloud domain. All 80 connected businesses and 700 servers were up for grabs.

Final Status:

  • Ransomware is fully contained
  • Patient 0 is identified

The Inception Point – 37 Days Before – April 29

It’s confirmed that hackers from Gold Dupont were in the business’ system and watching them for at least 37 days before launching an attack. They quietly added rules, uninstalled code and set up anti-forensic techniques in preparation.

It’s believed that this ransomware attack wasn’t random; there was insider knowledge and intent. The attack was executed especially for this business by the hackers who had plenty of time to sit, watch and learn.

Lessons Learned From This Hack

It took more than 40 days to end this mess. Even with a quick response time and a capable IT security team, the business was interrupted for more than a month.

And then they still have to manage worried customers, insurance companies and regulatory agencies. Who knows how long that will take?

But, this cybersecurity attack could have been much worse. Thankfully, this business didn’t have to pay ransom, all data was recovered and nothing leaked onto the dark web.

Not all companies are so lucky. So let’s talk about lessons learned and what businesses should take away from this cautionary case study.

What the business did right:

  • Quick response – shut everything down immediately
  • Rapid team organization especially with COVID (everyone remote)
  • Right IT experts in place
  • Kept customers and other parties in the loop
  • Regular and consistent backups
  • Tested technology continuity plan

What put the business at risk:

  • Lack of multi-factor authentication (MFA) across the company + clients
  • Used a shared cloud domain
  • Inadequate virus protection
  • Lack of host-based app control
  • Insufficient account admin control
  • Lack of detection visibility
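Two of the items above, the forgotten services account and the lack of detection visibility, are the same gap seen from different sides: nobody was watching accounts that should never be used interactively or that had gone quiet. The following is an added example (not the firm's or the author's code) of the detection logic that closes it, run over a few constructed authentication log lines: it alerts when an account logs in successfully after a long dormant period, when an account absent from the inventory baseline appears, and when a service account performs an interactive logon. The log format, host names, account names, addresses, dates and the `svc_` naming convention are all assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Added example. Log format, hostnames, account names, addresses and dates are
# constructed for illustration; they are not from the incident in the article.
SAMPLE_LOG = """\
2020-04-29T02:14:07Z auth host=fs01 user=svc_backup result=success type=service src=10.0.5.20
2020-04-29T02:17:31Z auth host=mgmt01 user=svc_legacy_sync result=success type=interactive src=10.0.9.77
2020-04-29T08:02:11Z auth host=ws14 user=jdoe result=success type=interactive src=10.0.3.14
2020-04-29T08:05:44Z auth host=mgmt01 user=svc_legacy_sync result=failure type=interactive src=10.0.9.77
"""

# Constructed baseline (e.g. exported from an identity inventory) of when each
# account was last seen before this log window. svc_legacy_sync has been silent for months.
LAST_SEEN = {
    "svc_backup": datetime(2020, 4, 28, 2, 0),
    "svc_legacy_sync": datetime(2019, 11, 3, 10, 0),
    "jdoe": datetime(2020, 4, 28, 17, 30),
}
DORMANT_DAYS = 60

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) type=(?P<type>\S+) src=(?P<src>\S+)$"
)

def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def is_service_account(user: str) -> bool:
    # Assumed naming convention; in practice use the directory's account type attribute.
    return user.startswith("svc_")

def detect(log_text: str, last_seen: dict, dormant_days: int = DORMANT_DAYS) -> list:
    """Return one alert dict per successful logon that breaks a rule."""
    alerts = []
    seen = dict(last_seen)  # copy so the caller's baseline is not mutated
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "success":
            continue  # failures are worth counting elsewhere; only successes matter here
        user, ts = rec["user"], rec["ts"]
        reasons = []
        prev = seen.get(user)
        if prev is None:
            reasons.append("account not in baseline inventory")
        elif ts - prev > timedelta(days=dormant_days):
            reasons.append(f"dormant for {(ts - prev).days} days")
        if is_service_account(user) and rec["type"] == "interactive":
            reasons.append("interactive logon by service account")
        if reasons:
            alerts.append({"ts": ts.isoformat(), "user": user, "host": rec["host"],
                           "src": rec["src"], "reasons": reasons})
        seen[user] = ts  # update the running baseline so later lines are judged correctly
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, LAST_SEEN):
        print(alert)
```

The dormancy rule is what would have surfaced a forgotten account being picked up again, and the interactive-logon rule is what host-based application and account controls enforce at the source; the detection is the fallback for when those controls are absent, as they were here.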

What every business should do right away:

  1. Revisit your tech continuity plan — has it changed since COVID and remote work?
  2. Talk with your IT team — ask about MFA, user controls, frequency of backups
  3. Get a second opinion — contact a local IT provider for an unbiased review of your recovery strategy

Final Thoughts

Having the right relationships saved this business from permanent disaster. Because they had a trusted cybersecurity partner, the response was quick. Because their IT team had a strategic continuity plan, recovery was fast and comprehensive.

Just like with any fall, it helps to have the right people around to get you back up. If your business is looking for the right type of partnership to keep you secure, give us a call.

iVenture Solutions is an award-winning managed service provider delivering superior IT solutions to clients across Florida.

As a leading-edge IT firm for small and medium-sized businesses, we provide a diverse range of services covering the entire scope of IT including maintenance, support, hosting and more.

Through rapid response time, reduction of chaos and the right people, our expert team of IT professionals will fulfill your technology needs. At iVenture, we give you more time to do what matters most.


Start changing the way you approach IT.
Harness efficiency and expertise.

iVenture’s award-winning team delivers managed services, cloud and cybersecurity to Florida’s best businesses. Whether you need end-to-end IT or a boost to your internal IT team, we’re ready.

Set up a call with iVenture now to learn more about our premium IT solutions.
