REMEDIANT IS NOW PART OF NETWRIX  READ PRESS RELEASE

Blog
Get a Demo
  • There are no suggestions because the search field is empty.
Contact Us
Get a Demo

Customer Stories

    Use Cases

     

    Watch this video to learn about Zero Standing Privilege (2:08)
    Blog
    Get a Demo
    • There are no suggestions because the search field is empty.
    Contact Us
    Get a Demo

    Customer Stories

    Use Cases

     

    Watch this video to learn about Zero Standing Privilege (2:08)
    Menu
    Contact Us
    Blog
    Get a Demo
    • There are no suggestions because the search field is empty.
    act-sample-bg33.jpg

    Containing a Ransomware Incident

    Adversaries weaponized administrator credentials
    to infect critical servers with ransomware.  

    At a Glance

    Remediant contained a rapidly spreading ransomware attack at a U.S. personnel services firm in under a day.

    2

    Hours to scan full environment

    10

    Hours to turn on Freeze mode

    4K

    Endpoints protected

    Background

    A U.S.-based personnel services firm experienced a ransomware attack in late 2019. The firm engaged an incident response services firm to contain the breach, which then brought in Remediant. 
    personnel-services-firm

    Mean time to detect and contain

    Cost and impact of
    breach

    Return on security investment

    The Problem

    The firm was experiencing a ransomware attack on its 5000 server environment. Specifically, adversaries had compromised the default administrator account on a specific Windows server. The default administrator account was then used to infect the server with ransomware and then "island hop" across the network. The adversary was successfully hopping across servers because the default administrator credential was the same across all 5000 servers. Once they were on a new server, it was infected with ransomware.


    The firm had only one dedicated Security FTE, along with the incident response services firm, engaged to address the situation. And, they had no way to take control of the compromised default administrator account and remove it or rotate the password across all 5000 servers and prevent further harm.
    “Remediant's bulk update and Offline Access features made all the difference. With those, we were able to take control of the compromised accounts and rotate their passwords all at once. This stopped the intruders dead in their tracks.”
    user-white

    "Mark" Customer
    Chief Information Security Officer (CISO)
    U.S.-based personnel services firm

    With Remediant

    When Remediant first arrived, adversaries had spread to 300 servers and were moving rapidly. Remediant took a four step approach to deploying, analyzing, triaging and addressing the incident:

    • Deploy single VM (1 hour): Remediant SecureONE requires no agents on endpoints. The management console operated as a single virtual appliance.

    • Scan for points of exposure (2 hours): A targeted scan of the potentially compromised network was conducted to surface any administrator access that were potentially compromised for "island hopping," counter IR or ransomware infection

    • Disarm (10 hours):
      • Manage Offline Access: Took control of default admin accounts on critical servers and rotated passwords
      • Freeze: Switched servers to “Freeze” mode to stop new admin accounts from being added
      • Protect: Turned on "Protect mode" to remove all standing access with the exception of critical path machine accounts that were marked "persistent" and monitored for login attempts with MFA

    This four step approach limited the intrusion to just those 300 servers out of the 5000 that had points of exposure and used the same default administrator credential. Remediant SecureONE had reduced the impact of the intrusion from a major publicly exposed data breach to a minor incident. 

    Reduced Mean Time to Respond

    Downgraded breach to minor incident

    Improved throughput with no added FTE

    What Made the Difference

    Remediant's agentless, single VM deployment and ability to take control of the compromised accounts across all the infected servers at once made all the difference. In addition, the response team was able to mitigate the breach without disruption to day to day business. 

    • Rapid install and inventory (2 hours)
    • Freeze mode to stop lateral movement (few ms per endpoint)
    • Offline Access Management - Local administrator password rotation, disable default admin
    • Lightweight AD bridging
    SecureONE

    Get a demonstration of Remediant SecureONE today!
    See first hand how to stop lateral movement & prevent ransomware attacks by removing 24x7 admin access.
    Schedule Your Demo

    More

    Customers →
    Customers

    Read

    Use Cases →
    Use Cases

    Browse

    Resources →
    Resources