
Containing a Ransomware Incident

Adversaries weaponized administrator credentials to infect critical servers with ransomware.

At a Glance

Remediant contained a rapidly spreading ransomware attack at a U.S. personnel services firm in under a day.

  • 2 hours to scan the full environment
  • 10 hours to turn on Freeze mode
  • 4K endpoints protected

Background

A U.S.-based personnel services firm experienced a ransomware attack in late 2019. The firm engaged an incident response services firm to contain the breach, which then brought in Remediant. 

Outcome areas highlighted: mean time to detect and contain; cost and impact of breach; return on security investment.

The Problem

The firm was experiencing a ransomware attack across its 5,000-server environment. Adversaries had compromised the default administrator account on one Windows server, used it to infect that server with ransomware, and then "island hopped" across the network. The hopping succeeded because the default administrator credential was identical on all 5,000 servers: any server they could reach accepted the same password, and each newly reached server was infected in turn.

The firm had only one dedicated security FTE, plus the incident response services firm, engaged to address the situation. They had no way to take control of the compromised default administrator account and remove it, or rotate its password across all 5,000 servers, to prevent further harm.
“Remediant's bulk update and Offline Access features made all the difference. With those, we were able to take control of the compromised accounts and rotate their passwords all at once. This stopped the intruders dead in their tracks.”

"Mark", Customer
Chief Information Security Officer (CISO)
U.S.-based personnel services firm

With Remediant

When Remediant first arrived, adversaries had spread to 300 servers and were moving rapidly. Remediant took a four-step approach to deploying, analyzing, triaging and addressing the incident:

  • Deploy single VM (1 hour): Remediant SecureONE requires no agents on endpoints. The management console operated as a single virtual appliance.

  • Scan for points of exposure (2 hours): A targeted scan of the potentially compromised network surfaced any administrator access that could be abused for "island hopping," counter-IR activity or ransomware infection.

  • Disarm (10 hours):

    • Manage Offline Access: Took control of default admin accounts on critical servers and rotated passwords
    • Freeze: Switched servers to “Freeze” mode to stop new admin accounts from being added
    • Protect: Turned on "Protect mode" to remove all standing access with the exception of critical path machine accounts that were marked "persistent" and monitored for login attempts with MFA
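The core of the disarm step above, and the fix for the shared-credential problem described under The Problem, is giving every server its own local administrator password in one pass so that a single harvested credential no longer works anywhere else. The following PowerShell is an added example written for this page, not Remediant SecureONE code or anything from the firm in the case study. It assumes WinRM is reachable on the targets, that the caller runs it with a trusted credential that is not the compromised one, that the targets have the LocalAccounts module (Windows Server 2016 or later), and the host names in the usage comment are constructed.

```powershell
# Added example (not Remediant's code): rotate the built-in local Administrator
# account on each listed Windows server to a unique, randomly generated password
# and optionally disable it. Secrets are returned as SecureStrings for hand-off
# to a vault; nothing is written to disk in clear.

function New-RandomPassword {
    param([int]$Length = 24)
    # Alphabet omits look-alike characters (I, l, O, 0, 1) so a value read back
    # from a vault by hand is unambiguous.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    # Reject bytes at or above this limit so the modulo step has no bias.
    $limit = 256 - (256 % $alphabet.Length)
    $chars = New-Object System.Collections.Generic.List[char]
    $buf   = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    -join $chars
}

# Runs on the target. The built-in Administrator always carries RID 500, so it is
# located by SID rather than by name, which survives renaming. The password is
# passed as a plain string because SecureStrings do not deserialize across
# remoting; the WinRM session itself is encrypted (Kerberos or HTTPS).
$rotateScript = {
    param([string]$PlainPassword, [bool]$Disable)
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    if (-not $admin) { throw "RID-500 account not found on $env:COMPUTERNAME" }
    $secure = ConvertTo-SecureString -String $PlainPassword -AsPlainText -Force
    Set-LocalUser -SID $admin.SID -Password $secure
    if ($Disable) { Disable-LocalUser -SID $admin.SID }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Account = $admin.Name; Disabled = $Disable }
}

function Invoke-LocalAdminRotation {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,   # trusted account, not the compromised one
        [switch]$DisableAccount
    )
    $disable = [bool]$DisableAccount
    foreach ($computer in $ComputerName) {
        # One fresh secret per host: the whole point is that no two servers share it.
        $newPassword = New-RandomPassword
        try {
            $result = Invoke-Command -ComputerName $computer -Credential $Credential `
                -ScriptBlock $rotateScript -ArgumentList $newPassword, $disable -ErrorAction Stop
            [pscustomobject]@{
                Computer    = $result.Computer
                Account     = $result.Account
                Disabled    = $result.Disabled
                Status      = 'Rotated'
                NewPassword = (ConvertTo-SecureString -String $newPassword -AsPlainText -Force)
            }
        }
        catch {
            # A host that could not be reached still holds the shared credential;
            # report it so it is isolated or handled by hand rather than silently skipped.
            [pscustomobject]@{
                Computer = $computer; Account = $null; Disabled = $false
                Status   = "Failed: $($_.Exception.Message)"; NewPassword = $null
            }
        }
    }
}

# Usage (constructed host names). Uncomment to run against real targets:
# $cred    = Get-Credential -Message 'Trusted account (not the compromised one)'
# $results = Invoke-LocalAdminRotation -ComputerName 'srv-app01','srv-db02','srv-fs03' `
#                -Credential $cred -DisableAccount
# $results | Select-Object Computer, Account, Disabled, Status | Format-Table
# $results | Where-Object Status -ne 'Rotated'   # hosts that still need attention
```

The loop is deliberately sequential per host rather than handing the whole array to Invoke-Command, because each target must receive a different password; the cost is wall-clock time, which can be recovered by running several instances over disjoint host lists. Disabling the RID-500 account after rotation matches the "disable default admin" outcome listed under What Made the Difference; keep it enabled only where a documented break-glass process still depends on it.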

This four-step approach limited the intrusion to the 300 servers already reached, out of the 5,000 that had points of exposure and shared the same default administrator credential. Remediant SecureONE reduced the impact of the intrusion from a major, publicly exposed data breach to a minor incident.

Reduced Mean Time to Respond

Downgraded breach to minor incident

Improved throughput with no added FTE

What Made the Difference

Remediant's agentless, single-VM deployment and its ability to take control of the compromised accounts across all the infected servers at once made all the difference. In addition, the response team was able to mitigate the breach without disruption to day-to-day business.

  • Rapid install and inventory (2 hours)
  • Freeze mode to stop lateral movement (a few ms per endpoint)
  • Offline Access Management: local administrator password rotation, disable default admin
  • Lightweight AD bridging

Piqued your interest? Sign up for a 30-day free trial.

See how SecureONE can defend your enterprise with zero standing privilege.
