Soteria has recently received urgent incident response requests from clients who had been hit with Ryuk, banta, and Phobos ransomware.
One of these clients had several systems already in the process of being encrypted when security professionals discovered the outbreak. After initial meetings and contracts were signed, the client immediately began installing the Lexico endpoint agent, through our Lexico EDR platform, on critical servers and workstations in their environment while restoring systems in parallel. This was a massive effort covering over 700 machines. Those with experience rebuilding networks after ransomware attacks or malware infections understand the high-stress, high-tempo environment. In these incidents, decisions have to be made in the moment, and only later are the consequences of those decisions known. Compounding the situation, it is important to ensure that the ransomware doesn't strike again in the middle of remediation efforts, forcing personnel to start over from scratch. Lexico EDR has the capability to remove reinfection from the equation, and this allowed Soteria to minimize the impact of the ransomware attack.
Within 90 minutes of initial communication between the new client and Soteria, Lexico deployment began in the environment, and within 90 minutes of deployment, Lexico's behavior-based detection algorithms had flagged the ransomware attempting to shut down Windows Defender and enumerate network file shares. Once the detection was validated by Soteria's DART (Detection, Analysis, Response, Triage) team, automatic protections were implemented that would isolate hosts on future detections of ransomware behavior, preventing them from enumerating and expanding further into the client's network. This isolation of infected hosts allowed our client's security and IT staff to focus on returning the network to full operations without having their efforts thwarted by ransomware continuously trying to do its job. There was some luck involved in preventing this attack from being as crippling or costly (paying the ransom) as it might have been: our client discovered the ransomware early and immediately sought assistance in mitigation. Our behavior-based detection rules were able to identify the Ryuk ransomware quickly, and the network isolation capabilities of the Lexico EDR tool quickly segregated the infected systems.
Ultimately our client recovered fully and was back to normal business within 24 hours.
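To make the detection-then-isolate flow described above concrete, here is an added example that is not Soteria's or Lexico's code. It scans constructed process-creation log lines for the two behaviors the write-up names, tampering with Windows Defender and enumerating network shares, scores each host, and returns the hosts that cross an isolation threshold. The log format, field names, rule weights and the threshold are all assumptions made for the example.

```python
"""
Added example (not Soteria's or Lexico's code): a minimal behaviour-based
detector over constructed process-creation events that decides which hosts
should be isolated. Log format, rules, weights and threshold are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample events (not real client data). Format assumed:
#   ts=<timestamp> host=<name> user=<user> image=<exe> cmd="<command line>"
SAMPLE_LOGS = [
    'ts=2020-03-02T10:01:11Z host=FS01 user=svc_backup image=powershell.exe cmd="Set-MpPreference -DisableRealtimeMonitoring $true"',
    'ts=2020-03-02T10:01:14Z host=FS01 user=svc_backup image=net.exe cmd="net view /all"',
    'ts=2020-03-02T10:01:15Z host=FS01 user=svc_backup image=net.exe cmd="net share"',
    'ts=2020-03-02T10:02:30Z host=WS042 user=jdoe image=net.exe cmd="net use H: \\\\FS01\\home"',
    'ts=2020-03-02T10:03:02Z host=WS042 user=jdoe image=outlook.exe cmd="outlook.exe /recycle"',
    'ts=2020-03-02T10:05:40Z host=DC01 user=admin image=sc.exe cmd="sc config WinDefend start= disabled"',
    'garbage line that does not parse',
]

LINE_RE = re.compile(
    r'^ts=(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)


def parse_line(line):
    """Return the event fields as a dict, or None if the line is not in the assumed format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_defender_tamper(ev):
    """Defender being disabled via an admin tool (high-confidence, weighted heavily)."""
    tools = {"powershell.exe", "sc.exe", "reg.exe"}
    return ev["image"].lower() in tools and re.search(
        r"disablerealtimemonitoring|windefend|disableantispyware", ev["cmd"], re.I
    ) is not None


def is_share_enum(ev):
    """Share enumeration with net.exe. Note 'net use' (ordinary drive mapping) is
    deliberately NOT matched, to keep false positives from normal users low."""
    return ev["image"].lower() == "net.exe" and re.match(
        r"net\s+(view|share)\b", ev["cmd"], re.I
    ) is not None


# (rule name, weight, predicate). Weights are assumptions for this example.
RULES = [
    ("defender_tamper", 3, is_defender_tamper),
    ("share_enum", 1, is_share_enum),
]
ISOLATE_THRESHOLD = 3  # assumed: one Defender-tamper hit is enough on its own


def evaluate(lines):
    """Score every host seen in the events.
    Returns {host: {"score": int, "hits": [(rule_name, cmd), ...]}}."""
    hosts = defaultdict(lambda: {"score": 0, "hits": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the detector
        for name, weight, pred in RULES:
            if pred(ev):
                hosts[ev["host"]]["score"] += weight
                hosts[ev["host"]]["hits"].append((name, ev["cmd"]))
    return dict(hosts)


def hosts_to_isolate(lines, threshold=ISOLATE_THRESHOLD):
    """Sorted list of hosts whose score reaches the isolation threshold."""
    return sorted(h for h, r in evaluate(lines).items() if r["score"] >= threshold)


if __name__ == "__main__":
    for host, r in evaluate(SAMPLE_LOGS).items():
        print(host, r["score"], [name for name, _ in r["hits"]])
    print("isolate:", hosts_to_isolate(SAMPLE_LOGS))
```

Running it isolates FS01 (Defender tampering plus share enumeration) and DC01 (Defender tampering alone), while WS042's ordinary drive mapping scores nothing. The threshold and weights are where the analyst validation step in the write-up belongs: a team reviews the first alerts, confirms the behaviors are malicious in that environment, and only then turns on automatic isolation, so that a low-weight signal such as share enumeration by a backup account does not quarantine production servers on its own.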
In another case, systems had already been encrypted, forcing the client to pay the ransom as they had no working backups. Once the decryption keys unlocked the systems, the Lexico endpoint agents were installed to verify, as servers and endpoints were restored, that no other malicious variants remained. Although the ransom was paid, recovery and remediation efforts with Lexico ensured reinfection was eliminated.