Ransomware Case Study: Anonymous Religious Institution

Customer: Religious Institution
Industry: Religious Institution
Size: 120+ Employees

Summary

The client suffered a ransomware attack that encrypted its entire server environment, rendering it unusable. The attackers most likely gained access through a VPN that had no Multi-Factor Authentication (MFA), using stolen credentials, and then took advantage of the unsupported operating system running on the servers to move laterally across the network. Within a short period they had encrypted everything they could reach and locked out every user.

R3 quickly responded by isolating the network to stop the ransomware from spreading further. A comprehensive forensic investigation, though complicated by the outdated infrastructure, indicated that the attackers most likely breached the system via the perimeter firewall or VPN. Fortunately, the client had robust backups through Azure Site Recovery (ASR), which enabled us to restore operations without paying the ransom. Within 48 hours, the institution was back online, and operations were resumed, avoiding prolonged disruption and costly ransom payments. 

2 Days: operations were able to resume after two days

216 Hours: total time spent investigating and remediating the incident

Key Takeaways

Azure Site Recovery was instrumental in restoring the client’s systems without needing to pay the ransom.

Outdated systems and lack of MFA created an environment ripe for exploitation.

The R3-IT team had the client back up and running in 48 hours, despite major infrastructure challenges.

Overview of the Client

The client is a large religious institution in the Washington, DC metro area, with approximately 120 full-time employees across multiple locations in DC and Maryland. Despite their wide-reaching operations, their IT infrastructure was outdated. Their servers ran a Microsoft operating system that no longer received security updates, which left them exposed to exactly this kind of attack.

Setting the Stage

The client, a religious institution with multiple locations across Washington, DC, and Maryland, had a server infrastructure long past its prime. Despite several warnings, their server environment ran on an operating system no longer supported by Microsoft. Beyond missing security patches, the servers lacked even basic defenses: Windows Defender, for example, was not active.

Additionally, their Virtual Private Network (VPN) was insecure, with no Multi-Factor Authentication (MFA) protecting remote logins. This outdated infrastructure, combined with the absence of modern security controls, made the institution a prime target for a ransomware attack.

What Happened

The ransomware attack likely began when the attackers used stolen credentials to log in through the VPN. With no MFA in place, a valid username and password were all that was needed to get inside. Once on the network, the attackers exploited the client's severely outdated operating system and quickly moved laterally from server to server.

Within hours, the entire environment was encrypted. The attackers dropped ransom notes across all servers, demanding payment in Bitcoin to decrypt the files. No one could access the system, and the religious institution faced the possibility of severe operational disruption, financial losses, and reputational damage. Both their DC and Maryland environments were hit, and without immediate action, the situation could have escalated even further. 

The Solution

R3’s priority was containment. We immediately disconnected the network to prevent further lateral movement by the ransomware. Once isolated, our team began a forensic investigation to identify the source of the breach. Due to the age and limitations of the system, scanning every endpoint and reviewing logs took considerable time, but it became clear that the breach occurred via the perimeter—likely through the firewall or VPN. 

Fortunately, the client had invested in Azure Site Recovery (ASR) technology, which provided a snapshot-based backup of every server. This allowed us to restore the environment without paying the ransom. Although a decryptor for the ransomware variant was made public, we did not need to use it, as the backups provided a clean slate. 

We gradually reintroduced users, resetting all passwords and resetting the Active Directory krbtgt account password (the step that invalidates any forged Kerberos "golden tickets") so that credentials the attackers had captured before the restore could not be reused against the recovered environment. With careful coordination, we ensured that systems came back online safely and securely.
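The credential-reset step described above, written out as an added PowerShell example. This is not R3's script and does not come from the case study; it assumes the RSAT ActiveDirectory module, Domain Admin rights, and that the domain controllers have already been restored from clean backups. The helper names New-RandomPassword and Reset-Krbtgt are hypothetical. The point a practitioner should take from it: a backup restored from before the breach still contains the same password hashes the attackers stole, so the rotation has to happen after the restore, and krbtgt must be reset twice because Active Directory keeps the previous key active until the second reset.

```powershell
# Added example (not R3's own tooling): post-restore credential hygiene in an
# Active Directory domain after a ransomware incident. Run from a DC or an
# admin workstation with RSAT installed. Assumes Domain Admin rights.
Import-Module ActiveDirectory

# Hypothetical helper: a random reset value from a CSPRNG. The modulo bias is
# irrelevant here because every value is temporary and forced to change at logon.
function New-RandomPassword([int]$Length = 24) {
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%'
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# 1. Every enabled user account: set a fresh random password now (this kills
#    any session built on a stolen password) and force a change at next logon.
#    Service accounts and krbtgt are handled separately.
Get-ADUser -Filter 'Enabled -eq $true' -Properties SamAccountName |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        $tmp = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity $_ -Reset -NewPassword $tmp
        Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
    }

# 2. krbtgt reset. AD honors both the current and the previous krbtgt key, so
#    after the FIRST reset a golden ticket forged with the old key is still
#    valid; only the SECOND reset retires it. Wait for replication to converge
#    and for at least one maximum TGT lifetime (default 10 hours) between the
#    two resets, otherwise legitimate users' tickets stop validating.
function Reset-Krbtgt {
    $pw = ConvertTo-SecureString (New-RandomPassword 32) -AsPlainText -Force
    Set-ADAccountPassword -Identity 'krbtgt' -Reset -NewPassword $pw
    repadmin /syncall /AdeP | Out-Null    # push the change to every DC now
}
Reset-Krbtgt
# ... after replication has converged and the ticket lifetime has elapsed:
# Reset-Krbtgt

# 3. Verify: krbtgt's PasswordLastSet should be recent on every DC. A DC still
#    showing the old timestamp has not replicated and still accepts the old key.
Get-ADDomainController -Filter * | ForEach-Object {
    $k = Get-ADUser -Identity 'krbtgt' -Server $_.HostName -Properties PasswordLastSet
    '{0}: krbtgt PasswordLastSet = {1}' -f $_.HostName, $k.PasswordLastSet
}
```

Two caveats apply in practice. Step 1 will also disrupt any service or application account that authenticates with a password, so those should be inventoried and rotated deliberately rather than in the bulk loop. And none of this helps if the restored domain controllers themselves came from a snapshot taken after the attackers were already inside; the forensic timeline has to establish a clean restore point before the resets are worth anything.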

R3SULTS

Within 48 hours, the client’s operations were restored without any ransom payment. R3’s onsite team worked tirelessly over multiple days, dedicating 216 hours to ensure the environment was clean, stable, and secure. The client’s investment in backup technology was the primary reason they avoided paying the ransom, underscoring the importance of proactive planning. 

While the client successfully resumed operations, the attack served as a wake-up call. They have since committed to a full infrastructure overhaul, upgrading to supported operating systems and requiring MFA on their VPN. The experience was a stark reminder of the importance of maintaining modern, secure IT environments and applying software updates promptly.
