The rise in ransomware attacks has been well reported, but such attacks can cause serious damage to every part of a company’s business: customers, operations, brand value, and even the board of directors. DXC Technology-sponsored content on the Harvard Business Review website (HBR.org) shares five lessons DXC learned from a real-life ransomware attack.
As part of my role at DXC Technology, I oversee DXC’s security business and frequently respond to cyberattacks that our customers face. However, on Saturday, July 4, 2020, we ourselves were targeted in a ransomware attack, just as we were getting out of the car for a family vacation.
Our attack involved Xchanging, a UK-based subsidiary of DXC. Xchanging provides technology-enabled business services to the commercial insurance industry. The attacker sent the following message, along with an image of a popular cartoon character making an offensive hand gesture, which is commonly used in such attacks. “We have your data. We have encrypted your files. If negotiations are necessary, we can discuss them in a secure tool or chat session.”
Even though Xchanging’s network was isolated from DXC’s much larger IT environment, the attack hit Xchanging’s customers when the London insurance company’s offices opened for business on Monday. We were concerned that it would affect us.
Ransomware attacks can cause a lot of damage due to downtime, so a quick response is essential. According to Emsisoft, ransomware attacks can cause an average of 16 days of critical system outages, and total global ransomware losses in 2020 could reach $170 billion.
In Xchanging’s case, the hackers had first broken in just two days earlier. No data was stolen and no ransom was paid, because only a few systems were compromised and we were able to quickly isolate and contain the threat. We immediately coordinated with our customers and law enforcement agencies, and by Sunday, July 5, the affected environment had been cleaned up and reinstated, so that by Monday morning Xchanging was able to process insurance transactions as normal.
Tips for staying safe
The investigation into this matter is ongoing, but we have reviewed our management procedures at every step and can say that almost everything worked as planned. Unfortunately, in many organizations the situation is different.
We analyzed what worked, what didn’t and what could be improved.
Here are five important points.
Infrastructure awareness: Focus on basic software patch hygiene and ensure that enterprise security tools that detect malicious behavior are deployed across all networks and firewalls. The attackers used a public security testing tool, so-called “grayware,” as their foothold. Although the grayware itself is not malicious, in this case it was used to exploit Microsoft Windows and create a backdoor through which new crypto-malware variants were deployed. Although we weren’t able to stop the attack, we were alerted to the anomaly and were able to quickly identify the compromised portion of the network while the attack was in progress.
Senior Management Involved from the First Response: Our global crisis response team met to assess the situation, and it was important to us that senior management was directly engaged so that key decisions were made quickly. For example, we needed to cut off remote access, so we made the decision to cut all connections to the Xchanging system. This sounds simple, but it required an immediate response by IT teams in India as well as the UK, and the involvement of team leaders from both sides allowed us to shut it down quickly and efficiently. Throughout this response, leaders including DXC CEO Mike Salvino participated in assessing the situation and making key decisions. Good governance is essential in this day and age; a lack of accountability and of clarity about who is responsible for what wastes valuable time and allows attackers to exploit that gap.
Early Engagement with Law Enforcement Authorities and Experts: Law enforcement authorities and security experts provide valuable insight into how cyberattacks are dealt with and how to enable rapid legal intervention. For example, the ransomware was configured to send Xchanging data to a US website domain, so I contacted a law enforcement official who was working that holiday weekend, and that night a court order was obtained to seize the attacker’s Internet domain.
Get as much support as possible and don’t pay the ransom: Legal authorities strongly advise against paying the ransom. In fact, the US and UK are moving towards imposing civil as well as criminal penalties for ransom demands. In our case, the attacker didn’t ask for money first, but wanted to negotiate. We knew we had blocked the attack, the attacker had not stolen our data, and we had backup data, so we were in a strong position and did not need to negotiate. If you do choose to negotiate with cybercriminals, do not negotiate alone. Find and secure an experienced ransom broker. It is recommended that this be done as part of incident response preparation, preferably before an attack occurs.
Be transparent: You don’t have to reveal all the facts, but being open in general helps; in fact, we shared the attacker’s Indicators of Compromise (IoCs) with hundreds of customers. While it is true that some information may not be releasable (for example, because of client confidentiality restrictions or at the direction of law enforcement), sharing the information that can be released helps protect others. It is also useful when seeking help from colleagues, law enforcement, and the security community. We issued a news release about the ransomware attack on Sunday, July 5, and then released another news release a few weeks later confirming the containment.
Law enforcement officials I spoke to that weekend were surprised that the attack had already been contained. Most of the calls law enforcement officials receive come from CEOs whose IT and security teams are in a frantic rush, and companies typically stop operating for three to four days before they can see what has happened.
We believe the damage from the July 4th ransomware attack could have been much greater. Rapid incident response, security management, and governance, along with our use of technical tools and industry best practices, gave us an edge.