April 8, 2024

Incident response Case Studies and lessons learnt on the ground

By venkat

Case studies help a lot in understanding how other companies respond to a crisis situation. What is the learning our organisation can take from it? Can we do a table top exercise using this as a scenario?

Our approach – Reuse as much operational knowledge gained by your peers who have already handled attacks. Most of them are kind enough to help you provided you ask. Below are a series of learnings shared by companies that have handled major incidents and which others can take as actionable items.

Data Breach Notifications – Sperm donation giant California Cryobank warns of a data breach – US – March 14, 2025

Learning: Sometime a a year-long investigation may be required to ascertain an exact data loss
Business: California Cryobank is a full-service sperm bank providing frozen donor sperm and specialized reproductive services, such as egg and embryo storage. The company is the largest sperm bank in the US and services all 50 states and more than 30 countries worldwide.
Threat actor: –
Company communications: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/6b6aacae-67b7-414e-be1a-ea17b44a7f12.html
- https://www.maine.gov/cgi-bin/agviewerad/ret?loc=2044
https://www.bleepingcomputer.com/news/security/sperm-donation-giant-california-cryobank-warns-of-a-data-breach/

Supply chain attack – Tata Technologies – India – Tuesday, January 28 2025

Learning: More to come. Focus here would be on large Intellectual Property data being exfiltrated / Possible Espionage
Business: Manufacturing supply chain – Automotive design, aerospace engineering, and R&D engineering
Threat actor: Ransomware attack
Company communications: Public Notice
https://www.bleepingcomputer.com/news/security/indian-tech-giant-tata-technologies-hit-by-ransomware-attack/

Supply chain attack – Solana Pump.fun – DogWifTool compromised to drain wallets – US – Tuesday, January 28 2025

Learning: Private GitLab repositories compromised – Treat actor controlling the software builds and injecting backdoors.
Business: BlockChain
Threat actor: To be declared
Company communications: Discord channel
https://www.bleepingcomputer.com/news/security/solana-pumpfun-tool-dogwiftool-compromised-to-drain-wallets/

Ransomware attack on New York Blood Center – US – Sunday, January 26 2025

Learning: The implementing of workarounds to help restore services and fulfill orders.
Business: Healthcare, Blood Bank
Ransomware family: To be declared
Company communications: Announcement

Patelco shuts down banking systems following ransomware attack – Ransomware – 29th June 2024

Learning: Very clear communication updates at Link

Geisinger, a prominent healthcare system in Pennsylvania – Insider Attack

Link

CDK Global hacked again while recovering – June 19th, 2024, June 20th, 2024

Learning : It is important to analyse the incident prior to restoration.
Business: Car dealership software as a service (SaaS)
Ransomware family: Blacksuit
Restore note: CDK was restoring its services, they were once again forced to shut down their systems after suffering another breach late yesterday evening.
Link1 Link2 Link3

KADOKAWA corporation – Japan – June 8 2024

Learning: The company’s and its subsidiary operations hit as they were hosted in the same data center.
Business: Media conglomerate
Ransomware family: Blacksuit
Company communications: Announcement

Panera Bread – Week long – Ransomware attack – 22nd March, 2024

Impact: Severely affected its internal IT infrastructure, including phones, point-of-sale systems, website, and mobile apps.

Impact on employees: Were unable to access their shift details and had to reach out to managers to determine their work schedules.

Link & Link

Toll Group

Sincere thanks to Diana Peh.

The logistics giant was first hit by Mailto ransomware at the end of January 2020, which took six weeks to recover from.

It then suffered a second attack in early May that used the Nefilim malware and was similarly devastating.

Below are the clear lessons kindly shared:

“In a time of crisis, it can get really confusing. Everybody wants to help, but you need to know who’s in charge, you need a leader,”

“My experience with both cyber incidents have been very different. I found it really hard for the first incident, [but] the second one [was] much better than the first.”

“In the first one in particular, there were lots of questions around who’s in charge, and what are the roles and responsibilities.”

“It’s really important upfront that you actually are clear on roles and responsibilities going in and that you’re ready, because in a time of crisis, you really want to make sure that you try to eliminate as much chaos as you possibly can.”

An incident response plan should lay out “the next 20 steps” clearly, with plenty of practice runs.

“You need to make sure that you run lots and lots of practice runs with your teams, so that everyone is clear,”.

Blue team exercises – “We’re doing this quarterly at the moment, not just with the executive crisis management teams, but with the teams on the ground, and my reflection is that this is actually a lot harder than it sounds, especially if you have teams that are spread across the globe and working across different time zones.

“My personal experience is that having run a couple of them by now, we’re still finding lots of opportunities to improve and making sure that our teams really deeply understand the drill.”

References

https://www.itnews.com.au/news/toll-group-unveils-year-long-accelerated-cyber-resilience-program-551025

https://www.itnews.com.au/news/toll-group-still-mopping-up-after-ransomware-attacks-555046

Maersk

Maersk had to reinstall its entire IT environment in 10 days to recover.

Hydro

Coming soon.

DLA Piper

https://www.itnews.com.au/news/dla-piper-paid-15000-hours-of-it-overtime-after-notpetya-attack-490495

“We spent an awful lot of time trying to test all our computers and validate them and make sure they were clean and safe to put back on the network,” James said. “After about two weeks of doing it and redoing it and redoing it, we made the decision in the end just to wipe everything and start afresh.“In hindsight I would have done that at the beginning and not wasted all that time and effort.

“We’d been hit by something very serious and I think it was not the best use of our time to spend trying to check all of that equipment and see if there was anything that was salvageable.”

General counsel Amber Matthews said one of the “saving graces” for DLA Piper was that the company did not lose any data to the attackers, and that its backups were unaffected.

Still, the company is making changes to its architecture to prevent a similarly catastrophic global failure should it be hit again in future.

“In addition to segmenting its network so it can better contain threats, the company is also looking to stand up cloud-based versions of its core systems for business continuity purposes.“

“We manage all of our infrastructure on-prem,” James said.

“But for core services we are now looking to host some of those services – at least as a lifeboat solution – in the cloud where we can failover to those very quickly if we need to.

“The assumption being this will probably happen again at some point, somehow, hopefully not on the same scale, but we can’t wait four days to recover email – we need to be able to fail that over almost instantly.”

Interesting case studies that you can practice in your organization

LLM prompt injection attack – Enterprise chatbot
Hydro
Winter Olympics – biggest attribution problem
Colonial Pipeline
Kaseya
Medibank
AIIMS Medical
ICMR – India (P3)
Tata Power – HIVE
1. https://ciso.economictimes.indiatimes.com/news/tata-power-data-leak-what-makes-hive-one-of-the-top-5-ransomware-groups-operating-today/95120970
IRELAND HSE
Singapore HSE
Ice cream discussion shutdown
Costa Rica
1. 27 institutions
2. Conti – Eastern Europe – IRELAND health services
3. IRELAND
4. Conti – Through Emotet botnet
5. Last 2 months
MGM
1. https://bluoceancyber.com/insights/hackers-shut-down-mgm-in-a-10-min-phone-call
Orange – https://therecord.media/orange-espana-outage-hacker-internet-ripe-bgp-rpki

Cybercrime

Hansa market shutdown
1. https://therecord.media/hansa-market-takedown-dutch-national-police

Ransomware families

https://www.malwarebytes.com/blog/news/2021/06/clop-stopped-ransomware-gang-loses-tesla-and-other-treasures-in-police-raid

ARTIFACTS

DRILLS CASE STUDIES
Israel case

HEALTHCARE COMPANIES

Sun Pharma – ALPHV (Ransomware)
1. https://www.youtube.com/watch?v=ChO-JFSiB0g
Dr. Reddys
Lupen
https://therecord.media/philippines-state-health-insurer-struggles-with-ransomware

Insolvency

https://therecord.media/knp-logistics-ransomware-insolvency-uk?utm_medium=email&_hsmi=275872933&_hsenc=p2ANqtz-9B4Mq5i-ZPyQUep4nBcPYSR6Davxa5K6PdhraKUDtA1GLu69uefpYFNCLnLUlOF84HVsJRVP3pKJowA_x79CC2eRktpA&utm_content=275876509&utm_source=hs_email

Hosting companies

https://www.bleepingcomputer.com/news/security/hosting-firm-says-it-lost-all-customer-data-after-ransomware-attack/

Rackspace – https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/ PLAY

2023 TOP RANSOMWARE FAMILIES

https://securitybrief.com.au/story/ncc-group-reveals-cl0p-ransomware-attack-continues-to-dominate

TO THE CORE

The DFIR Report – Real Intrusions by Real Attackers, The Truth Behind the Intrusion

About The Author

venkat

Venkat is founder of FlexibleIR. He brings 20 years of experience in building tools and products at Sun Microsystems, Intel, Novell, HP, Yahoo,Tesco and startups. He has developed test suites and frameworks for post silicon validation of the Xeon processor family (Fuzzing). He has worked deeply on UFS files system at SUN Microsystem. Was a security paranoid at Yahoo.