A global law firm was hit by ransomware.
The attack rapidly spread to a dozen servers.
The attackers were ready to infiltrate the entire network and hold the company hostage.
But this law firm was ready. They had Illumio. And by using our technology, they:
- Contained the attack to just 12 servers
- Identified the compromised systems and quarantined them in seconds
- Stopped the attack within just a few hours of the initial breach
- Ended the threat before the attackers could encrypt or steal sensitive data and harm the company and its clients
In this post, we will explain how the global law firm stopped the ransomware attack with unprecedented speed while avoiding significant damage to their IT systems, their business, and, most importantly, their clients.
From intrusion to eviction in hours: Timeline of an attack
It should have been a disaster.
The law firm had thousands of users, servers and workstations in dozens of locations around the world. It had hundreds of clients and stored a wealth of sensitive data and legal documents in its digital infrastructure.
The firm was a prime target for ransomware, and one day it happened. They were attacked.
But the attack failed. The cybercriminals were evicted in hours. Here’s how it happened, as told to Illumio by the IT executive who led the incident response for the law firm.
Because of the sensitive nature of this incident, all names and identifying specifics have been withheld.
The initial breach: Early afternoon, Monday
One of the firm’s employees received a phishing email that came from a client who had been compromised by the attackers.
“The hackers were sneaky,” the executive says. “They sent a URL to a supposed Excel file, but it wasn’t a hyperlink. So our employee copied the URL into their browser to download the file.”
But nothing happened. So she contacted the company’s IT help desk for help accessing the file, not yet aware that it was malicious.
2:00 PM: The attack begins
The help desk employee copied the URL into his browser. That triggered the weaponized file to launch its malware.
“The Excel file executed a macro that allowed the bad actors to compromise his workstation and access his account privileges,” the executive explains.
2:00 PM – 3:40 PM: The attacker goes undetected
The IT technician’s machine was online and unchecked for almost two hours, giving the criminals time to explore and assess how to best carry out their attack.
“The bad actors performed their network scans very carefully and slowly, so their movements were nearly undetectable,” he says.
Eventually, the attackers found servers they could access with the privileges they acquired from the help desk workstation. This is when they took their shot.
3:40 PM – 4:00 PM: The attackers make their move
The attackers initially encrypted the database files on an SQL server. This caused the server to crash. The law firm’s IT group immediately noticed the crash, investigated it and saw indicators of ransomware.
“Our database administrator called me at 6:00 PM and told me he thought we had been hit with ransomware,” he says.
4:00 PM – 4:50 PM: Creating the war room
The IT executive notified his CIO of what had happened. It was a call no CIO ever wants to receive. He feared the worst. They knew the clock had started ticking.
The law firm needed to orchestrate its response — fast.
“Within about 15 minutes, I opened a Zoom call and met with members of our IT and security teams,” he explains. “We dove into the logs to learn what happened and what was already compromised.”
4:50 PM – 6:15 PM: Understanding the attack
“We quickly found the logs that pointed back to our ‘patient zero’ — the IT help desk workstation which hosted the malicious URL and ransomware file,” he says.
But that wasn’t enough. They needed to know where else the attack might have spread.
“At that point, the minutes are ticking by,” the executive explains. “We quickly isolated that workstation and started looking at the environment as a whole to understand the scope of the attack.”
The response team brought in its managed security service provider (MSSP) to help track down the hackers.
Using its security information and event management (SIEM) tool, which included real-time application traffic data from Illumio, the MSSP was able to query the SIEM and determine that the attackers had reached another 11 servers, including one cloud-based server running on Microsoft Azure.
As the team worked, they could see from real-time telemetry that the scope of the attack was expanding before their eyes. Time was running out.
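To illustrate the scoping step described above (an added example, not code from Illumio, the MSSP or the law firm): given a constructed flow log, it follows connections forward in time from the already-isolated patient-zero workstation and lists the servers that need to be ring-fenced. The one-line log format, hostnames, ports and timestamps are all assumptions made for this example.

```python
from datetime import datetime

# Constructed flow records standing in for the real-time application traffic
# data the MSSP queried in the SIEM. Hostnames, ports and timestamps are
# invented for this example; the "timestamp src dst dport" format is assumed.
CONSTRUCTED_FLOWS = """\
2023-01-09T10:00:00 helpdesk-ws01 dc-01 389
2023-01-09T14:05:00 helpdesk-ws01 fileshare-01 445
2023-01-09T14:40:00 helpdesk-ws01 sql-01 1433
2023-01-09T15:10:00 helpdesk-ws01 app-01 3389
2023-01-09T15:45:00 sql-01 backup-01 445
2023-01-09T15:50:00 app-01 azure-vm-01 22
2023-01-09T16:30:00 finance-ws07 sql-01 1433
2023-01-09T17:05:00 backup-01 sql-02 1433
"""


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (time, src, dst, port) tuples sorted by time."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(flows)


def scope_blast_radius(flow_text, patient_zero, start_iso, end_iso):
    """Follow connections forward in time from patient zero.

    A destination becomes suspect only when the source was already suspect at
    the moment the flow occurred and the flow lies inside the incident window
    (first click to time of query). Inbound connections to a suspect host from
    an unaffected host do not by themselves widen the scope.
    Returns {host: (first_suspect_time, reached_via)}.
    """
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    suspect = {patient_zero: (start, None)}
    for ts, src, dst, port in parse_flows(flow_text):
        if ts < start or ts > end:
            continue  # outside the incident window
        if src in suspect and suspect[src][0] <= ts and dst not in suspect:
            suspect[dst] = (ts, f"{src}:{port}")
    return suspect


def quarantine_list(suspect, patient_zero):
    """Hosts to ring-fence, excluding the workstation that was already isolated."""
    return sorted(h for h in suspect if h != patient_zero)


if __name__ == "__main__":
    reached = scope_blast_radius(CONSTRUCTED_FLOWS, "helpdesk-ws01",
                                 "2023-01-09T14:00:00", "2023-01-09T18:15:00")
    for host in quarantine_list(reached, "helpdesk-ws01"):
        print(host, "first reached at", reached[host][0].time(), "via", reached[host][1])
```

The pre-incident LDAP flow to dc-01 and the inbound connection from finance-ws07 are deliberately left out of the result, showing why the time window and flow direction matter when scoping.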
6:20 PM: Illumio ends the attack
The law firm needed to act fast to contain the breach.
Using Illumio, the team was able to immediately put all 12 servers — including the Azure cloud instance — into a segmentation ring-fence, with no access to the network or computing resources.
Ultimately, this was the decisive action that stopped the attack cold.
“Literally, in a couple of drag-and-drop clicks, we were able to quarantine all the affected systems,” the executive says. “If we tried to do that with conventional methods, it would have taken far, far longer and given the bad actors plenty of opportunities to jump to other systems and continue to spread. With Illumio, we were able to shut them down immediately. They had no way to jump anywhere else to evade us and keep spreading. Their fun for the evening was over.”
6:20 PM – 1:00 AM: Assessing the damage
The threat had ended, but there was still work to do.
“We had to investigate the full attack to see if the bad actors stole any of our data,” the executive says. “As a law firm, if we lost data, then we would have to notify our clients. Doing so would create reputational harm that could be very damaging.”
He engaged an incident response (IR) firm to investigate the attack’s full scope.
Tuesday – Friday: Searching for evidence of exfiltrated data
The law firm’s IT group installed the IR firm’s software agent, and then used Illumio to securely send them files from the compromised machines (to ensure nothing else was accidentally reinfected). The IR team got to work.
“From there, we just had to wait,” the executive says.
At the end of the week, the IR team concluded their investigation.
“They came back and told us that no other systems had been compromised, and they confirmed that there was no exfiltration of data,” he says.
The news could not have been better. And the results were unprecedented.
“Everybody — from the incident response team to our MSSP — told us they have never seen a company respond to a ransomware attack so fast,” the executive says. “They said it’s unheard of to limit an attack to a dozen systems because it spreads so fast. But we did just that, thanks to Illumio.”
Ransomware defense made easier
The IT executive says that while Illumio was pivotal in reactively stopping the breach, the firm’s deployment of Illumio’s Zero Trust Segmentation capabilities prior to the breach also made a critical difference.
Though the company is only about 40 percent complete with its Illumio deployment, the access controls already in place greatly restricted the pathways and options the hackers had available during the attack, helping slow them down and significantly limit what they could access once inside the network.
“If we had not already begun to implement Illumio to segment our environment, this attack would have been much, much worse,” the executive says. “The bad actors would have potentially found multiple paths out of the workstation and spread much further, much faster.”
The lessons from the law firm’s successful defense against a ransomware attack are clear: have the right leadership, the right teams, and the right controls in place so you are ready to respond immediately when a breach happens.
“It’s only a matter of time before you have your own breach,” the executive says. “In this day and age, it’s essential to implement microsegmentation to limit lateral movement when hackers or malware inevitably get into your network. Illumio allowed us to do this in ways that just weren’t possible before. It made all the difference.”
Bring Illumio to your organization today and be ready to stop ransomware — before it takes your company hostage.