This post was last updated on September 17th, 2019 at 04:03 pm
Case Study Overview
When leading biotechnology companies find ransomware within their environment, they turn to Check Point Software's Incident Response Team. Check Point's Incident Response Team leveraged Infocyte HUNT to quickly detect and respond to the incident.
During their IR investigation, Check Point's IR Team identified a new malware variant, masked behind Ryuk ransomware. Their incident responders worked closely with our security analysts to successfully close attack vectors and help their customer recover.
In 2018, bad actors launched a major ransomware attack against a global US-based biotechnology firm, targeting high-value intellectual property, sensitive customer files and key financial data. The attack managed to get past the defensive security technologies deployed on the firm’s network, including next-generation firewalls with an intrusion prevention system (IPS), network appliances, monitoring tools, and a leading endpoint protection platform (EPP).
Due to the severe nature of the ransomware attack, the biotech firm called in the FBI to assist in investigating the source of the attacks. In addition, the company contracted an incident response (IR) team from Check Point Software, an Infocyte HUNT partner, to conduct a thorough compromise assessment of its network and to hunt for evidence of other attack vectors or backdoors. Infocyte security experts assisted Check Point’s efforts.
Infocyte HUNT was deployed and within 15 minutes had inspected the first 300 systems suspected to be compromised. Almost immediately, HUNT flagged 20 systems with active memory-injected TrickBot trojans, a system with a Mimikatz credential dumper, and over 70 related execution artifacts.
Using HUNT, the IR team was able to develop a timeline of the attack based on timestamps from the historical execution artifacts. This enabled them to rapidly identify “patient zero” and the entry vector for the coordinated Ryuk ransomware attack.
Infocyte HUNT was also instrumental in helping uncover new malware variants and new attack techniques being used by this Ryuk ransomware campaign, including confirming the presence of the TrickBot trojans and the Mimikatz credential dumper. In this case, the stolen credentials and TrickBot trojan can serve as the initial entry vector for a targeted attack or as a “leave-behind” after the ransom is paid, giving the attackers long-term access to the network. That hidden remote access could also be leveraged to mount a more effective follow-on attack across all critical services and data, or to demand repeat ransoms in the future.
Infocyte’s security team assisted our partner in successfully closing the attacker’s entry vector and any backdoor intended for future use.
“Infocyte was amazing and saved us a bunch of time. We immediately identified a wicked Mimikatz TrickBot trojan infection, masked behind Ryuk ransomware—and more.”
- Lead Incident Responder, Check Point Software
We continue to see a rise in ransomware attacks that leverage administrative credential theft and drop secondary payloads, like TrickBot, as hidden “leave-behinds” in order to retain access to the ransomed network following remediation. Attacks like this demonstrate a clear need to be proactive and hunt for threats throughout an IT environment.
Read our biotech case study to learn more about what Infocyte HUNT found in this environment and how it was resolved.