A leading global technologies company was the victim of ransomware in 2021. Infrastructure was impacted nationally, with all data encrypted. Business impact was extreme, with some critical infrastructure providers (who are reliant on the client) impacted; business as usual was not possible. Client infrastructure was diverse and geographically dispersed, the result of inorganic growth.
Upon engagement, Slipstream DFIR resources were on site within 24 hours with enterprise-grade detection and response capabilities deployed. Senior DFIR and executive advisors provided the client with guidance at both a technical and crisis management level.
On-site and remote data acquisition was required, including significant support to the client, who did not have the requisite skills or staff to manage the incident (a third-party IT provider was also contracted to assist with restoration activities). Incident management and project management were a large component of the initial phase. Containment activities were significant due to the presence of web shells, remote access trojans and the widespread nature of the incident, and were hampered by the absence of an asset register or any understanding of the breadth and depth of the network. Senior Incident Managers and Responders were critical during the 2–3-week containment phase, which involved regular on-site meetings, business continuity planning and execution, and emergency management and response.