
Protecting academic integrity: swift response to ransomware threat safeguards Canadian university's IT infrastructure


Issue:
A large Canadian public research university with over 10,000 students faced an imminent threat from the ransomware group Cl0p, as alerted by Canada’s cybersecurity center. The university’s IT estate was at risk of compromise, threatening the continuity of operations through both ransomware deployment and the exfiltration of sensitive data.

Action:
CRA’s Forensic Services team swiftly responded to the alert by deploying advanced security solutions, including Tanium for comprehensive asset inventory, CrowdStrike Falcon for live monitoring, and Active Directory infrastructure monitoring to review user account permissions across the IT environment. CRA’s incident response experts deployed proprietary forensic collection scripts to gather historical forensic artifacts and identify any presence of a threat actor toolkit.

Impact:
Through meticulous investigation, we found that approximately 35% of systems were unmanaged. Bringing those systems under management enhanced visibility for the incident response operations and uncovered unapproved applications, missing patches, remote control software, and critical vulnerabilities of the kind exploited by ransomware threat actors. Our forensic analysis and threat-hunting activities enabled us to proactively block external IP addresses associated with threat actor-controlled infrastructure and to remove malware persistence, effectively eradicating the threat and preventing the execution of ransomware. Our team also discovered additional successful attempts by an unknown threat actor against the client’s externally facing systems, which could have led to enterprise-wide privilege escalation and theft of sensitive data.

Outcome:
Our incident response efforts not only safeguarded the university’s IT infrastructure but also averted potential financial losses that could have amounted to millions of dollars. By leveraging our proprietary approach and methodology, we resolved the immediate threat and facilitated lasting improvements in the client’s overall security hygiene, strengthening its resilience against future cyber threats.

The team was led by Aniket Bhardwaj, Vice President, Forensic Services, with invaluable assistance from colleagues including Carlo Lakay, Frank Visser, Bharad Subramanian, David Lee, Yung Han Yoon, Ronan Roque, Jacob Feldman, Jake Nemiroff, and Leo Jones.