The Battleground:

Infrastructure of a local county including various governmental departments.

The Presumption: 

Preventing ransomware from being propagated among a network can be established by filtering which types of e-mails are received by the network. Additionally, informing employees of how to recognize phishing e-mails is critical. The ransomware will install brute force programs that can crack passwords to admin accounts to gain access to sensitive data. Often this data is sent back to its point of origin which is usually a foreign country. 

The Discovery: 

We found various external IPs that spoke with the client to verify that this communication was mirrored. Several IPs were blocked. Since our client shut down so many subnetworks when they were hit with ransomware, they were able to prevent any executable programs from running. (Being that the county was a new client, we were able to learn more about their topology and establish techniques for incidence response when a new client comes to us with ransomware. We helped to lessen the impacts of ransomware on the county by communicating and checking for external connections in the logs.) 

Our Solution: 

Increase account security by making better passwords. If possible, try to have the data decrypted that the ransomware encrypted (Luckily, the ransomware did not get to all their clients and completely lock out the county). Deep clean all systems on the network and bring them back online one by one.  

Lessons Learned: 

Keep networks separated so that they cannot be accessed easily by moving laterally within the network. The county did have their network sectioned out which helped prevent a total lockout of all systems. E-mails need to be very carefully viewed before opening in order to verify that they are not from a malicious source. Having unnecessary ports closed is vital to network security.