Cyber Response Player Sygnia Foils Attack on Client With Bold Security Move
March 18, 2024
A “blow-by-blow” account of how Sygnia, an incident response company, coped with a ransomware attack on an unidentified client was recently published by SecurityWeek.
The response team’s first recommendation was bold, and proved to be decisive: Disconnect from the internet.
The company did so, rendering the attacker unable to continue encryption or delete its trail. The attacker was identified as BlackCat, the same gang that recently paralyzed pharmacies across the US with an attack on a UnitedHealth subsidiary that processes insurance.
Sygnia put together a detailed timeline of the intrusion, which it soon identified as a supply chain attack launched through a previously compromised third-party vendor.
On day one, BlackCat achieved three successful logons to one of the victim’s servers. By day three it had connected to a server that became its base for reconnaissance and lateral movement. The victim’s security system provided timely alerts of the anomalous activity, but they weren’t treated as serious, an example of what SecurityWeek calls the standard problem of alert fatigue and possible false positives.
By the time the victim called Sygnia, more than two weeks had passed and the situation was urgent.
“Cutting the Internet connection is a severe action that was unavoidable in this specific case, but there are many cases where we have taken a more careful approach and planned our activities so that the attacker isn’t informed of our activities until we and the company we assist are fully ready,” Sygnia’s CEO Ram Elboim told SecurityWeek.
SecurityWeek writes that the courage to take drastic steps can salvage a bad situation, even very late in the day. If an attack cannot be prevented, its impact can be limited and a victim’s survival is more likely.