CyberArk responds within hours to navigate global business out of major ransomware attack

Global holding company utilizes CyberArk solutions to mitigate ransomware attack

Company profile

It was mid-summer when this global company was hit by a major ransomware attack. The criminals demanded a significant amount of money to unlock critical applications and information, placing the company’s operations and long-standing reputation under severe threat.

Industry: Multiple sectors
Annual Revenue: USD 2.0 Billion
Employees: 5,000+

Challenges

The corporation was already underway with an initiative to upgrade its legacy security measures and to reduce the amount of manual intervention required to execute key security-related processes. With dramatic increases in the frequency and sophistication of malicious attacks on public and private organizations, the objective was to build a standardized information security infrastructure across all business entities, using a common set of tools that supported process automation.

The devastating discovery of the ransomware gave the company little time to act. Immediately, the director of identity & access management contacted his existing privileged access management (PAM) vendor. It was Friday and the provider said it could start to help on Monday. The product was good but the response – at such a critical time – fell very short of what was needed.

The director recalled, “We could see the attack chain and how the criminals jumped from machine to machine. They eventually located a file that contained a highly privileged credential, which gave them domain admin rights. Once this occurred, it was game over for us.”
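The foothold described above, a file holding a domain-admin credential, is exactly what a defender can hunt for before an attacker does. The scanner below is an added example and is not code from CyberArk or from the company in the case study; its rule set, the sample file names and their contents are constructed for illustration, and a real sweep needs a far larger pattern library (and a vault, so that there is nothing left to find).

```python
"""Find stray plaintext credentials on disk before an attacker does.

Added example, not CyberArk's or the customer's code. The rules below are an
assumed starting set; SAMPLE_FILES is a constructed corpus used to exercise them.
"""
import re
from pathlib import Path
from typing import Dict, Iterator, List, NamedTuple, Optional

# Regex rules; each captures the secret in a named group so it can be redacted.
RULES = [
    ("gpp-cpassword", re.compile(r'cpassword="(?P<secret>[^"]+)"', re.I)),
    ("kv-password", re.compile(r'^\s*(?:password|passwd|pwd|pass)\s*[=:]\s*["\']?(?P<secret>[^"\'\s]+)', re.I)),
    ("connection-string", re.compile(r'(?:Password|Pwd)\s*=\s*(?P<secret>[^;\s]+)', re.I)),
]
# Context that suggests the credential is a high-value one (assumed hint list).
PRIVILEGED_HINTS = re.compile(r'administrator|domain admins?|enterprise admins?|\bda_|\bsa\b|\broot\b', re.I)


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    privileged: bool
    redacted: str   # the offending line with the secret replaced by ***


def net_use_password(line: str) -> Optional[str]:
    """Return the password token from a 'net use ... <password> /user:...' line, else None."""
    tokens = line.split()
    if len(tokens) < 3 or [t.lower() for t in tokens[:2]] != ["net", "use"]:
        return None
    if not any(t.lower().startswith("/user:") for t in tokens):
        return None
    # Whatever is left after removing the drive letter, the UNC path and the
    # switches is the password ('*' means "prompt", so it is not a secret).
    rest = [t for t in tokens[2:]
            if not (t.startswith("/") or t.startswith("\\\\")
                    or re.fullmatch(r"[A-Za-z]:", t) or t == "*")]
    return rest[0] if rest else None


def scan_text(path: str, text: str) -> Iterator[Finding]:
    """Yield one Finding per line that carries a credential; first matching rule wins."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        secret, rule = net_use_password(line), "net-use-password"
        if secret is None:
            for name, rx in RULES:
                m = rx.search(line)
                if m:
                    secret, rule = m.group("secret"), name
                    break
        if secret is None:
            continue
        privileged = bool(PRIVILEGED_HINTS.search(line) or PRIVILEGED_HINTS.search(path))
        yield Finding(path, line_no, rule, privileged, line.replace(secret, "***"))


def scan_corpus(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} mapping (used for the sample below)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root: Path) -> List[Finding]:
    """Walk a directory and scan every regular text file; binary files are skipped."""
    findings: List[Finding] = []
    for p in root.rglob("*"):
        if p.is_file():
            try:
                text = p.read_text(errors="strict")
            except (UnicodeDecodeError, OSError):
                continue
            findings.extend(scan_text(str(p.relative_to(root)), text))
    return findings


SAMPLE_FILES = {  # constructed corpus; none of these are real systems or secrets
    "scripts/mount_share.bat": "@echo off\r\nnet use Z: \\\\fs01\\finance Summ3r!2023 /user:CORP\\da_backup\r\n",
    "legacy/app.ini": "[database]\nuser=svc_app\npassword=Welcome1\n",
    "sysvol/Groups.xml": '<User name="Administrator" cpassword="AzVJmXh/J9KrU5n0czX1uA" userName="Administrator"/>\n',
    "config/db.json": '{"conn": "Server=db01;Database=hr;User Id=sa;Password=P@ssw0rd;"}\n',
    "README.md": "Set the password via the vault; never commit it.\n",
}

if __name__ == "__main__":
    for f in scan_corpus(SAMPLE_FILES):
        flag = "PRIVILEGED" if f.privileged else "low"
        print(f"{f.path}:{f.line_no} [{f.rule}] {flag}: {f.redacted}")
```

Two design points matter in practice: the scanner never echoes the secret it found (the report carries a redacted line, so the findings file does not become the next credential dump), and the privileged-context hint is what turns a long list of hits into a short list worth acting on first.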

Solutions

In your deepest, darkest hour, turn to the industry experts

On seeing the lack of response from the incumbent PAM provider, the director was asked about other potential PAM options and, based on previous experience, said to his CIO: "Let's get CyberArk!" He recalled,

“We were in our deepest, darkest hour of need and that’s when you turn to what you know and trust. For me, this was CyberArk.”
– Director of Identity & Access Management, Global Holding Company

And his confidence was well placed. The next day – following a LinkedIn message to the CyberArk CEO – he met with a swiftly convened CyberArk Remediation Team and a full-scale remediation plan was quickly launched. The following Monday, CyberArk Privilege Cloud was in place, accounts and users onboarded, and the business able to repair the damage. The director stated, “CyberArk has very seasoned people: They quickly helped us go through each step as we dealt with the attack and the subsequent reconstruction of our infrastructure. The newly deployed capabilities – derived from both technology and processes – eliminated the vulnerabilities that were originally exploited by the criminals.”

Planning for success
The company shut down its entire environment and, through the CyberArk Jump Start service, worked with the CyberArk team to deploy Privilege Cloud. At the same time, applications and data were restored from existing backup images, and the domain controllers were rebuilt from scratch on new servers.

“CyberArk support was always really solid and outstanding,” commented the director. “We were given a plan for what needed to be addressed first, made sure key credentials were in place, and lined up all the components we needed. What normally would have been a proof-of-concept was all of that, plus full implementation and execution all happening at the same time!”

The recovery plan focused on isolating privileged credentials and sessions, putting foundational access controls in place, and onboarding approximately 300 key users. All credentials were put into CyberArk and policy was set to automatically rotate them every two days. “Even if someone did write down their password, it’s only good for a couple of days before it gets reset,” noted the director. “Any window of vulnerability has been dramatically reduced.”
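A two-day rotation policy only shortens the exposure window if it actually fires for every account in scope, so a practitioner will want an independent check against the directory rather than trusting the vault's own dashboard. The audit below is an added example, not CyberArk's or the company's code; it assumes privileged accounts have been exported from Active Directory as records carrying the LDAP attributes sAMAccountName, pwdLastSet (a Windows FILETIME) and userAccountControl, and the sample records and reference time are constructed for the example.

```python
"""Check that privileged-account passwords really are rotated within policy.

Added example, not CyberArk's or the customer's code. Input records are assumed
to come from an AD export; SAMPLE_ACCOUNTS and NOW are constructed test data.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UAC_NORMAL_ACCOUNT = 0x0200          # userAccountControl: ordinary account
UAC_DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl: password never expires


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime.

    pwdLastSet == 0 means the password was never set, or was reset to
    'must change at next logon', so there is no date to return.
    """
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of the above, in integer arithmetic so large tick counts stay exact."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    micros = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def audit_rotation(accounts: List[Dict], max_age: timedelta, now: datetime) -> List[Tuple[str, str]]:
    """Return (account, reason) pairs for every account that is outside the rotation policy."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        # A never-expires flag silently exempts the account from rotation; flag it
        # even when the current password happens to be fresh.
        if acct.get("userAccountControl", 0) & UAC_DONT_EXPIRE_PASSWORD:
            findings.append((name, "flagged 'password never expires'; rotation is being bypassed"))
        last_set = filetime_to_datetime(acct["pwdLastSet"])
        if last_set is None:
            findings.append((name, "pwdLastSet is 0: never set or 'must change at next logon'"))
            continue
        age = now - last_set
        if age > max_age:
            findings.append((name, f"password is {age.days} days old, policy allows {max_age.days}"))
    return findings


POLICY_MAX_AGE = timedelta(days=2)                          # the two-day policy from the case study
NOW = datetime(2024, 7, 15, 12, 0, tzinfo=timezone.utc)     # constructed reference time

SAMPLE_ACCOUNTS = [  # constructed export; one record per condition the audit checks
    {"sAMAccountName": "svc_backup", "userAccountControl": UAC_NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=1))},
    {"sAMAccountName": "da_admin", "userAccountControl": UAC_NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=30))},
    {"sAMAccountName": "svc_sql", "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(hours=6))},
    {"sAMAccountName": "svc_legacy", "userAccountControl": UAC_NORMAL_ACCOUNT,
     "pwdLastSet": 0},
]

if __name__ == "__main__":
    for name, why in audit_rotation(SAMPLE_ACCOUNTS, POLICY_MAX_AGE, NOW):
        print(f"{name}: {why}")
```

Run against a live export, the three reasons map to three different fixes: a stale password means the vault is not managing that account, a never-expires flag means someone opted the account out of rotation, and a zero pwdLastSet usually means a manual reset that the vault does not know about.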

CyberArk now acts as the company’s primary provider of PAM and Identity Security solutions and is also integrated with other applications to establish a layered approach to its security posture. The blueprint approach utilized by the CyberArk Security Services team ensured that the infrastructure is protected by industry-proven best practices while the Privilege Cloud Jump Start helped to rapidly achieve the company’s initial goals with the new solution and set strong foundations for the Identity Security program.

Results

Learning from the past: Defending against attacks

With support from CyberArk, the business defeated the ransomware attack, halted the ransom payment demand, and protected its staff, information, and applications with a forward-looking program. “We’ve rebuilt our PAM discipline around CyberArk. The conditions and events that resulted in the ransomware attack are simply not feasible anymore,” the director reflected. “We’ve been able to propagate this rigor across the entire organization in a consistent, highly efficient manner.”

As well as helping deal with the ransomware attack, CyberArk solutions and services have accelerated the company's overall PAM strategy. The business believes the criminals had begun their intrusion several months before the ransom demand surfaced. Now the business is alerted instantly to anomalies, including user mistakes.

The company uses CyberArk Endpoint Privilege Manager to manage local privileges on endpoints, including a large number of devices spread across its expansive environment that are not always connected to the corporate network.

To further validate the value of the hardened PAM infrastructure, the company’s executive leadership team recently simulated an attack on its digital assets, without letting the security teams know it was occurring. An attack from outside of the enterprise was launched, and when that failed, a deliberately infected laptop was taken into the office building and attached to the in-house network. Almost instantly, the internal team was alerted to the suspicious activity and quickly isolated the subnet.

“We called our CIO to warn him of the attempted compromise: After letting us provide updates for a few minutes, he laughed, admitted that it was a test, and declared that we’d passed with flying colors,” the director recounted. “It doesn’t mean we won’t get hit again, but because of CyberArk, we’re now properly equipped and very aware of what’s going on. I really feel that we are in a much better place than we were prior to the ransomware attack.”

Key benefits

  • Defeated a major ransomware incident and eradicated the vulnerabilities that were exploited
  • Remediation plan and team rapidly deployed to preserve brand reputation and halt demand for ransom payment
  • Created robust PAM program to protect against future compromise – validated by prevention of a simulated internal attack
