An employee at an engineering firm became the victim of criminals, but the ransomware they downloaded never took hold because of strong defenses.
It all started when the employee downloaded a free internet program to create and edit music. A site advertised the program as a “free” or “cracked” version of a program that people usually have to pay for.
Alas, the offer was too good to be true and the download included malicious software sometimes used to spread ransomware.
The engineering firm had both Microsoft Defender for Endpoint and the Critical Insight SOC on their side. Defender intercepted the file, preventing an immediate explosion and sent an alert to the SOC. An Analyst saw it immediately and launched an investigation. The analyst found the blocked file, called “setup.exe,” examined it and identified that it was malicious, and when digging into the Defender data, discovered that Microsoft indicated the file contained the “StopCrypt” ransomware.
The SOC identified the victim and reviewed their activity and any activity related to their IP to make sure there weren’t other malicious downloads or suspicious activity. The SOC also looked at any other IDS alerts to make sure there weren’t related issues.
The Critical Insight analyst knew malicious files can be downloaded in groups, so the SOC wanted to make sure the infected device could be investigated, quarantined, and re-imaged. The SOC Team called the Systems Administrator at the Firm, told them about the investigation, the results, and gave them the recommendations.
The Systems Admin worked quickly to follow the recommendations including quarantining and rebuilding the laptop.
And that’s how an Engineering Firm avoided a ransomware attack.