Christopher – Posted February 25

The New Team of Weapons and Tactics would like to alert its members and visitors to a recent security incident that occurred on the premises of our networks.

On February 11, 2024, the Department of Information Technology at the New Team of Weapons and Tactics discovered that one of our servers had been compromised with a ransomware attack. The attack – known as LockBit – was found to be strategically embedded in an installer that one of our technicians utilized to perform regular maintenance on the server in question. The ransomware acted as a “time bomb”, not acting immediately upon being installed, and instead was found to initiate its attack about a week later. Unfortunately, this ransomware was of a more “advanced variety” – similar to the infamous WannaCry ransomware from 2017 that many businesses and organizations also suffered – and not only infected the compromised server that it started on, but was able to migrate itself to other adjacent servers over the network. This malware did not waste time once it commenced its attack, and was able to spread to infect a total of five (5) of our server systems out of the eighteen (18) server systems and machines that we had operational. Each infected system had the majority of its file contents encrypted and locked, and the individuals responsible for the attack demanded payment for the return of our property.

Although we wish we had been able to catch it earlier, one of our senior engineers was able to spot the attack due to the abnormal traffic and was able to effectively disconnect and shut down the rest of our network before any more systems had a chance to be infected. Thanks to our rigorous security and backup practices, we had backups of our data stored securely off-site, which we were able to utilize to restore our systems back to full operation.

As part of our investigation into this security incident, we performed a procedural RCA (root cause analysis) and were able to determine the source machine that was initially infected and the source installer that had the ransomware embedded in its executable, which went undetected in our initial scans due to the nature of imperfections in general file security analysis. We were able to determine with absolute certainty that no passwords or other account information, such as emails, usernames (or the like), were compromised. These pieces of information are stored in separate, disjoint segments of our network, with additional security measures, specifically for increased security and protection from incidents just like this one.

As part of our response efforts, we have restructured our network to better protect all of our servers and systems, have made changes in our internal SOPs (standard operating procedures) to better prevent and protect against these sorts of incidents, and have increased the security and monitoring efforts on our network.

We do sincerely apologize for any inconvenience or concern this incident may have caused, and appreciate everyone’s understanding and cooperation as we worked to resolve this matter.

Yours truly,
The New Team of Weapons and Tactics

Attachment: February2024_SecurityIncident.pdf