Sangfor was contacted by one of the most respected motor vehicle dealers in Jakarta and West Java, Indonesia, established in 2001 and employing over 500
On July 30th, 2020, company administrators discovered that 6 application
servers had been encrypted. The attack was confirmed to be a variant of Crysis
ransomware, based on the ransom information and the encrypted-file suffix.
Experts searched for the encrypted-file suffix using the “Everything” file search tool and
sorted the results by time to confirm that the earliest encryption started at 5:53 pm on
July 23rd, 2020.
The investigation log showed a Remote Desktop Protocol (RDP) login at 5:41:43
pm on July 23, 2020, using an administrator account, and an RDP logout record at
5:31:24 pm on July 23, 2020. The security log contained a large number of
login failure records. It can be inferred that the attacker gained access via
IP 10.100.X.XXX from an external network using a brute force attack.
- The ransomware family is Crysis, and there was no public decryption
tool available at that time.
- The attackers first logged into 10.100.x.xxx by brute force cracking
from an external network, then used it as a jumping-off point to log into
other hosts on the internal network and manually run the ransomware.
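As an added example (not part of the Sangfor write-up), the inference above can be turned into detection logic: flag a remote-interactive RDP logon that is preceded by a burst of failed logons from the same source address within a short window. The events are constructed to mirror the timeline in the text, and the source address is a placeholder standing in for the masked 10.100.X.XXX.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Each record mirrors the fields of a Windows Security event: 4625 = failed logon,
# 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
def _ev(ts, event_id, logon_type, src_ip, account):
    return {"time": ts, "event_id": event_id, "logon_type": logon_type,
            "src_ip": src_ip, "account": account}

ATTACKER = "10.100.0.1"  # constructed stand-in for the masked 10.100.X.XXX
FIRST_FAILURE = datetime(2020, 7, 23, 17, 35, 0)

# Constructed sample events: 12 failures in about four minutes, then the
# 17:41:43 administrator RDP logon from the same address; plus benign noise.
SAMPLE_EVENTS = [
    _ev(FIRST_FAILURE + timedelta(seconds=20 * i), 4625, 10, ATTACKER, "administrator")
    for i in range(12)
] + [
    _ev(datetime(2020, 7, 23, 17, 41, 43), 4624, 10, ATTACKER, "administrator"),
    _ev(datetime(2020, 7, 23, 9, 1, 50), 4625, 10, "10.20.0.5", "itadmin"),  # one typo
    _ev(datetime(2020, 7, 23, 9, 2, 10), 4624, 10, "10.20.0.5", "itadmin"),  # normal RDP
    _ev(datetime(2020, 7, 23, 12, 0, 0), 4624, 2, ATTACKER, "svc"),         # console logon
]

def detect_rdp_brute_force(events, threshold=10, window=timedelta(minutes=30)):
    """Return one alert per RDP logon (4624, type 10) that was preceded by at
    least `threshold` failed logons (4625) from the same source IP within
    `window`. Events may be supplied in any order; they are sorted by time."""
    failures = defaultdict(list)  # src_ip -> timestamps of failed logons
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = ev["time"]
        if ev["event_id"] == 4625:
            failures[ev["src_ip"]].append(ts)
        elif ev["event_id"] == 4624 and ev["logon_type"] == 10:
            recent = [t for t in failures[ev["src_ip"]] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append({"src_ip": ev["src_ip"], "account": ev["account"],
                               "logon_time": ts.isoformat(sep=" "),
                               "failures_before": len(recent)})
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_brute_force(SAMPLE_EVENTS):
        print("brute-force-then-success:", alert)
```

The same logic applies to exported event logs once the fields are mapped to these keys; tune the threshold and window to the environment's normal failure rate.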
The customer began searching for a vendor who could provide forensic investigation, ransomware removal, and enhanced protection.
Sangfor suggested a combination of Sangfor NGAF, HCI, and Endpoint Secure to harden network security and correlate their incident
Ensure those network security devices are properly deployed and installed to
protect against both internal and external threats.
- NGAF protects the network perimeter from external threats and attacks
- NGAF and SSL-VPN restrict unauthorized users from accessing the
- Endpoint Secure protects endpoints from both known and unknown
malware and viruses
- NGAF URL and application filtering ensures that only authorized URLs
and applications can be accessed by authorized employees
Ensure continuous monitoring for possible attacks and threats, with early
detection and proactive response.
- Platform X and Cyber Command provide real-time monitoring for attack
attempts, security incidents, and events.
- Cyber Command vulnerability and security assessments allow managed
security service providers (MSSP) to assess organizational assets for
vulnerabilities, threats, and risks.
- NGAF, Endpoint Secure, and Cyber Command product integration provide an active and automatic response when an attack attempt is discovered.
- Sangfor’s incident management prepares standard operation procedures and incident management plans according to different breach scenarios.
Ensure quick business recovery by using a private cloud platform, Hyper-Converged
Infrastructure (HCI).
Sangfor General Improvement Recommendations
- Use VLAN segregation to ensure that all servers are separated based
on the role and functionality of the servers
- Perform server hardening before migrating to the production
- Perform vulnerability assessments and penetration tests to identify
possible threats and hidden risks on a regular basis
- Perform server and network security product configuration reviews to
ensure that all settings and configurations are secure
- Ensure that the server, firmware, and software are updated to the latest version on a regular basis
- Ensure high availability and redundancy on servers that support
critical business operations
- Make sure business data is backed up on a regular basis
- Ensure no unnecessary ports are listening externally and exposed to