Customer Background

Sangfor was contacted by one of the most respected motor vehicle dealers in Jakarta and West Java, Indonesia, established in 2001 and employing over 500 people.


Incident Overview

On July 30th, 2020, company administrators discovered that six application servers had been encrypted. The ransomware was identified as a Crysis variant from the ransom note and the extension appended to the encrypted files.

Investigators searched for files carrying the encrypted extension with the Everything file-search tool and sorted the results by modification time, which showed that the earliest encryption started at 5:53 pm on July 23rd, 2020, a week before the compromise was noticed.


The Windows Security log showed a Remote Desktop Protocol (RDP) login with an administrator account at 5:41:43 pm on July 23, 2020 (an RDP logout record is also present at 5:31:24 pm the same day), preceded by a large number of logon-failure records. From this it was inferred that the attacker gained access by brute-forcing RDP credentials, arriving from IP 10.100.X.XXX via an external network. (10.100.X.XXX is a private RFC 1918 address, so it identifies the internal hop the attacker came through, not the attacker's public address.)
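The triage described above (count the logon failures, find the successful RDP logon that follows them, then date the earliest encrypted file) is the kind of check a responder can script against an exported Security log. The following is an added example, not code from Sangfor or from the case study. The event records and file list are constructed to mirror the pattern in the write-up; the source IP 10.100.1.50, the account names, the file paths and the `.crysis` suffix are assumptions, and the real Crysis extension varies per build. Event ID 4625 is a failed logon, 4624 a successful logon, and LogonType 10 (RemoteInteractive) is an RDP session.

```python
"""Reconstruct an RDP brute-force intrusion timeline from Windows Security events.

Added example, not part of the Sangfor case study. The events and files below
are constructed, not the customer's real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"


def ts(s):
    return datetime.strptime(s, FMT)


def constructed_events():
    """Constructed Security-log events as (time, EventID, LogonType, account, source IP):
    a burst of 4625 failures against 'administrator' from one internal address,
    some benign noise, then the successful RDP logon at the time given in the
    write-up (17:41:43 on 2020-07-23)."""
    events = []
    start = ts("2020-07-23 17:38:00")
    for i in range(40):  # 40 failures, one every 5 seconds (assumed rate)
        events.append((start + timedelta(seconds=5 * i), 4625, 10, "administrator", "10.100.1.50"))
    # Benign noise: a service account logging on over the network, one typo from a workstation.
    events.append((ts("2020-07-23 17:40:00"), 4624, 3, "svc_backup", "10.100.2.7"))
    events.append((ts("2020-07-23 17:40:30"), 4625, 2, "jdoe", "10.100.3.9"))
    events.append((ts("2020-07-23 17:41:43"), 4624, 10, "administrator", "10.100.1.50"))
    return events


SUFFIX = ".crysis"  # assumed suffix; the real extension differs per Crysis build
# Constructed (path, last-write time) pairs, e.g. exported from Everything or Get-ChildItem.
FILES = [
    ("D:\\app\\db\\orders.mdf" + SUFFIX, ts("2020-07-23 17:53:00")),
    ("D:\\app\\reports\\q2.xlsx" + SUFFIX, ts("2020-07-23 17:55:10")),
    ("D:\\app\\logs\\app.log", ts("2020-07-23 18:10:00")),  # untouched file
]


def find_brute_force(events, threshold=20, window=timedelta(minutes=10)):
    """Return successful RDP logons (4624, LogonType 10) that were preceded within
    `window` by at least `threshold` failed logons (4625) from the same source IP
    against the same account. Each hit is a dict describing the intrusion."""
    failures = defaultdict(list)  # (src, account) -> failure timestamps
    hits = []
    for when, event_id, logon_type, account, src in sorted(events):
        key = (src, account)
        if event_id == 4625:
            failures[key].append(when)
        elif event_id == 4624 and logon_type == 10:
            recent = [t for t in failures[key] if when - t <= window]
            if len(recent) >= threshold:
                hits.append({"src": src, "account": account, "failures": len(recent),
                             "first_failure": min(recent), "success": when})
    return hits


def earliest_encrypted(files, suffix):
    """Earliest file carrying the ransomware suffix; approximates when encryption began."""
    hits = [(when, path) for path, when in files if path.lower().endswith(suffix.lower())]
    if not hits:
        return None
    when, path = min(hits)
    return path, when


def build_timeline(events, files, suffix):
    """Correlate the brute-force hit with the first encrypted file to get the
    time between the attacker's logon and the start of encryption."""
    hits = find_brute_force(events)
    first = earliest_encrypted(files, suffix)
    if not hits or first is None:
        return None
    intrusion = hits[0]
    path, started = first
    return {
        "source_ip": intrusion["src"],
        "account": intrusion["account"],
        "failed_attempts": intrusion["failures"],
        "rdp_login": intrusion["success"],
        "first_encrypted_file": path,
        "encryption_started": started,
        "minutes_to_encryption": (started - intrusion["success"]).total_seconds() / 60,
    }


if __name__ == "__main__":
    for key, value in build_timeline(constructed_events(), FILES, SUFFIX).items():
        print(f"{key}: {value}")
```

The threshold and window are deliberately loose; on a real export, tune them against the noise level of the environment, and treat a LogonType 10 success from an address that also produced a failure burst as the pivot host to examine for lateral movement.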


Investigation Conclusions

  1. The ransomware family is Crysis; no public decryption tool was available at the time.
  2. The attacker first gained access by brute-forcing RDP credentials from an external network, then used the compromised host as a pivot to log into other hosts on the internal network and run the ransomware manually.


Customer Requirements

The customer began a search for a vendor who could provide forensic investigation, ransomware removal, and enhanced protection.


Sangfor Solution

Sangfor suggested a combination of Sangfor NGAF, HCI, and Endpoint Secure to harden network security and strengthen incident response capabilities.

Ensure that network security devices are properly deployed and configured to protect against both internal and external threats:

  1. NGAF protects the network perimeter from external threats and attacks
  2. NGAF and SSL-VPN restrict unauthorized users from accessing the internal network
  3. Endpoint Secure protects endpoints from both known and unknown malware and viruses
  4. NGAF URL and application filtering ensures that only authorized URLs and applications can be accessed, and only by authorized employees


Ensure continuous monitoring for possible attacks and threats, with early detection and proactive response:

  1. Platform X and Cyber Command provide real-time monitoring for attack attempts, security incidents, and events.
  2. Cyber Command vulnerability and security assessments allow managed security service providers (MSSP) to assess organizational assets for vulnerabilities, threats, and risks.
  3. NGAF, Endpoint Secure, and Cyber Command product integration provide an active and automatic response when an attack attempt is discovered.
  4. Sangfor’s incident management prepares standard operating procedures and incident management plans for different breach scenarios.

Ensure quick business recovery by using a private cloud platform, Hyper Converged Infrastructure (HCI).


Sangfor General Improvement Recommendations

  1. Use VLAN segregation to ensure that all servers are separated based on the role and functionality of the servers
  2. Perform server hardening before migrating to the production environment
  3. Perform vulnerability assessments and penetration tests to identify possible threats and hidden risks on a regular basis
  4. Perform server and network security product configuration reviews to ensure that all settings and configurations are secure
  5. Ensure that the server, firmware, and software are updated to the latest version on a regular basis
  6. Ensure high availability and redundancy on servers that support critical business operation
  7. Make sure business data is backed up on a regular basis
  8. Ensure no unnecessary ports are listening externally or exposed to the Internet
