USE CASE #4
ONE LAPTOP, 200 POINTS OF SALE, AND TOTAL PARALYSIS - HOW RANSOMWARE BROUGHT A NATIONWIDE RETAIL CHAIN TO A STANDSTILL

TYPE OF ORGANIZATION

A large Polish retail company with a headquarters and a distributed network of approximately 200 points of sale throughout the country. The operational heart of the company was a local server room built on Dell infrastructure, hosting the central ERP system that every store depended on.

SOURCES OF VULNERABILITY TO ATTACKS

  • The company used only the basic Windows Defender solution and did not have any system for central management of endpoint security.
  • Users worked on accounts with administrator privileges, and the domain administrator account was permanently logged in on all computers to facilitate IT support.
  • The network infrastructure was based on unmanaged switches, and the edge router served only as a basic firewall, without advanced traffic inspection.

INCIDENT

It all started outside the office: while one of the employees was on vacation, his child installed game-cheating software on the employee's computer, and that software was actually a carrier of malicious code.

The malware operated undetected on the network for several weeks. When the employee returned from vacation and reconnected the laptop, anomalies and loops began to appear on the network, which were not initially associated with the threat.

The end result was the complete encryption of the server room by ransomware.

WHY WAS THE ATTACK SUCCESSFUL?

  • No monitoring and SOC: no one analyzed logs and network traffic, which allowed the malware to operate freely for many weeks.
  • Excessive privileges: the domain administrator's permanent login allowed the malware to rapidly escalate privileges and infect the entire infrastructure.
  • Lack of network segmentation: the lack of VLAN segmentation meant that the infected endpoint had direct access to the critical server room.
  • Misconception about security: the organization believed its infrastructure was secure, but did not have the tools to verify this in real time.

EFFECTS OF THE INCIDENT

  • It was necessary to manually recreate the databases for each point of sale separately and to rebuild the accounting records from JPK files (the Polish standard audit files submitted to the tax authority).
  • In addition to losses due to downtime, the company had to finance the reconstruction of an entire data center in a new location and replace computers in its branches.
  • Only after the incident were professional network segmentation (VLAN), UTM firewalls, and advanced EDR/SOC incident monitoring implemented.

THE ROLE OF SOC ADQ: WHAT WOULD CHANGE?

  • Early detection: SOC analysts would detect the installation of unauthorized software and unusual network traffic generated by malware within the first few days of its operation.
  • Blocking escalation: detecting administrator account abuse would allow the infected computer to be immediately cut off from the rest of the network.
  • Saving the server room: thanks to the early response, the incident would have been limited to a single laptop, saving the company months of downtime and huge losses.
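As an added example, not code from this page or from ADQ: a small Python script that replays Windows Security logon (4624) and logoff (4634) events and flags a privileged account that keeps interactive sessions open on several hosts at once, which is exactly the "domain administrator permanently logged in everywhere" condition described above. The pipe-delimited log format, the host and account names, the analysis time and the 8-hour/2-host thresholds are constructed assumptions, not values from the incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types that leave an interactive session on the host:
# 2 = console, 10 = RemoteInteractive (RDP), 11 = cached interactive
INTERACTIVE = {"2", "10", "11"}

# Constructed sample export (not real logs): time|event_id|host|account|logon_type
SAMPLE_LOG = """\
2025-03-03T07:58:00|4624|POS-017|RETAIL\\jkowalski|2
2025-03-03T08:02:00|4624|POS-017|RETAIL\\Administrator|2
2025-03-03T08:05:00|4624|POS-042|RETAIL\\Administrator|10
2025-03-03T08:06:00|4624|HQ-LT-091|RETAIL\\Administrator|2
2025-03-03T08:10:00|4624|POS-042|RETAIL\\svc-backup|3
2025-03-03T09:00:00|4624|HQ-LT-003|RETAIL\\Administrator|2
2025-03-03T09:20:00|4634|HQ-LT-003|RETAIL\\Administrator|2
2025-03-03T16:30:00|4634|POS-017|RETAIL\\jkowalski|2
"""

# Constructed "time of analysis" used to measure session age
ANALYSIS_TIME = datetime(2025, 3, 3, 18, 0)

def open_interactive_sessions(log_text):
    """Replay 4624 (logon) / 4634 (logoff) events; return sessions still open."""
    open_since = {}
    for line in log_text.strip().splitlines():
        ts, event_id, host, account, logon_type = line.split("|")
        if logon_type not in INTERACTIVE:        # network/service logons are not sessions
            continue
        key = (account.lower(), host)
        if event_id == "4624":
            open_since.setdefault(key, datetime.fromisoformat(ts))  # keep earliest logon
        elif event_id == "4634":
            open_since.pop(key, None)
    return open_since

def flag_persistent_admin_sessions(log_text, privileged, now,
                                   min_hosts=2, min_age=timedelta(hours=8)):
    """Privileged accounts with sessions open >= min_age on >= min_hosts hosts."""
    by_account = defaultdict(dict)
    for (account, host), since in open_interactive_sessions(log_text).items():
        if account in privileged and now - since >= min_age:
            by_account[account][host] = now - since
    return {a: sorted(h) for a, h in by_account.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    hits = flag_persistent_admin_sessions(SAMPLE_LOG, {"retail\\administrator"}, ANALYSIS_TIME)
    for account, hosts in hits.items():
        print(f"ALERT: {account} has long-lived interactive sessions on {len(hosts)} hosts: {hosts}")
```

In a real deployment the same logic would be fed from forwarded Security event logs (or an EDR/SIEM query) instead of the constructed string, and the alert would trigger isolation of the affected hosts.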

KEY CONCLUSIONS:

  • Even a single laptop outside of IT control can bring down an entire server room.
  • The lack of least privilege and persistent administrator sessions are a highway for ransomware.
  • The cost of prevention and constant 24/7 monitoring is incomparably lower than the cost of rebuilding infrastructure after a successful attack.
  • In a dispersed environment (multiple branches), it is impossible to ensure security without a central monitoring system.

Check your network for leaks free of charge

We start with a free audit: we check whether your infrastructure is ready for monitoring and identify the most important threats.

Our Address

Nowe Sady 4 lok.14
94-102 Łódź

Call us

+48 786 088 383

Write to us

info@adq.com.pl
© 2026 ADQ Technologies | All rights reserved