• +48 786 088 383
  • 94-102 Lodz, Nowe Sady 4 lok.14

USE CASE #2
HOW RANSOMWARE PARALYZED A WHOLESALE COMPANY WITH AN OUTDATED ERP SYSTEM

TYPE OF ORGANIZATION

The entity affected by the incident was an SME operating in the wholesale sector. The organization based its daily operations on an ERP system installed on a virtualization server. The company did not have a dedicated cybersecurity team, and a single IT specialist was responsible for the entire infrastructure.

SOURCES OF VULNERABILITY TO ATTACKS

  • The ERP system was outdated: it still did its job, and there were concerns that an update would break the numerous dedicated add-ons whose source code was missing.
  • The antivirus software operated without central management, which made it impossible to quickly assess the security status of all workstations.
  • The network infrastructure was based on a simple SOHO-class router without network segmentation or traffic control.

INCIDENT

The attack took place over the weekend, when vigilance is at its lowest. Upon returning to work, employees found themselves completely paralyzed: the main server and all virtual machines had been encrypted by ransomware.

The infrastructure was completely immobilized, and the server had to be secured as evidence.

WHY WAS THE ATTACK SUCCESSFUL?

  • Exploiting known vulnerabilities: an outdated ERP system provided a direct attack vector, allowing criminals to take control of a critical resource.
  • The illusion of protection: antivirus software without central management gave a false sense of security. In reality, no one saw the alerts about suspicious activity that may have appeared on individual computers before the main attack.
  • No internal barriers: the lack of network segmentation on the SOHO router meant that once one element was infected with ransomware, it could spread unhindered throughout the entire virtual environment.
  • No 24/7 monitoring: criminals were able to operate freely throughout the weekend because no one was monitoring system logs and responding to anomalies in real time.

EFFECTS OF THE INCIDENT

  • The attack forced the company to undergo an immediate and costly reorganization. Although the daily backup of the ERP database to the cloud worked and allowed the data itself to be recovered, the process of bringing the company back to life was extremely difficult.
  • The lack of installation files for the old ERP system, documentation for dedicated add-ons, and the absence of disaster recovery procedures significantly prolonged the downtime.
  • To avoid a repeat occurrence, the company replaced the router with a professional business-class UTM firewall and implemented centrally managed protection for all devices (endpoints). A new server was installed and rigorous data recovery procedures were implemented.

THE ROLE OF SOC ADQ: WHAT WOULD CHANGE?

  • Faster detection: our analysts would detect the first signs of ransomware activity (e.g., attempts to scan the network or unusual connections from a SOHO router) even before files are encrypted.
  • Reduced response time: earlier detection of anomalies would make it possible to limit the effects of an attack through a faster response.
  • Professional support: IT administrators would not have to fight alone; they would receive specific instructions and support from us in the process of neutralizing the threat.
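The early signs mentioned above (a host scanning the network before anything is encrypted) can be surfaced from ordinary firewall or flow logs with a per-source sliding window. The script below is an added example for this case study, not ADQ's SOC tooling or anything from the incident itself; the log line format, the thresholds, the assumed business hours and the sample records (a Saturday-night burst from one workstation, alongside normal traffic from another) are all constructed assumptions.

```python
"""Spot network-sweep behaviour in firewall/flow logs before ransomware spreads.

Added example for this case study; not ADQ's SOC tooling. The log line
format, thresholds, business-hours window and the sample records below are
all constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: one connection attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

WINDOW = timedelta(seconds=60)  # a burst is judged over a sliding 60 s window
HOST_THRESHOLD = 8              # distinct destinations from one source -> host sweep
PORT_THRESHOLD = 6              # distinct ports on one destination -> port scan
BUSINESS_HOURS = range(7, 19)   # assumed office hours; anything else is "off-hours"


def parse(lines):
    """Turn raw log lines into time-sorted event dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "action": m["action"],   # allowed and denied probes both count as probes
        })
    events.sort(key=lambda e: e["ts"])
    return events


def off_hours(ts):
    """Weekend or outside BUSINESS_HOURS: exactly when this incident happened."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect_sweeps(events):
    """Sliding window per source: alert once per (src, kind[, dst]) when a source
    touches many hosts, or many ports on one host, within WINDOW."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst, dport), oldest first
    seen = set()
    alerts = []
    for e in events:
        q = recent[e["src"]]
        q.append((e["ts"], e["dst"], e["dport"]))
        while q and e["ts"] - q[0][0] > WINDOW:   # drop entries older than the window
            q.popleft()

        hosts = {dst for _, dst, _ in q}
        key = (e["src"], "host_sweep")
        if len(hosts) >= HOST_THRESHOLD and key not in seen:
            seen.add(key)
            alerts.append({"kind": "host_sweep", "src": e["src"], "dst": None,
                           "count": len(hosts), "ts": e["ts"], "off_hours": off_hours(e["ts"])})

        ports = {p for _, dst, p in q if dst == e["dst"]}
        key = (e["src"], "port_scan", e["dst"])
        if len(ports) >= PORT_THRESHOLD and key not in seen:
            seen.add(key)
            alerts.append({"kind": "port_scan", "src": e["src"], "dst": e["dst"],
                           "count": len(ports), "ts": e["ts"], "off_hours": off_hours(e["ts"])})
    return alerts


def build_sample_log():
    """Constructed records, not real telemetry: ordinary traffic from one
    workstation, and a Saturday 02:14 burst from another."""
    base = datetime(2024, 3, 9, 2, 14, 0)   # 9 March 2024 is a Saturday
    fmt = "{:%Y-%m-%d %H:%M:%S} src={} dst={} dport={} action=allow".format
    lines = []
    for i in range(5):                       # benign: one host, one port, spread out
        lines.append(fmt(base + timedelta(minutes=3 * i), "10.0.0.40", "10.0.0.5", 443))
    for i in range(10):                      # sweep: ten neighbours on SMB within 40 s
        lines.append(fmt(base + timedelta(seconds=4 * i), "10.0.0.23", f"10.0.0.{5 + i}", 445))
    for i, port in enumerate((22, 80, 135, 139, 445, 3389)):   # then a port walk on the ERP host
        lines.append(fmt(base + timedelta(seconds=60 + 2 * i), "10.0.0.23", "10.0.0.5", port))
    return lines


if __name__ == "__main__":
    for a in detect_sweeps(parse(build_sample_log())):
        flag = "OFF-HOURS " if a["off_hours"] else ""
        print(f"{a['ts']} {flag}{a['kind']}: {a['src']} -> {a['dst'] or '*'} ({a['count']})")
```

On the constructed sample the workstation 10.0.0.23 raises a host-sweep alert at its eighth distinct destination and a port-scan alert once it has touched six ports on the ERP host, both tagged off-hours; the normal traffic from 10.0.0.40 raises nothing. On a flat SOHO network with no segmentation these probes are all allowed, so the only place they show up is in the logs, which is why someone has to be reading them at 02:14 on a Saturday.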

KEY CONCLUSIONS

  • Having a copy of your data does not guarantee a quick return to work if you do not have procedures and system installers in place.
  • Maintaining critical tools (such as ERP) without security patches is a huge business risk.
  • Only centralized management and 24/7 monitoring allow you to truly control threats.

Check your network for leaks free of charge

We start with a free audit: we check whether your infrastructure is ready for monitoring and identify the most important threats.

Write to us

info@adq.com.pl
© 2026 ADQ Technologies | All rights reserved