pratum.com
192.124.249.57  Public Scan

Submitted URL: https://d1337p04.na1.hubspotlinks.com/Btc/5E+20185/d1337p04/VWpH597pDNn4W1gvmNf2fZmKkW3LfLlX4BBTdwN6-TN-k3lScmV1-WJV7CgPYvW35Syxz2RQpq...
Effective URL: https://pratum.com/blog/517-lessons-learned-from-ransomware-attacks?utm_medium=email&_hsmi=190245315&_hsenc=p2ANqtz...
Submission: On December 02 via api from US — Scanned from DE


PRATUM BLOG


LESSONS LEARNED FROM RANSOMWARE ATTACKS

Written by Trevor Meers | Category: Blog | Created: 08 October 2021


You could wait for a ransomware attack to teach you some hard truths about
combatting these breaches. Or you could step up your game right now with
hard-won lessons from organizations that have already been there. At the 2021
Secure Iowa Conference, two CEOs took the stage with a commitment to helping
others learn from their ransomware experiences. In this post, you’ll step inside
two organizations’ war rooms as they manage a ransomware attack—and share best
practices we all can follow to stop these attacks, or at least limit the damage.


THE ATTACKS

In June 2021, Des Moines Area Community College suffered a ransomware attack
that made national news. The school, Iowa’s largest community college, has six
campuses, 1,880 employees and more than 72,000 total students. The ransomware
attack forced the closure of in-person classes for one week and online classes
for two weeks. DMACC CEO Rob Denson joined the conference panel to discuss the
school’s experience.


Rob Denson, President, DMACC

Rob Denson was appointed the fourth President of Des Moines Area Community
College on November 1, 2003.

In addition to his DMACC position, he serves on the National Board of Gateway to
College, a drop-out recovery program; the Governor's STEM Advisory Council and
Executive Committee; the National STEM connector Innovation Task Force, and the
Food and Ag Council; and, the National Leadership Council of Opportunity Nation.
He also chairs the National STEM connector Higher Education Council and serves
on the boards of Iowa Student Loan Liquidity, the Iowa Ag. Literacy Foundation,
the Technology Association of Iowa, the Iowa Quality Center, the Agri-Business
Association of Iowa, the Iowa Direct Caregivers Association, the Iowa Rural
Development Council, the Greater Des Moines Partnership, the Iowa Innovation
Council, and the Iowa Economic Development Authority.


In the summer of 2020, hackers launched a ransomware attack against EFCO, a Des
Moines-based manufacturer that serves customers worldwide with its concrete
forming and shoring products. EFCO President, CEO and Director Scott Walter
joined the panel to tell his team’s story.


Scott Walter, President, Chief Executive Officer & Director, EFCO

Scott Walter has been with EFCO since 2008 and in his current position since
2020. He is responsible for the strategic direction of the Company and oversees
the management of manufacturing, sales, distribution, and finance. While with
EFCO he has held positions in manufacturing and information technology.


--------------------------------------------------------------------------------

Q:

HOW WERE YOU FIRST NOTIFIED ABOUT THE ATTACK?

ROB:

I was driving on vacation when I got a call that a student received a phishing
message in a computer lab and gave up their credentials, which let the bad guys
go in with Ryuk ransomware. I kept driving and got hourly updates from initial
interactions with our insurance company.

SCOTT:

Coming from IT, I was used to getting calls at night. And now being CEO (for
only two months at that time), I was used to hearing about crises coming up at
any time. This call came at 9pm. In hindsight, I think our initial reaction was
an underreaction.


--------------------------------------------------------------------------------

Q:

WHAT WAS YOUR TEAM’S FIRST STEP?

ROB:

We waited 24 hours for the insurance company to get everything in place. We hadn’t
done any practice runs, which I recommend you do. I hadn’t paid enough attention
as CEO to all the crazy acronyms and company names. It was an unbelievable
learning experience.

SCOTT:

We worked through the night to shut down the network and stop the spread. Then
we started working on identifying the extent of the attack and what recovery
would look like. We met in that war room every day for a couple of weeks.


--------------------------------------------------------------------------------

Q:

WHAT WERE YOUR INITIAL DISCOVERIES?

ROB:

We found a ransom note on a computer in one of our satellite campuses. This
group went searching for anything labeled “confidential” and found one of our
VP’s files that had nothing in it but very old personnel data. In the end, we
paid no ransom.

SCOTT:

We found out that 50% of our servers were encrypted and wasted about a day
trying to find the right vendor to help us out. Within 5 days (counting a
weekend) I set up a sandbox with our dev team with our ERP system to run the
business. We had 10 people taking calls from around the world to enter things
into the ERP within that sandbox.

We kept a close eye on everyone’s energy level and ability to make decisions.
You’re making critical decisions around the clock and looking for the critical
path to get back up and running.


--------------------------------------------------------------------------------

Q:

HOW WAS YOUR CYBER INSURANCE EXPERIENCE?

ROB:

We had great service, but our premium went from $30,000 last year to $100,000
this year. (This blog explains why cyber insurance rates are climbing for
everyone this year.) To not lose time in our next situation, we put the
consultants we used on a retainer to stand by so that we don’t have to wait for
insurance.

The business interruption consultants tagged our business loss at about $950K
for the fall term due to students giving up on registration. It will be a great
help if we can recover that money through our business interruption insurance.

SCOTT:

When you have the whole company shut down, the damages are impossible to
estimate and impossible to validate. We got minimal help there, I would say. 


--------------------------------------------------------------------------------

Q:

WHAT WERE OTHER BUSINESS IMPACTS?

ROB:

They got our Active Directory, which I’d never even heard of. We didn’t have
MFA, which would’ve sounded like an obscenity to me before this. We had
thousands of e-mail addresses to put on MFA. That took a heck of a lot of
effort.

We had to decide which systems were a priority to restore. The first thing we
did was get payroll back up and get financial aid flowing back to our students,
many of whom are low income. Then we went to registration systems.

SCOTT:

In prioritizing systems and locations, we focused on the customer. We’re always
shipping and returning equipment from customers every day. We had offline
processes to handle that for a short period. Eventually, we’ll miss a billing
cycle. Eventually, we’ll miss a payroll run. So that’s how we prioritized. We
know which district offices do the most business and prioritized those first,
knowing we’ll have to scan and clear every computer before it rejoins our
network.


--------------------------------------------------------------------------------

Q:

WHAT KIND OF MEDIA AND NOTIFICATION SITUATION DID YOU FACE?

ROB:

We contacted the FBI and had to notify the U.S. Department of Education and the
Iowa Department of Education and our board. But most important was communicating
to our own faculty, staff and students. We kept sending out e-mails and put up a
daily note on our site, mainly reassuring people that very few names had been
disclosed. The media was beating down the door, and the lawyers told us to just
refer them to statements on our website.

SCOTT:

We have a low profile in our city, and much of our operations are elsewhere, so
it didn’t make the news. A blogger did pick up on our attack. They didn’t name
us, but they gave us some new information because it was a new piece of malware
we were facing, and they’d seen it on the dark web.

Law enforcement was first on my mind, but I was surprised to learn that our
consultants said not to call the FBI. We notified customers, shareholders,
employees—anyone who had information that may have been compromised. We didn’t
know what servers the hackers had been on yet.


--------------------------------------------------------------------------------

Q:

WHAT IS YOUR TEAM SAYING ABOUT THE BREACH NOW?

ROB:

We’re on to dealing with the Delta variant. We did go to MFA. We’re doing more
frequent password changes. Computers lock after 15 minutes of inactivity. But
overall, we’re on to the next emergency.

SCOTT:

It’s a significant event in our recent history, so it sticks in people’s minds.
I had been part of starting an info security committee in the company a couple
of years earlier, but we weren’t disciplined about holding meetings and
reporting to the board. The committee was reluctant to put in place security
things that would make people’s jobs slightly harder and cause pushback. But
now, nobody wants to go through this again.

We never knew exactly who attacked us or how they got in. That makes it hard to
tell that to the team in a way they can understand it and in a way that’s
applicable to their work and how they can do their part to protect it.


--------------------------------------------------------------------------------

Q:

WHAT DO YOU KNOW NOW THAT YOU WISH YOU’D KNOWN THEN?

ROB:

You need to immediately get your IT people and your insurance on the horn.
Identify your most likely consultants and reach out to them in advance. They can
help test your system to confirm steps you’ve taken to become a harder target. 

SCOTT:

Our experience validated that backups are gold. We had the option to not pay the
ransom, and we lost very little data in the process. But I wish I would have
known how important forensics would be. We needed a clean network to be
reconnected and to scan for malware on all the machines. And forensics are also
critical to knowing what was lost.

We also needed more focus on the prevention side of things. Minimally, we needed
to be able to recover. But now we need to focus on prevention. We found out
during our investigation that Microsoft Defender had detected this and was not
configured to notify our IT department.


--------------------------------------------------------------------------------


If this discussion gets you thinking about your own readiness for a ransomware
attack, contact Pratum today for a free consultation.
