Restoring critical operations in one weekend following a DopplePaymer ransomware attack

What We Did

The possibility for a ransomware attack exists—anywhere, anytime. What determines recovery? Readiness to respond immediately—and with the right steps. 

This was the situation facing the bank when an attack brought its operations to a halt. The bank needed to mitigate the financial impact and maintain its reputation with customers, regulators, and other stakeholders. At the recommendation of a forensics firm, the bank called West Monroe. Just four days later, we had the bank back up and running.

The Opportunity

In 2019, the bank was the victim of a DopplePaymer ransomware attack that rendered its IT systems and applications inoperable. The bank resorted to executing transactions manually. And without key systems, it was unable to fulfill critical daily, weekly, and month-end reporting obligations. 

Like many organizations, the bank relied on a lean internal team and remote outsourcing vendors for IT support. Their IT staffing model was not built to support large-scale system failure and they needed expertise to respond quickly to this event and restore the systems that support revenue generation and regulatory compliance. So, bank leaders turned to us to help manage the crisis—and restore the IT assets needed to generate revenue and comply with regulations.

An Undeniably Different Approach

Our team was ready for the call. We sprung to action with an approach:

• Rapid deployment: We didn’t just send one or two IT professionals. We deployed a team of security and infrastructure consultants specifically skilled in recovering systems from ransomware attacks. Even more, we deployed them to all branch locations to perform hands-on remediation efforts.  
• Proven tools: We brought proprietary tools and methods—such as ABE, our rapid endpoint re-imaging solution—that accelerated restoration of workstations. 
• Flexibility: We quickly assessed the bank’s operations, systems, and situation and then quickly developed a decryption methodology tailored to its unique needs. 
• Coordination: We served as the hub for orchestrating various third parties including breach counsel, forensics firms, and outsourced application management teams to make sure recovery happened as quickly as possible.
• Prioritization: We worked with bank leaders to prioritize functions based on compliance and operational needs and then planned activities to restore systems accordingly.
• Crisis management: We led communication and status reporting across all parties – in particular, making sure that bank management had a current and clear pulse on the situation and understood the timeline for resolution which was critical for regulatory body reporting obligations.

The Output

In just four days, our team:

• Collected forensic evidence
• Cleaned the Active Directory environment, evicted the hacking group, and restored secure authentication and authorization 
• Decrypted 30 servers in 2 locations and validated that hardened configurations were back in place before reintroducing servers and workstations into the environment
• Rebuilt over 70 workstations across 6 different locations

Returns You Can Measure

Just six days after the attack and four days after engaging West Monroe, the bank was back to conducting business. This speed of recovery enabled the bank to continue meeting its regulatory reporting requirements—avoiding potential regulatory fines and mitigating financial and reputational risks.