Restoring a mortgage company’s IT systems after a cyberattack – in under 7 days

What We Did

Shortly before the Christmas holiday, cybercriminals hit a major mortgage company with a ransomware attack, completely disabling access to critical systems and data, including on-premises email servers. Acting quickly, West Monroe:

• Restored the company's key business operations
• Rebuilt the entire IT infrastructure and recovered 30 terabytes of critical data
• Updated and strengthened systems against future attacks   

The Challenge  

Attackers rendered the company’s entire on-premise environment unavailable, disrupting all operations not running on cloud-based services. But West Monroe’s investigation into the attack revealed a deeper issue: the attackers had infiltrated the network via an unsecured server and obtained credentials for an administrator account. 

The attackers sent encrypted files and a ransom note requesting bitcoin payment in exchange for releasing the files, which could have cost the company up to $90,000.  

Though the amount was trivial compared to cost of rebuilding the entire network, the lack of a centralized tracking system meant the company could not determine exactly what and how much information had been lost. Nor could the company determine the attackers’ activity prior to the attack. This meant it couldn’t guarantee the future safety of its current IT system.  

Ultimately, the company decided not to pay the ransom and instead tasked West Monroe with rebuilding the entire IT environment. 

An Undeniable Approach 

We quickly assembled a multidisciplinary team of cybersecurity, infrastructure, desktop application management, cloud services, advanced analytics, and business continuity experts. 

During a two week period over the holidays, our team worked with leadership to lock down and stabilize the network and restore basic operations to get the company up and running. 

Less than three days after the ransom note, West Monroe had identified the source of the attack, isolated the systems, and started planning the recovery process, which involved: 

• Creating a clean network and identifying infected machines 
• Restoring basic infrastructure services  
• Recovering deleted backup data 
• Recovering 765 potentially affected workstations  

Next, we worked with company leadership to determine which data to scrub, documents to recover, and servers and workstations to restore first.  

Rebuilding involved standardizing the system on Windows 10 and Microsoft Office 365 with enhanced security configurations, and automating software deployment. Over 12 hours, the team built two automation platforms; once they were ready, we backed up user data, re-imaged and re-deployed nearly 450 high-priority workstations at two large corporate offices and restored the company’s critical business operations. 

Returns You Can Measure 

Our quick recovery efforts saved the company millions of dollars’ in potential losses.  

In just under one week, the West Monroe team delivered the equivalent of 25 weeks’ effort to restore critical services and limit the fallout. In that same timeframe, we deployed 80% of the company’s765 workstations across the country. 

Not only did we restore systems and infrastructure already in place, but we put the company ahead. When rebuilding system, we installed the newest technology and implemented upgrades that lowered future IT costs.  Having a single, standardized system also strengthened the company against future attacks.