CETSAT’s monitoring and alerting systems raised a flag on a potential ransomware attack at a large
hotel in the South West of England. Our team of engineers quickly confirmed that an attack was in
progress and that the customer’s data was being maliciously encrypted.
Drawing on our experience of responding to cyber-attacks, our engineers settled on a strategy:
isolate and remove the infected workstation that was encrypting data across the network, confirm
that the encryption process had stopped (so that restored files would not simply be encrypted
again), and only then restore from backup and rebuild the infected machine.
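As an added illustration (this is not CETSAT’s proprietary monitor, whose internals the case study does not describe), the Python below sketches the two checks the strategy above depends on: attributing a burst of encrypted writes on a file share to the workstation making them, and confirming after isolation that no further encrypted writes are arriving before a restore is started. The event format, hostnames, share paths, thresholds and sample data are all constructed for the example.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

# Assumed event shape (not CETSAT's format): one tuple per write seen on the
# file server: (timestamp, writing workstation, path, sample of the new bytes).
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "jpg", "txt"}
ENTROPY_THRESHOLD = 7.0          # bits per byte; plain documents sit well below this
BURST_THRESHOLD = 5              # suspicious writes from one host within WINDOW
WINDOW = timedelta(minutes=2)    # attribution window
QUIET_PERIOD = timedelta(minutes=5)  # how long the share must be clean before restoring

# Constructed content stand-ins: an English note, and a byte string in which every
# value occurs equally often (entropy exactly 8.0), standing in for ciphertext.
PLAINTEXT = b"Dear guest, thank you for staying with us. Your invoice is attached." * 4
CIPHERTEXT = bytes(range(256)) * 4


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    """Final extension of a Windows or POSIX path, lower-cased ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_suspicious(path: str, sample: bytes) -> bool:
    """A write looks like ransomware output when it lands under an extension the
    business does not use AND its content is near-random. Requiring both keeps
    legitimately compressed formats (docx, jpg) from being flagged on entropy alone."""
    return extension(path) not in KNOWN_EXTENSIONS and shannon_entropy(sample) >= ENTROPY_THRESHOLD


def suspicious_writes_by_host(events, now, window=WINDOW):
    """Count suspicious writes per workstation in the window ending at `now`."""
    counts = Counter()
    for ts, host, path, sample in events:
        if now - window <= ts <= now and is_suspicious(path, sample):
            counts[host] += 1
    return counts


def hosts_to_isolate(events, now):
    """Workstations whose suspicious write rate exceeds the burst threshold."""
    counts = suspicious_writes_by_host(events, now)
    return sorted(h for h, n in counts.items() if n >= BURST_THRESHOLD)


def encryption_active(events, now, quiet=QUIET_PERIOD):
    """True if any suspicious write landed in the last `quiet` period. Repeat this
    after pulling the workstation; start the restore only once it returns False."""
    return any(is_suspicious(p, s) for ts, _h, p, s in events if now - quiet <= ts <= now)


# Constructed sample timeline (not from the incident). Two benign saves, then one
# workstation rewrites six documents as high-entropy files with a new extension.
T0 = datetime(2020, 1, 1, 10, 0, 0)
EVENTS = [
    (T0 + timedelta(seconds=5), "WS-FRONTDESK-02", r"\\FS01\Bookings\jan-arrivals.xlsx", PLAINTEXT),
    (T0 + timedelta(seconds=20), "WS-ACCOUNTS-01", r"\\FS01\Finance\invoice-1042.docx", PLAINTEXT),
]
for i in range(6):
    EVENTS.append((T0 + timedelta(seconds=30 + 3 * i), "WS-RECEPTION-03",
                   rf"\\FS01\Bookings\booking-{i}.docx.locked", CIPHERTEXT))
EVENTS.append((T0 + timedelta(seconds=70), "WS-ACCOUNTS-01", r"\\FS01\Finance\notes.txt", PLAINTEXT))

if __name__ == "__main__":
    print("isolate:", hosts_to_isolate(EVENTS, T0 + timedelta(seconds=60)))
    print("still encrypting at +90s:", encryption_active(EVENTS, T0 + timedelta(seconds=90)))
    print("still encrypting at +10min:", encryption_active(EVENTS, T0 + timedelta(minutes=10)))
```

The burst threshold and entropy cut-off are starting points, not tuned values: a monitor that watches real shares also needs an allowlist for backup and archive jobs, which legitimately write many high-entropy files under unusual extensions.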
• Monitoring and alerting: proprietary CETSAT-built file monitoring system; SonicWALL Capture
• Operating systems: Windows 7 Professional; Windows Server 2008 R2
• Anti-virus: Webroot Managed Anti-virus; SonicWALL Gateway Anti-virus
• Resources: VirusTotal
Two CETSAT senior engineers attended site within an hour of the initial infection and isolated the
infected workstation. Once the engineers had confirmed that the encryption process had stopped, a
restore from the last known-good backup was started. The infected workstation was taken to CETSAT’s
Yeovil office for investigation, where our engineers located the malware and confirmed it was a new
variant not yet covered by anti-virus definitions. CETSAT had the malware’s signature added to the
Webroot and SonicWALL definitions, protecting other CETSAT customers from infection. We rebuilt the
infected machine, returned it to site and confirmed that full service had been restored.