Learning from Ransomware Incidents: Safeguarding Your Business

Insights from Our Ransomware Experience

Ransomware attacks are becoming increasingly common and can have severe consequences for businesses, affecting customers, operations, brand reputation, and even board members. In my role at DXC Technology, I oversee our security business and regularly deal with attacks on our clients. However, on July 4, 2020, as I was about to start my family vacation, DXC Technology itself fell victim to a ransomware attack.

The attack targeted Xchanging, a DXC subsidiary based in the United Kingdom that provides technology-enabled business services to the commercial insurance industry. The attacker sent a message with an often-used image of a beloved cartoon character making an obscene hand gesture, accompanied by a ransom demand.

While Xchanging’s network was separate from DXC’s larger IT environment, we were concerned about the potential operational impacts on Xchanging customers when London insurance offices opened on Monday.

Time is crucial in a ransomware attack, as it often results in downtime. According to Emsisoft, the average attack causes critical systems to be down for 16 days, and the worldwide cost of ransomware in 2020 was estimated at $170 billion.

In the Xchanging incident, the attacker had gained initial access just two days earlier. Fortunately, only a few systems were compromised, and we were able to isolate and neutralize the threat swiftly. No data was stolen, and we did not pay the ransom. We immediately informed our customers and authorities, and by Sunday, July 5, we had cleaned and restored the affected environment, allowing Xchanging to process insurance policies on Monday.

Lessons Learned

Our criminal investigation is ongoing, and we are committed to reviewing and improving our controls and procedures. While many things went as planned, there are important lessons to be learned:

  1. Understand Your Infrastructure: Prioritize basic software patching and ensure all networks and firewalls have robust security tools in place to detect malicious behavior. In our case, we detected unusual activity during the attack, which allowed us to identify the compromised network quickly.
  2. Involve Senior Leadership: Engage senior leaders from the beginning to make critical decisions swiftly. Good governance and clear accountability are essential during such incidents.
  3. Engage Authorities and Experts: Seek the help of law enforcement and security experts early on for valuable insights and legal intervention. In our case, we took control of the attackers’ internet domains with a court order.
  4. Don’t Pay Ransoms: Authorities strongly advise against paying ransoms, and legal penalties are being enforced for ransom payments in some countries. If negotiation becomes necessary, involve experienced ransom brokers as part of your incident response preparations.
  5. Be Transparent: While you may not disclose all details, transparency is generally a good practice. Sharing indicators of compromise (IOCs) can help protect others and garner support from colleagues, authorities, and the security community.

Our rapid incident response, robust security controls, governance, technical tools, and adherence to industry practices were key factors in mitigating the attack’s impact. We know the situation could have been much worse, and our commitment to our customers remained unwavering throughout the incident.

This incident taught us valuable lessons, and it’s crucial to stay informed about the latest threats. Subscribe to DXC’s Security Threat Intelligence Report to stay updated.
