Mandiant Stories

Mandiant Saves Multi-Brand Restaurant Company Millions of Dollars by Avoiding Ransomware

Daniel Slack, Nathan Crews, Nick Schroeder, Shelly Tzoumas
Jul 25, 2021
5 min read
|   Last updated: Aug 22, 2022

Every IT security professional knows what it’s like to receive news of a major vulnerability surrounding a cyber attack. It’s never a convenient time—and then the nerve-racking questions begin. Are our systems safe, or are they vulnerable? Are we protected, or are we headed into weeks or months of disruption, distraction, and pain?

On the afternoon of July 2, 2021, Kaseya announced that a zero-day vulnerability in their VSA product, a remote-monitoring and management tool, was being exploited to deploy ransomware. Fortunately, one U.S. restaurant conglomerate and several Mandiant Managed Defense customers were already protected. That morning, Mandiant obtained intelligence that led our managed detection and response services team to begin scoping customer environments for hosts running the vulnerable Kaseya VSA software. Affected Managed Defense customers were quickly identified and advised to contain certain on-premises systems.

Vulnerable—But Safe

By late in the day that Friday, the restaurant conglomerate’s Chief Information Security Officer (CISO) was turning his attention to the upcoming three-day holiday weekend.

Hints began to emerge that a major new ransomware attack was underway.

As he monitored intel alerts, the CISO’s first thought was that his company would not be affected. The hackers were exploiting a vulnerability in a network management software application the CISO and his security team didn’t believe was deployed anywhere in his company’s infrastructure.

Then came the notifications from Managed Defense. “I got an alert from Mandiant that they had intercepted the ransomware attack on us, and directed us to quarantine a small, but significant number of our servers,” the CISO said. “It turned out that Kaseya VSA had been installed, years ago, on some servers housed in a managed third-party hosting facility.”

The company was perfectly safe, thanks to the steadfast monitoring and quick actions taken by the experts at Mandiant.

On the Mandiant Front Lines

Investigation continued throughout the holiday weekend at Mandiant. Once Managed Defense detected the initial PowerShell script designed to disable Microsoft Windows Defender, Managed Defense initiated a threat hunting campaign to identify evidence of attacker activity across the entire customer base. Managed Defense worked together with affected customers to contain the threat while coordinating closely with Mandiant Incident Response teams to quickly share intelligence of attacker activity.

Each investigation conducted by Managed Defense included threat analysts from our Advanced Practices (AP) team, which worked to ingest, model and correlate the observed activity with past intrusions, and attribute these latest attacks. By working to expand our understanding of this particular adversary, AP analysts were able to provide relevant data to develop a robust set of indicators of compromise (IOCs). These efforts to help affected Managed Defense customers also extended to all Mandiant customers, including Incident Response, Threat Intelligence, and Security Validation, and the full suite of FireEye products.

The Kaseya Aftermath

Because Mandiant Managed Defense was on the frontlines protecting the restaurant company’s infrastructure, the company’s vulnerable servers were quarantined before they could be encrypted. The CISO and his team didn’t rest right away, however. They worked with Mandiant through the night to help ensure that every niche and corner of their infrastructure was unaffected.

“We double- and tripled-checked everything to make sure we weren’t overlooking any Kaseya installations,” said the CISO. “At ten o’clock the next morning, we reconvened, and at that point I was finally able to relax.”

And if Managed Defense hadn’t been in place? “The impact would have been significant,” said the CISO. “That holiday weekend—Independence Day—is one of the top five revenue days for our business. Without Mandiant, we would have had locations shut down and the impact would have been unfathomable.”

Mandiant MDR: What ‘Good’ Looks Like

The restaurant company decided to hire Mandiant Managed Defense for managed detection and response services as part of a broader IT consolidation project. “We implemented a standardized security strategy across all of our subsidiary brands. Engaging with Mandiant was a key element of that strategy,” the CISO explained.  

Contracting with Managed Defense eliminated the risks associated with finding and managing in-house IT security resources. “In the past, I’ve worked with IT security teams that wanted to handle threat monitoring and response in-house,” the CISO explained. “I’ve also watched colleagues in the industry who favor an in-house approach. But the last thing I want to worry about during an incident is whether I have the right security resources in place, and with Mandiant Managed Defense, I don’t have to. I have experts on the job 24x7, monitoring my infrastructure and taking action immediately if there’s an issue.”

At one point after the CISO had engaged Mandiant, the company acquired another holding; this subsidiary had an existing relationship with a different IT security firm. “It was enlightening for my team to interview the other vendor,” said the CISO. “As we described what Mandiant does for us, the other vendor kept saying, ‘no, we don’t do that.’”

“In the end, we replaced them with Mandiant. It wasn’t a hard decision because my team now knows what ‘good’ looks like.”

Protection That Is Early and Routine

Protecting our customers before events hit the headlines is routine for Managed Defense. The expertise of investigators to identify and triage incidents, working hand in hand with Managed Defense consultants to eradicate threats from customer environments is demonstrated time and time again. In the past year alone we reduced attacker dwell time for our customers in significant events such as SolarWindsSonicWall, and Microsoft Exchange. We can act before most services providers because of our unique front-line visibility and threat research. This ability to quickly respond at scale, deploying cutting-edge threat hunting campaigns and detections throughout our customers' environments allows for stories like this where, without joining forces with Mandiant, significant threats would go undetected.

Register today for our next webinar, Tales from the Trenches: How Managed Defense Customers Avoid the Biggest Threats, to hear directly from our team of experts about this and other recent cyber attacks.