HarfangLab versus BlackCat ransomware

Since 2021, HarfangLab has been protecting the 6,000 endpoints of a major French fashion retail group present in some 50 towns and cities. The group was confronted with a ransomware attack during the proof-of-concept (POC) phase. The incident was fortunately brought under control, and it sealed a relationship of trust between the two parties.

*To protect the confidentiality of information relating to its cybersecurity, the group prefers to testify anonymously.

Sector: Distribution
Nationality: French
Number of employees: 14,000
Sales: €4.5 billion
Endpoints monitored: 6,000

Cyber context and threats specific to the retail sector

The Group is well aware of cyber risk and takes it very seriously: it is ranked as the company's second major risk, just after terrorist attacks.

For a retail player, the most critical risk is the stoppage of in-store checkouts, and consequent business losses. The group is also exposed to potential data leaks that could damage its reputation and the trust placed in it by customers and various stakeholders, not only in France, but also internationally.

Ransomware is therefore a major risk for the company, as are, to a lesser extent, DDoS attacks.

Objective: strengthen threat detection capability

In 2021, the Group was equipped with antivirus software on its Windows servers and PCs. It wanted to strengthen its threat detection capabilities by implementing an EDR to protect its endpoints. As the CISO explains: “We were aware that the antivirus was running out of steam and that the EDR would address new threats much more effectively. By implementing a system that combined both solutions, we aimed to ensure a higher level of security.”

After an initial qualification phase, HarfangLab’s EDR competed with a number of other vendors and was selected for the final test phase, alongside several American vendors.

“I appreciated the fact that the EDR was certified by ANSSI, but I was also reassured to find among HarfangLab’s customers companies that do not compromise with security (Thales, Safran, Nexter)”, adds the CISO.

In early November, agents were deployed on around 300 machines in detect-only mode for test purposes. The POC phase could then begin.

A Christmas present named BlackCat

In mid-December, an attack was detected on part of the machine estate. Employees working in the warehouse noticed that some PCs had booted into safe mode.

The origin of this attack, in the middle of the Christmas period, which is critical for a retailer, was a ransomware strain that is now recognized as a major cybercriminal threat but was still unknown at the time: BlackCat, also known as ALPHV.

The attacker infiltrated the information system by stealing an employee’s credentials and escalating privileges. They took control of the Active Directory and created a GPO (Group Policy Object). This GPO pushed a payload to all Windows PCs and servers, intended to encrypt each machine at startup.

Around a hundred Windows servers were affected, as well as workstations switched on very early in the morning. Fortunately, no data was stolen, and in the end “only” 400 workstations were affected, a small proportion of the total number of machines. No workstations were encrypted, as the payload failed to execute completely.
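The attack path described above relies on a domain-wide GPO to run a payload on every machine at boot, so a defender's first questions are which policies changed recently, what they run at startup, and who edited them. The following PowerShell audit is an added example and is not part of the case study, nor HarfangLab or the customer's tooling. It assumes a domain-joined administrative host with the RSAT GroupPolicy module, a seven-day review window (`$since`), and, for the second part, a domain controller with “Audit Directory Service Changes” enabled so that event 5136 is recorded; the output field names are our own choice.

```powershell
# Added example: audit Group Policy for recent changes and boot-time payload delivery.
# Assumptions: RSAT GroupPolicy module installed; run with rights to read all GPOs;
# the review window below is arbitrary and should match the investigation timeframe.
Import-Module GroupPolicy
$since = (Get-Date).AddDays(-7)

function Get-RecentGpoFindings {
    param([datetime]$Since)

    foreach ($gpo in Get-GPO -All | Where-Object { $_.ModificationTime -ge $Since }) {
        # Export the policy as XML; computer-side startup scripts and scheduled tasks are
        # the GPO mechanisms that execute something on every linked machine at boot.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $xmlText = $report.OuterXml

        [pscustomobject]@{
            Name             = $gpo.DisplayName
            Id               = $gpo.Id
            Modified         = $gpo.ModificationTime
            Status           = $gpo.GpoStatus
            # Heuristic string matches on the report XML (assumption: element names
            # used by the built-in report, e.g. 'Startup' and 'ScheduledTasks').
            HasStartupScript = [bool]($xmlText -match 'Startup')
            HasScheduledTask = [bool]($xmlText -match 'ScheduledTasks')
            # Where the policy is linked: a link at the domain root or a broad OU
            # means every computer beneath it will apply the policy.
            LinkedTo         = (($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; ')
        }
    }
}

function Get-GpoEditEvents {
    param([datetime]$Since)

    # Event 5136 is written on the DC for each attribute change on a directory object.
    # Restricting to objectClass groupPolicyContainer isolates GPO edits and names the actor.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [xml]$evt = $_.ToXml()
            $data = @{}
            foreach ($d in $evt.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['ObjectClass'] -eq 'groupPolicyContainer') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    ObjectDN  = $data['ObjectDN']
                    Attribute = $data['AttributeLDAPDisplayName']
                    Value     = $data['AttributeValue']
                }
            }
        }
}

# Recently modified policies that carry boot-time execution, broadest links first.
Get-RecentGpoFindings -Since $since |
    Where-Object { $_.HasStartupScript -or $_.HasScheduledTask } |
    Sort-Object Modified -Descending |
    Format-Table Name, Modified, Status, HasStartupScript, HasScheduledTask, LinkedTo -AutoSize

# Who changed which GPO attributes in the same window (run on, or remotely against, a DC).
Get-GpoEditEvents -Since $since | Sort-Object Time | Format-Table -AutoSize
```

The first function answers “what will run at boot and on which machines”; the second ties each change to an account and a timestamp, which is what turns a suspicious policy into an incident timeline. A GPO modified out of hours by an account that does not normally administer Group Policy, linked at the domain root and carrying a new startup script, is the pattern a responder would expect from the attack described in this case.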

A task force to counter the threat

Team responsiveness to contain the threat

The CISO called on HarfangLab to do its utmost to support its future customer during this POC phase.

A task force was set up:

  • The HarfangLab teams went to the group’s head office on Saturday to help the security teams set up the console.
  • A CSIRT was called in to search for traces of the attack.
  • HarfangLab’s CTI teams identified the threat and investigated alongside the CSIRT to recover logs and IOCs.
  • HarfangLab also assisted the customer during crisis meetings.

The result? Thanks to a joint effort by the in-house teams, the CSIRT and HarfangLab, the threat was identified and contained by the in-house teams the next day. The vast majority of machines were able to restart. At the same time, and with HarfangLab’s agreement, the in-house teams launched the deployment of agents across the entire user workstation estate, protecting almost all endpoints in less than a week.

This responsiveness shows that proximity between customer and vendor, too often overlooked, can be a real asset in certain situations. The CISO particularly appreciated this teamwork: “When you’re at war, you appreciate being supported like this by your allies. This experience enabled us to see that beyond the solution and the technical tests, we had expert, understanding and helpful teams in front of us.”

The usefulness of EDR for investigation and rapid business recovery

The EDR proved its worth in rapidly assessing the extent of the damage and establishing a diagnosis, as well as in the post-attack investigation. Within 15 days, all the information on the attack was known: the attack path, the payload dropped by the attacker, and so on. Understanding as precisely as possible what had happened, how it had happened, and what had been done to stop the threat improved the customer’s resilience.

In conclusion

Faced with a major security incident, HarfangLab set up an incident response platform in a matter of hours, while assisting the customer with initial remediation actions and directing them to a CSIRT partner. Within a short time, HarfangLab’s EDR and its partner were able to investigate the incident so that it could be contained and resolved by the in-house teams.

The performance of the solution and the resources deployed to respond to the incident enabled HarfangLab to win the customer’s trust, and establish a lasting relationship: “HarfangLab has a constantly evolving roadmap, and commitments are kept. The support provided is much appreciated by our teams: we have very good visibility of all functionalities, and therefore a guarantee that we are using the solution to 100% effect”, concludes the CISO.
