| NOTICE TIME ZONE | Brisbane UTC +10 |
|---|---|
| STATUS (Open/Closed) | Closed |
| INCIDENT CAUSED BY A 3RD PARTY? | N/A |
| IF YES, NAME OF 3RD PARTY | N/A |
| INCIDENT START DATE | 2022-03-20 |
| INCIDENT START TIME (HH:MM) | 10:55 |
| ESTIMATED TIME TO RESOLUTION | 72 Hours |
| INCIDENT END DATE | 2022-03-23 |
| INCIDENT END TIME (HH:MM) | 00:00 |
| INCIDENT TOTAL DURATION | 72 Hours |
| XCRM TICKET NUMBER | Not Applicable |
| BRAND | XCARE |
| PRIORITY | P1 |
| CLIENTS AFFECTED | A small set of Clients – 7 in total |
| DESCRIPTION OF INCIDENT | Clients unable to access their systems hosted with XSTRA |
| EVENT TIMELINE | |
| Sunday 20th March 2022 | |
| 10:55 | XSTRA noticed a client with Crypto. Checks on other systems also showed they were effected. We are unsure how this happened. Restoring from backups. |
| 13:00 | Completed changing all passwords for admin accounts handled by XSTRA |
| Monday 21st March 2022 | |
| 05:00 | Found more clients |
| 06:00 | Sharing a link to clients effected: LINK |
| Tuesday 22nd March 2022 | |
| 09:54 | UPDATE from Lyndon Vincent Notes on incident from Sunday 20th March 2022 By now, I have called and spoken directly to the owners or staff of the clients effected. If you are receiving this email then you were one of the clients impacted. Here is a brief update from the SDN found here: 20220320 – Multiple Clients Effected By Ransomware Attack – PUBLIC – 1 (x.direct) 1. On Sunday 20th, we identified 24 virtual machines across 7 clients that had signs they had been compromised 2. Naturally, we have been very busy of the past 48 hours, so updates have been short and basically restricted to updates on the following excel spreadsheet: https://xstragroupptyltd.sharepoint.com/%3Ax%3A/s/XSTRAADMINISTRATION/EWh_uZh-1wVMgjsEFAFwqtEBDLuUIEidN0t4dTwP24bR4g?e=OhZU2E 3. We knew that they had been compromised because some files were encrypted. The result of a classic ransomware attack. 4. We immediately shutdown all effected virtual machines for each client, whether the machines were effected or not. This was a best practise measure to prevent further damage to files or spread of the issue. 5. Most machines were back and operational before Monday, meaning most users were not impacted or even knew that there had been an issue. 6. We do not know and there is no way we can know, if any information has been copied off the effected machines. However, as with most ransomware attacks, those involved are not interested in the contents of files, they are really just wanting money to have all impacted files decrypted. The window of opportunity for any files to be copied was likely small, owing to the fact that we know there was no impact to users on Friday 18th. 7. We believe that one of XSTRA’s administrator account passwords had been compromised. So our passwords were changes on ALL client machines whether they were impacted or not as a precaution. 8. Any work undertaken by users from approx. Friday 9pm until Sunday 11am will not be in the restored machines. If this is an issue, we may be able to recover that data on a case by case basis. With everyone I have spoken to so far, only one client has reported the potential for missing data in the recovered systems. 9. Being Tuesday and no re-occurrence of the same or similar issues, we believe we have safely dealt with this incident. 10. RECOMMENDATION: We suggest strongly that all users change their passwords as a precaution and best practise. To do this, and while logged into your virtual desktop, hold down the “Ctrl + Alt + End” keys on your keyboard and select the option “Change a password” 11. Mitigation plans are being worked out and will involve the rollout of Multi-Factor Authentication (MFA) to all clients, whether impacted or not, as a mandatory requirement. XSTRA administrator accounts and VPN’s will most likely be eliminated in preference to an “out-bound” access protocol. More on this to come. In 18 years of providing remote virtual infrastructure this is XSTRA’s first incident of this type and we regret the occurrence and impact it may have had on some users. |
| 11:10 | A review of our core internet feed shows no increase in traffic usage over the past 4 days meaning there was no spike in data leaving our data centre which you would expect if data was being copied. |
| RECOVERY & RESOLUTION | See Above |
| ROOT CAUSE | Unknown but suspect a password was compromised |
| CORRECTIVE & PREVENTATIVE MEASURES | See Above |
Revision:
12
Last modified:
Apr 27, 2022
Post your comment on this topic.