
Microsoft Azure enabled G&J Pepsi-Cola Bottlers to avoid both data loss and a ransom payment when it was confronted with a ransomware attack that threatened the company.

Refusing to succumb to the threat, G&J Pepsi not only emerged unscathed but also steered clear of complacency. Leveraging insights gained from this experience, the company embraced a proactive approach, fortifying existing processes, intensifying backup frequency, and enforcing policies with greater rigour.

Microsoft Azure Backup played a pivotal role in G&J Pepsi’s successful response, and it is just one facet of the comprehensive suite of Microsoft Security solutions that the company has implemented. The value of this enhanced security posture is hard to overstate.

“If I could go back in time to the months leading up to our ransomware attack, I’d tell myself to strengthen our endpoint policies, fully delving into all the capabilities of Defender for Endpoint and Intune.”
“Long story short, get to the cloud. Migrate as much as you can to platform and software as a service (SaaS) offerings. G&J Pepsi has gotten a wide range of security benefits, such as platform-based backups, cloud-based identities, and multifactor authentication.”

Eric McKinney, Enterprise Infrastructure Director, G&J Pepsi-Cola Bottlers

Happily, his dedicated team skilfully restored the company’s recent backups from Microsoft Azure Backup, avoiding what might have been a much worse nightmare when a ransomware attack struck. But McKinney can’t forget the 3 AM call days after the Labor Day weekend in September 2021, when the team member on the other end of the phone told him, in what would turn out to be an understatement, “Something doesn’t look right.”

Resisting a Cobalt Strike ransomware attack

When McKinney encountered obstacles while attempting to access company virtual machines (VMs) from home, he discovered that his user profile had been encrypted. This discovery prompted a late-night sprint to the office and the start of a two-week marathon for his entire eight-person team to counteract the effects of what was later confirmed as a Cobalt Strike ransomware attack. Ironically, Cobalt Strike, originally a widely used penetration testing tool for identifying network vulnerabilities, had by 2021 become a tool exploited by ransomware groups to infiltrate corporate systems.

Its surge in popularity among malicious actors was attributed in part to its capability to emulate a legitimate, installed tool. The modus operandi involved hackers gaining entry to systems by deploying a malicious agent, or beacon, on a specific device.

Upon reaching the headquarters, McKinney observed the escalating situation as an increasing number of files on the company’s servers fell victim to encryption. The company categorically ruled out any engagement or payment to the hackers. Just ninety minutes after the discovery of the ransomware, G&J Pepsi’s security team swiftly employed Microsoft Defender for Endpoint to pinpoint and disable all compromised VMs. This action effectively isolated every device suspected of being earmarked for lateral movement by the hackers. Without hesitation, the process of rebuilding their servers commenced immediately.

Thanks to proficient operations management using Azure Backup, G&J Pepsi-Cola Bottlers found a way forward, backed by weekly backup copies of every server. The company initiated a systematic restoration process for each server, starting with the domain controllers and proceeding in order of criticality. It was during this process that the team identified the source of the issue—a virtual machine infected with the penetration testing tool. Fortunately, at that stage, the attack was limited to a single server.

In McKinney’s words, “One of the advantages we had in our fight to overcome the attack was our ability to communicate with our organization. Because our communication and collaboration systems were already migrated to Office 365 and Microsoft Teams, we were able to let the organization know with real-time situation reports and next steps on our progress. Our ability to coordinate with various departments impacted helped speed up our recovery efforts and count on them for assistance to help recover.”

In the end, G&J Pepsi-Cola Bottlers managed to prevail. “We got our environment up and running in seven hours, thanks to the data we saved with Azure Backup,” says McKinney. “And we didn’t pay a cent to the attackers.”

Thanks to Azure, more than 90 percent of the company remained oblivious to the occurrence of the attack and remained unaffected by the threat. Interestingly, some of the company’s most critical systems were older applications operating on Azure. G&J Pepsi-Cola Bottlers experienced no data loss, ensuring an uninterrupted flow of refreshing beverages.

However, upon returning to normal operations, McKinney and his team initiated a heightened cybersecurity initiative. They further refined an already advanced security posture and expanded the utilisation of Microsoft Defender for Endpoint and Microsoft Intune.

The G&J Pepsi-Cola Bottlers IT team then took time out to reconsider its cybersecurity approach. “We were very reactive,” admits McKinney. “That’s what bit us when the ransomware attack happened, because we were only seeing the highest-level security events.”

Now the team takes a proactive slant, emphasising a single consolidated view of global activity across the estate, with close attention to endpoints. “If I could go back in time to the months leading up to our ransomware attack, I’d tell myself to strengthen our endpoint policies, fully delving into all the capabilities of Defender for Endpoint and Intune,” he continues. “I don’t view our recovery as a victory so much as a call to double down on security.”

McKinney shares the following insights to provide other organisations with the advantage of his experiences and lessons:

Create unified security

As a longtime Microsoft 365 E5 user, G&J Pepsi had implemented and reaped the benefits of Microsoft 365 Defender, a top-notch XDR solution. This toolset offers security coverage across all essential user workloads within the organisation, encompassing endpoints, email, documents, cloud apps, and identities.

It served as the foundation G&J Pepsi required to fortify security post-recovery from the ransomware attack. Microsoft 365 Defender, by correlating signals across these diverse areas, possesses a unique capability to detect and respond to ransomware threats, similar to the one encountered by G&J Pepsi.

McKinney emphasises, “Maintaining a robust security posture that prioritises physical security and the protection of devices, identities, and data is crucial for company stability and constitutes key elements in successfully defending against cyberattacks. We also advocate leveraging all recommendations available in Microsoft solutions, including the security tools in Azure and Defender for Endpoint.”

Focus on backup capability

The initial move by G&J Pepsi involved enhancing backup practices by implementing Azure Backup on each Azure Virtual Machine device nightly and extending backup retention. McKinney places confidence in Azure Backup due to its distinctive approach compared to other backup solutions. Unlike alternatives that back up device images to a Server Message Block (SMB) file share – enabling network applications to read and write files and potentially facilitating dangerous lateral movement during an attack – Azure Backup operates at the platform layer. This installation on the platform layer prevents attackers from moving laterally into the broader estate to access backup files, as highlighted by McKinney: “Azure Backup stands out from many other backup systems because it operates on the platform layer, thwarting attackers from lateral movement to access backup files. Fortunately, we successfully restored our environment to its pre-attack state.”

Make sure you have strong identity protection

The recovery of G&J Pepsi-Cola Bottlers from the ransomware incident prompted a comprehensive reassessment of every facet of endpoint defence. McKinney emphasises the importance of robust identity protection, advising, “Ensure the implementation of strong identity protection measures. Establish conditional access policies to limit dubious sign-ins.” His team secures administrative IDs with multi-factor authentication, using conditional access policies in Azure Active Directory, an integral component of Microsoft Entra, to block suspicious sign-in attempts. Additionally, the company refined its Intune policies, restricting downloads to USB devices and all executable content.

Distill security events down to real threats 

The challenge with comprehensive threat monitoring lies in the abundance of events, many of which turn out to be false positives, posing the risk of overwhelming a security team. In response, G&J Pepsi sought the assistance of a managed detection and response provider precisely for this purpose. McKinney explains, “We lack the resources to sift through the 84 million security events flagged by our security solutions. Our managed detection and response provider extracts crucial threats from this vast information pool, keeping our team informed for more prompt responses.”
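The two ideas above, an XDR correlating signals from endpoints, identities, email and cloud apps, and an MDR reducing millions of raw events to a handful of real threats, rest on the same mechanism: weak alerts that converge on one asset within a short window outrank a flood of isolated noise. The following is an added, simplified illustration of that triage logic; it is not G&J Pepsi’s, Microsoft’s or any MDR provider’s code. The event format, the severity weights, the device-to-owner map and the sample alert stream are all constructed for this example.

```python
"""Toy alert triage: collapse a flood of security events into a short list
of incidents that deserve a human's attention.

Added illustration only. Event schema, weights and sample data are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field

SEVERITY_WEIGHT = {"informational": 0, "low": 1, "medium": 3, "high": 6}
CROSS_SOURCE_BONUS = 3  # awarded each time a new signal source joins an incident

# Constructed lookup: which user normally owns which device, so that an
# endpoint alert on WS-042 and an identity alert on jdoe land in one incident.
DEVICE_OWNER = {"WS-042": "jdoe"}


@dataclass(frozen=True)
class Event:
    ts: int        # seconds on a constructed timeline
    source: str    # endpoint | identity | email | cloudapp
    severity: str  # key of SEVERITY_WEIGHT
    asset: str     # device name or user principal the event is about
    title: str


@dataclass
class Incident:
    key: str                                   # canonical asset (user if known)
    start: int                                 # ts of the first event
    score: int = 0
    sources: set = field(default_factory=set)
    titles: Counter = field(default_factory=Counter)


def asset_key(asset: str) -> str:
    """Map a device to its usual owner so cross-source signals correlate."""
    return DEVICE_OWNER.get(asset, asset)


def triage(events, window: int = 3600, threshold: int = 6):
    """Cluster events per asset within `window` seconds, score each cluster,
    and return only clusters scoring at least `threshold`, highest first.

    Scoring rules:
      * each distinct alert title contributes its severity weight once;
        repeats of the same title add nothing (they are usually noise);
      * every additional distinct source on the same asset adds a bonus,
        because converging signals are what make an incident credible.
    """
    incidents, open_by_key = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = asset_key(ev.asset)
        inc = open_by_key.get(key)
        if inc is None or ev.ts - inc.start > window:
            inc = Incident(key=key, start=ev.ts)
            open_by_key[key] = inc
            incidents.append(inc)
        inc.titles[ev.title] += 1
        if inc.titles[ev.title] == 1:
            inc.score += SEVERITY_WEIGHT.get(ev.severity, 0)
        if ev.source not in inc.sources:
            if inc.sources:
                inc.score += CROSS_SOURCE_BONUS
            inc.sources.add(ev.source)
    return sorted((i for i in incidents if i.score >= threshold),
                  key=lambda i: -i.score)


# Constructed sample stream: 2045 events, of which two clusters matter.
SAMPLE_EVENTS = [
    # Noise: routine informational endpoint events across 50 workstations.
    *[Event(i * 5, "endpoint", "informational", f"WS-{100 + i % 50}",
            "Scheduled scan completed") for i in range(2000)],
    # One server repeating the same low-severity alert 40 times.
    *[Event(100 + i, "endpoint", "low", "SRV-FS01", "Unsigned driver loaded")
      for i in range(40)],
    # The real thing: medium/low signals from three sources converge on one
    # user and their device inside an hour.
    Event(3000, "identity", "medium", "jdoe", "Sign-in from unfamiliar location"),
    Event(3300, "endpoint", "medium", "WS-042", "Suspicious process tree"),
    Event(3400, "endpoint", "medium", "WS-042", "Suspicious process tree"),
    Event(3900, "cloudapp", "low", "jdoe", "Mass download from SharePoint"),
    # A single high-severity alert that stands on its own.
    Event(9000, "endpoint", "high", "SRV-DC01", "Credential dumping attempt"),
]


if __name__ == "__main__":
    for inc in triage(SAMPLE_EVENTS):
        print(f"{inc.key:10} score={inc.score:2} sources={sorted(inc.sources)} "
              f"titles={dict(inc.titles)}")
```

Run against the constructed stream, the 2,040 noise events collapse to nothing and only two incidents survive: the jdoe cluster, whose three individually unremarkable alerts combine into the top score, and the lone high-severity alert on the domain controller. The design point is that dedup and cross-source correlation, not a higher severity cutoff, are what separate the real threat from the volume.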


McKinney highlights a pivotal capability provided by G&J Pepsi’s chosen managed detection and response (MDR) provider, selected for overseeing security events. This provider seamlessly integrates with Microsoft Defender for Cloud Apps through native connectors, eliminating the necessity for customized configuration. McKinney clarifies, “Many MDRs deploy agents on devices and sensors within the company network, but this doesn’t align with our modern workplace. Employees can sign in from various sources that don’t have sensors.”

Roll out the most effective security tools – no exceptions, no apologies

Once more, McKinney underscores the significance of endpoint security in G&J Pepsi’s refined security strategy, recognizing the essential need to navigate the inherent tension between productivity, convenience, and security. “For any cybersecurity team, my advice is to concentrate on endpoints and identity,” he recommends. “Leverage an endpoint detection and response tool such as Intune to its fullest, reinforce those policies, and don’t shy away from it.” McKinney stresses the importance of G&J Pepsi employees utilising Microsoft productivity apps for content creation and storage, advocating for safer collaboration through platforms like SharePoint and OneDrive.

Go Cloud as much as possible 

The conventional arguments supporting the cloud—enhanced scalability, robust capabilities, and an appealing cost structure—resonate strongly with McKinney. However, he contends that the emphasis often overlooks a crucial advantage. “In a nutshell, make the move to the cloud,” he advises. “Shift as much as possible to platform and software-as-a-service (SaaS) solutions. G&J Pepsi has reaped numerous security benefits, including platform-based backups, cloud-based identities, and multifactor authentication, utilizing native tools that effectively recommend and identify risks.” These advantages, McKinney asserts, would be challenging to replicate without the cloud. He elaborates, “If we had to host systems independently, they would be on-premises or on virtual machines (VMs). Malicious actors would inevitably compromise them, targeting vulnerabilities in applications and operating systems to advance their attacks.”

G&J Pepsi’s fast recovery from the cyberattack was an all-hands affair. The Accounting, HR, Operations, and Logistics departments rallied to the Digital Technology team’s call, putting in long hours. For Brian Balzer, Executive Vice President of Digital Technology and Business Transformation, talented teams and the right technology were the combination that carried the day. “Hosting SaaS solutions and all other platforms in Azure was key to thwarting the cyberattack,” he says. “I attribute our prompt containment and recovery to talented G&J Pepsi team members, and their full use of Microsoft Azure and Microsoft Security tools.”

Size shouldn’t dictate a company’s ability to benefit from the cloud. “It doesn’t matter whether you’re a huge corporation like PepsiCo, a midsize business like G&J Pepsi, or a mom-and-pop gas station down the road,” asserts McKinney. “I would make that move to the cloud and make it quickly.” His only other piece of advice? “Have a great team and focus them on that delicate balance between technical advances that move the business forward, and the compliance aspect,” concludes McKinney. “But ultimately, the heroics of our entire IT team made a critical difference.”

If you don’t have the internal support in your organisation, CSG are here to provide that ongoing support. Partnered with Microsoft, we offer the most up-to-date protection, and with our Azure packages you can guard against the scenario described above. Contact us today to get started.
