Identified the source of infection from 1,100 terminals and prevented its spread through rapid response at Biman Airlines

Supporting the recovery of “Biman Bangladesh Airlines” from ransomware infection!

The source of infection was identified from 1,100 devices and spread was prevented with quick response.

In recent years, damage caused by “ransomware” has increased globally. “Ransomware” is a neologism that combines “ransom (ransom),” which means ransom, and “software (software).” It refers to malware that encrypts data, makes it unusable, and then requests money such as bitcoins or virtual currency in exchange for canceling it.

Once infected, it is extremely difficult to restore data, and losses span a wide range of issues, such as financial damage, suspension of operations, and loss of trust in the enterprise. When an enterprise is attacked, it is essential that experts respond quickly in order to minimize the risk of damage.

Below, we will introduce our incident response case at Bangladesh's national airline “Biman Bangladesh Airlines.”

Company name: Biman Bangladesh Airlines (Biman Bangladesh Airlines)

Company website:https://www.biman-airlines.com/

Industry: Airline

Business description: Bangladesh's national airline. We operate domestic and international flights.

Implementation department: IT department

Number of employees: 2,318 (as of 2024 https://en.wikipedia.org/wiki/Biman_Bangladesh_Airlines)

Number of terminals surveyed in this assessment(mobile phones, computers, network devices): 1,100

Problem
In response to a ransomware attack, a situation occurred where terminals, data, accounting software, etc. were encrypted and became unusable. We requested an external system company, and although it was resolved once, it was not a cybersecurity specialist company, concerns arose about whether a perfect response was possible, and our company Pipeline, which specializes in cybersecurity, requested an additional investigation.
Solution
A large-scale ransomware incident investigation was carried out at the local office. The security operations team went to the office and investigated the internal network using our tools (DataLAIQ, ThreatIDR).
Result
Identify users and devices that appear to have been infected or breached by cybercriminals/hackers. I was able to fully recover in about 2 weeks.
-What kind of situation did you fall into when you were infected with ransomware?

On 2024/3/17, in response to a ransomware attack, email servers were hacked, and there was a threat of “permanently blocking access to the server or disclosing the victim's personal data unless a ransom is paid.” We requested a response from the system company, which is also our business partner, and immediately quarantined the suspicious server and interrupted email and all internal communication.

Due to the infection, terminals, data, accounting software, etc. were encrypted and became unusable, and it was reported as news. Fortunately, since the customer management system was managed by outsourcing it to another company, there was no impact such as the leakage of customer personal information. Also, there was no impact on the operation of airplanes.

Since we are a national airline, we are required to report to the country. We asked an external system company, and although it was resolved once, it is not a cybersecurity specialist company, we wanted to carefully check whether a perfect response was possible and whether there were any omissions in the response, so we asked Pipeline, a company that specializes in cybersecurity, to conduct an additional investigation.

-Why did you request our response?

This is because it is the only company in Bangladesh that can respond to incidents. There are other system companies that provide comprehensive services, but they are not security experts. As a second opinion, we requested an investigation from your company.

-How did Pipeline respond?

The security operations team immediately rushed to the office for emergency response.

To explore threats and identify incidents, we used DataLAIQ (data lake) to begin collecting system logs for all 1,100 units. Specifically, we collected NetFlow (NetFlow), Syslog (Syslog), firewall, and endpoint device logs.

Also, in order to identify whether the system is not communicating with command and control servers or known malicious systems such as ransomware and malware, we proceeded with the investigation using ThreatIDR (ThreatIDR).

Identify users and terminals that were infected with malware and were performing suspicious communication from multiple user terminals. We blocked those devices that were the source of the infection and reset everything, and we were able to fully recover in about 2 weeks.

◆What is DatalaiQ (data lake)?

DatalaiQ is a comprehensive data analysis solution designed to collect, manage, and analyze large volumes of log data from various systems such as firewalls, networks, and endpoints. It centralizes data collection and visualization, offering real-time analysis through a unified dashboard.

◆What is ThreatIDR (ThreatIDR)?

ThreatIDR is a cybersecurity solution designed to protect enterprises by providing real-time monitoring and blocking of malicious activities. It functions as a protective DNS service that blocks malware, ransomware, phishing attacks, viruses, and other malicious sites.

—How was the pipeline's response?

Since we were able to identify the terminal source of the infection at an early stage and block it from the network, we were able to converge without the infection spreading from there, and I am very grateful. Based on their knowledge and experience as experts, while proceeding with the investigation, they consulted on each step of the way on what to do next, so I was very reassuring, and I was able to leave it to them with peace of mind.

—What do you expect from the pipeline going forward?

In order to ensure the safety of our environment, we are continuing to join the security team and are receiving support for monitoring dark web information, etc. We have also introduced “DataLAIQ” to enhance security, so we have received support for in-house use.

The scary thing about ransomware is that if even one employee is infected, it will spread throughout the enterprise through the network. In order to prevent recurrence and strengthen cybersecurity, we believe it is essential to strengthen IT security education for employees in addition to prevention through specialized teams and tools. It's a field that hasn't progressed much in Bangladesh, so I would be very happy if you could share the knowledge unique to Pipeline, which is developing globally.

Thank you for your continued advice as a security expert.

<Comment from Pipeline>

Pipeline Stock Company President and CEO Allan Watanabe

The rise in ransomware attacks poses a significant threat to businesses, causing operational disruptions and financial losses. Staying proactive with advanced cybersecurity measures like ThreatIDR and DatalaiQ is crucial for quick detection and response to minimize damage. Businesses must prioritize cybersecurity awareness and swift action to safeguard against these evolving threats.

<Comment from Pipeline>

Pipeline Stock Company President and CEO A.lan Watanabe

The rise in ransomware attacks poses a significant threat to businesses, causing operational disruptions and financial losses. Staying proactive with advanced cybersecurity measures like ThreatIDR and DatalaiQ is crucial for quick detection and response to minimize damage. Businesses must prioritize cybersecurity awareness and swift action to safeguard against these evolving threats.

Building a Smart Security Pipeline

Gain a new level of insight and knowledge across your organization to speed up decision making and business actions.