Supporting the recovery of “Biman Bangladesh Airlines” from ransomware infection!
The source of infection was identified among 1,100 devices, and a rapid response prevented it from spreading.
In recent years, damage caused by ransomware has increased worldwide. “Ransomware” is a coined term that combines “ransom” and “software”. It refers to malware that encrypts data, making it unusable, and then demands payment, such as bitcoin or other virtual currency, in exchange for undoing the encryption.
Once infected, data is extremely difficult to restore, and the damage spans a wide range of issues, including financial loss, suspension of operations, and loss of trust in the enterprise. When an enterprise is attacked, it is essential that experts respond quickly to minimize the damage.
Below, we introduce our incident response case at Bangladesh's national airline, Biman Bangladesh Airlines.
Company name: Biman Bangladesh Airlines
Company website: https://www.biman-airlines.com/
Industry: Airline
Business description: Bangladesh's national airline. We operate domestic and international flights.
Implementation department: IT department
Number of employees: 2,318 (as of 2024 https://en.wikipedia.org/wiki/Biman_Bangladesh_Airlines)
Number of terminals surveyed in this assessment (mobile phones, computers, network devices): 1,100
What situation did you find yourselves in when you were infected with ransomware?
On 2024/3/17, in a ransomware attack, our email servers were hacked, and there was a threat of “permanently blocking access to the server or disclosing the victim's personal data unless a ransom is paid.” We requested a response from the system company that is also our business partner, and immediately quarantined the suspicious server and cut off email and all internal communication.
Due to the infection, terminals, data, accounting software, and so on were encrypted and became unusable, and this was reported in the news. Fortunately, since the customer management system was outsourced to another company, there was no impact such as the leakage of customers' personal information. There was also no impact on the operation of aircraft.
Since we are a national airline, we are required to report to the government. We asked an external system company, and although the issue was resolved once, that company is not a cybersecurity specialist, so we wanted to check carefully whether the response had been complete and whether anything had been missed. We therefore asked Pipeline, a company that specializes in cybersecurity, to conduct an additional investigation.
Why did you ask us to respond?
Because Pipeline is the only company in Bangladesh that can respond to incidents. There are other system companies that provide comprehensive services, but they are not security experts, so we requested an investigation from your company as a second opinion.
How did Pipeline respond?
The security operations team immediately rushed to the office for emergency response.
To hunt for threats and identify the incident, we used DatalaiQ to begin collecting system logs from all 1,100 units. Specifically, we collected NetFlow, syslog, firewall, and endpoint device logs.
We also used ThreatIDR to investigate whether any system was communicating with command-and-control servers or with known malicious infrastructure associated with ransomware and other malware.
We identified the users and terminals that were infected with malware and were generating suspicious communication from multiple user terminals. We blocked the devices that were the source of the infection, reset everything, and achieved full recovery in about two weeks.
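As an added illustration of the investigation steps described above (collecting NetFlow and resolver logs, then checking which hosts contacted command-and-control servers or known malicious systems), here is a small Python correlation script. It is example code written for this page, not DatalaiQ or ThreatIDR code, and nothing in it comes from the actual investigation: the log formats, internal hosts, and indicator list are constructed placeholders (documentation IP ranges and `.invalid` domains), and the beaconing check is a deliberately simple heuristic for surfacing hosts that reach the same domain at near-constant intervals.

```python
"""Correlate DNS and NetFlow records against a known-bad indicator list to find
which internal hosts are talking to C2 or other malicious infrastructure.
Added example for this page, not Pipeline's DatalaiQ/ThreatIDR code. All log
lines, hosts and indicators below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed indicator list (placeholders, not real IoCs).
BAD_DOMAINS = {"c2-update.example.invalid", "payload.example.invalid"}
BAD_IPS = {"203.0.113.45"}  # TEST-NET-3 documentation range

# Constructed syslog-style resolver lines: "<timestamp> <client> query <type> <name>"
DNS_LOG = """\
2024-03-17T09:00:01 10.20.1.15 query A www.biman-airlines.com
2024-03-17T09:00:04 10.20.1.33 query A c2-update.example.invalid
2024-03-17T09:01:04 10.20.1.33 query A c2-update.example.invalid
2024-03-17T09:02:04 10.20.1.33 query A c2-update.example.invalid
2024-03-17T09:03:05 10.20.1.33 query A c2-update.example.invalid
2024-03-17T09:00:09 10.20.2.7 query A mail.example.org
2024-03-17T09:10:00 10.20.3.101 query A payload.example.invalid
"""

# Constructed NetFlow-style records: start,src,dst,dport,bytes
NETFLOW = """\
2024-03-17T09:00:10,10.20.1.15,198.51.100.20,443,5120
2024-03-17T09:00:12,10.20.1.33,203.0.113.45,443,910
2024-03-17T09:05:30,10.20.4.8,203.0.113.45,8443,1300
2024-03-17T09:06:00,10.20.2.7,198.51.100.30,25,20480
"""

DNS_RE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")


def parse_dns(text):
    """Yield (timestamp, client_ip, queried_name) from resolver log lines."""
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()


def parse_netflow(text):
    """Yield (start, src_ip, dst_ip, dst_port, bytes) from CSV flow records."""
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        yield datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)


def match_indicators(dns_text, netflow_text):
    """Map each internal host to the known-bad domains/IPs it contacted."""
    hits = defaultdict(set)
    for _, client, name in parse_dns(dns_text):
        if name in BAD_DOMAINS:
            hits[client].add(name)
    for _, src, dst, _, _ in parse_netflow(netflow_text):
        if dst in BAD_IPS:
            hits[src].add(dst)
    return dict(hits)


def beaconing_hosts(dns_text, min_queries=4, max_jitter_s=5.0):
    """Flag hosts that query one name at near-constant intervals: a crude
    C2 beacon heuristic. Returns {client: (name, mean_interval_seconds)}."""
    by_pair = defaultdict(list)
    for ts, client, name in parse_dns(dns_text):
        by_pair[(client, name)].append(ts)
    flagged = {}
    for (client, name), stamps in by_pair.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:
            flagged[client] = (name, round(mean(gaps)))
    return flagged


def hosts_to_isolate(dns_text, netflow_text):
    """Union of indicator hits and beaconing hosts: candidates for network isolation."""
    return sorted(set(match_indicators(dns_text, netflow_text)) | set(beaconing_hosts(dns_text)))


if __name__ == "__main__":
    for host, iocs in match_indicators(DNS_LOG, NETFLOW).items():
        print(f"{host}: contacted {sorted(iocs)}")
    for host, (name, gap) in beaconing_hosts(DNS_LOG).items():
        print(f"{host}: beaconing to {name} every ~{gap}s")
    print("isolate:", hosts_to_isolate(DNS_LOG, NETFLOW))
```

In a real engagement the indicator list would come from a threat-intelligence or protective DNS feed rather than a hard-coded set, and hosts surfaced by either check are candidates for isolation and reimaging, which is the containment step the case above describes.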
What is DatalaiQ?
DatalaiQ is a comprehensive data analysis solution designed to collect, manage, and analyze large volumes of log data from various systems such as firewalls, networks, and endpoints. It centralizes data collection and visualization, offering real-time analysis through a unified dashboard.
What is ThreatIDR?
ThreatIDR is a cybersecurity solution designed to protect enterprises by providing real-time monitoring and blocking of malicious activities. It functions as a protective DNS service that blocks malware, ransomware, phishing attacks, viruses, and other malicious sites.
How was Pipeline's response?
Because the terminal that was the source of the infection was identified at an early stage and blocked from the network, we were able to contain the incident without it spreading further, and I am very grateful. Drawing on their knowledge and experience as experts, they consulted with us at each step of the investigation on what to do next, which was very reassuring, and I was able to leave it to them with peace of mind.
What do you expect from Pipeline going forward?
To ensure the safety of our environment, we continue to engage the security team and receive support for monitoring dark web information and more. We have also introduced “DatalaiQ” to enhance security, and we receive support for using it in-house.
The scary thing about ransomware is that if even one employee is infected, it spreads throughout the enterprise via the network. To prevent recurrence and strengthen cybersecurity, we believe it is essential to strengthen IT security education for employees in addition to prevention through specialized teams and tools. It is a field that has not progressed much in Bangladesh, so I would be very happy if you could share the knowledge unique to Pipeline, which is expanding globally.
Thank you for your continued advice as a security expert.
<Comment from Pipeline>
Allan Watanabe
Managing Director & CEO
The rise in ransomware attacks poses a significant threat to businesses, causing operational disruptions and financial losses. Staying proactive with advanced cybersecurity measures like ThreatIDR and DatalaiQ is crucial for quick detection and response to minimize damage. Businesses must prioritize cybersecurity awareness and swift action to safeguard against these evolving threats.