In May 2020, the power grid middleman Elexon had its servers infected with Sodinokibi Ransomware after a cyberattack. The company reported that the attack only affected internal systems, such as the company email server and employee laptops. The email server was taken down following the incident and shortly after, Elexon announced that they’d found the root cause of the attack but did not provide details. Elexon opted to not pay the ransom request and relied on backups to restore their data. The Sodinokibi operators responded by publishing around 1,280 files that they allegedly stole from Elexon. These files were copies of employee passports and company insurance application forms. While Elexon itself did not reveal how Sodinokibi made its way into their system, researchers from Bad Packets stated that they were using an outdated version on Pulse Secure VPN which may have been exploited.
Responding to a ransomware incident promptly is key when attempting to minimize the effect it may have. Discovering and stopping an attack in the first hour makes it very difficult for attackers to discover and download a large quantity of files that they can use as leverage by threatening to release the files publicly if the ransom is not paid. A good defense in depth strategy that incorporates an Endpoint Detection and Response (EDR) solution can help to identify attacks in the early stages before they make their way into critical systems and servers. This is extremely effective when having a Security Operations Center (SOC) that is providing 24/7/365 monitoring of endpoints that can respond by taking any affected systems offline quickly.