

Tim MalcomVetter
Co-Founder / CEO
Ransomware Recovery
As they say:
The best time to plant a tree was 20 years ago. The second best time is today.
Likewise, it’s best to deploy Wirespeed before you’re attacked, but if you’re attacked, deploy us immediately. We work well with Incident Response teams. Here are a couple of examples, but the takeaway is obvious: it’s not the lack of telemetry, it’s the lack of action that resulted in ransomware.
#Case 1: We have EDR (but we don’t watch it)
A medical firm purchased decent security controls, including EDR (endpoint detection & response), but they had nobody watching it 24x7. So when a bad guy gained access and deployed legitimate-looking tools, such as the mesh agent, an RMM (remote management) tool, and psexec (for lateral movement), the alerts became the proverbial tree in the forest with no one nearby to hear it.
Once they knew they were under attack, they contacted an Incident Response team that partners with us, and that firm deployed Wirespeed. We pulled historical detections over the prior 90 days, triaging and summarizing in seconds. It became very obvious what happened, saving the IR team a ton of time.
#Case 2: The slow, inattentive, and unhelpful MDR Provider
In this case, the company had purchased not only EDR, but also MDR (managed detection & response) from a big-name provider in existence for over a decade. Of the hundreds of alerts across hundreds of endpoints, most were never reported to the victim organization, and some were escalated 6+ hours after they happened.
Once the company realized they were being attacked, they initiated Incident Response with a partner of ours, who deployed Wirespeed immediately. We went back in time, triaging the previous 90 days, and again, it’s very clear what happened in this case. It reads like the horrible day it was.
The legacy MDR provider’s alert, “powershell ran from an unusual location,” instantly puts anyone to sleep and doesn’t even come close to our explanation of what happened. When you’re that late and that off-target with no urgency, your customers will be compromised.
The victim organization ended up with a cyberinsurance claim, two IR firms working together for weeks, and a contract dispute between their legacy big-name MDR provider and the VAR who locked them into that tough contract. Not fun.
#If you’re an IR firm …
We’ll gladly let you use Wirespeed for free during your recovery process. Contact us today!
