Finalsite, a cloud and SaaS service provider to roughly 8,000 schools and universities, has suffered a ransomware attack and hired a third-party forensics team to investigate the attack and assist the recovery, the company disclosed in a January 6, 2022 statement. Finalsite did not mention the name of the cyber forensics team involved in the investigation.
Finalsite Ransomware Attack, Recovery, Restore and Investigation
The Finalsite attack timeline and recovery process look like this, according to paraphrased information culled by MSSP Alert from Finalsite’s status page:
Tuesday, January 4: Finalsite discloses error rates and performance issues across some of its legacy modules, though the term ransomware is not mentioned. The impacted systems apparently include Groups Manager, Constituent Manager, Login, Forms Manager (old), Registration Manager, Directory Elements, Athletics Manager and Calendar Manager.
Wednesday, January 5: CTO Tim McDonough says the team worked through the night in an attempt to restore systems, but a “disruption” to certain computer systems on the network continues. Again, no mention of ransomware is made. By the end of the day, McDonough says significant progress has been made to restore systems.
Thursday, January 6: In a lengthy update, McDonough discloses that ransomware was discovered on the network on January 4, and that a third-party forensics team has been hired to assist with the investigation and recovery. The company has full access to files and data, and sees no evidence that company or customer data was taken.
Friday, January 7: The vast majority of sites have been restored, though the company still has work to do to “bring everything back to normal.”
Tips to Protect Against Ransomware Attacks
To mitigate the risk of ransomware attacks, the FBI and CISA say MSSPs and MSPs should take these seven steps:
require multi-factor authentication (MFA);
implement network segmentation;
scan for vulnerabilities and keep software updated;
remove unnecessary applications and apply controls — and be sure to investigate any unauthorized software, particularly remote desktop or remote monitoring and management software;
implement endpoint and detection response tools;
limit access to resources over the network, especially by restricting RDP; and
secure user accounts.
How MSPs and MSSPs Can Respond to and Recover From Ransomware Attacks
If a ransomware incident occurs, CISA, the FBI and the NSA recommend the following four actions: