In the wake of a double extortion ransomware attack, Hannes Brunner, CH Media’s chief information security officer, shares the key lessons he learnt from the crisis

CH Media is a Swiss media organisation consisting of newspapers, radio, TV stations, and printing. On March 1, 2023, the company was hit with a major cyberattack.

At the Risk-!n conference in Zurich, Hannes Brunner, CH Media’s chief information security officer, who had been in his role for just 23 days when the breach was detected, shared the story.


The attack was first discovered late at night, and the initial signs were that the breach was not very serious and could be contained. But then, in the early hours of the morning it became clear that the ransomware had started to encrypt parts of the critical infrastructure.

At that point, Brunner says a 24/7 war council was created, including the CEO, CFO, HR and other senior board members. It also included people from the SOC, and a cyber forensics company.

He explained: “Essentially the attack affected our so-called ‘active directory services’, which is basically where all the users and sessions are stored. It started to encrypt those servers and also reached some of our critical infrastructure file servers and operational systems, which stopped working.

“Then everybody needed to know. This is when we established the task force. Fortunately, the company was prepared for this, and so could quickly activate and start this work.”

The war council managed to get the whole company back up to almost full operations within two weeks, a considerable achievement. This was possible partly because of quick thinking and partly because a plan was already in place.

CH Media immediately isolated its systems from external connectivity via the internet. It then isolated the four Active Directory domain controllers that had been hit by the attack. This stopped the ransomware from spreading further and meant the attackers could not regain access while the company recovered.

Three of these domain controllers were already dead, but one was still working. The company saved it by isolating it, disconnecting it, and halting the infection in its tracks. It used sophisticated tools to find and remove the ransomware, but there were still risks.

Brunner says: “You can never be 100% sure that you catch everything. We had a red zone where we potentially could still have some infection.”

To avoid the possibility of the attackers returning, CH Media decided to completely cut off its internet every night. This wasn’t without its challenges. It meant that production processes had to be adapted, no mean feat for a newspaper press that typically runs 24 hours a day.

Brunner explains: “We had to reschedule the production processes to ensure that we could really take down everything at 11 p.m. and then put it up in the morning and correct things.

“In the newspaper, things that work automatically [didn’t anymore]. Those are important. So, people had to resort to doing things manually. Ultimately, instead of 12 different versions of our newspaper, we could only do six.”

The company bounced back quickly, but then came the second part of the attack, the extortion. Originally, the hackers had demanded money for the data that was encrypted. But given the speed of CH Media’s response, not much had been lost and there was no question of paying.

Next, the hackers threatened to leak the consumer data that same day, unless a ransom was paid. Brunner says that with the help of the police, negotiations started. There were two key aims, firstly to try and buy some time and secondly to understand what data was at risk.

It turned out that the data that had been stolen was comprehensive, including company salaries right up to the top of the organisation, and customer details and addresses. CH Media responded with a series of transparent communications with all stakeholders.

Brunner says: “I can really congratulate my management on how they dealt with that. We very openly communicated with our staff and told them honestly what happened. We also told our customers and were very open about that. We released details on the attack back to the public afterwards. And this open communication culture helped a lot to give those people some security.

“This is something that I really encourage. It’s very difficult to fight such events and it’s much worse if things come out afterwards, bit by bit.”

Brunner said that the company had nothing to hide, so having alerted customers, employees and other stakeholders, CH Media refused to pay the ransom.

Finally, the company was able to look back forensically and find out how the hackers had got a foothold in the first place.

The result? A remote maintenance account that had belonged to a third-party contractor. From there, the attackers escalated their privileges and cashed in on a Windows weakness that let them obtain higher-value credentials. Eventually, they were even able to disable the antimalware software.

Indeed, analysis suggests that the attackers had been in the account gaining information for at least a month before they made their move.
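The month-long dwell time on a contractor's remote maintenance account is the detection gap worth illustrating. The script below is an added example, not CH Media's tooling or anything described in the talk: it takes a constructed set of Windows logon records (fields modelled on Security event 4624: timestamp, account, target host, logon type), compares vendor-account activity against an assumed inventory of agreed maintenance windows and permitted hosts, and flags logons outside the window, logons to hosts the account was never provisioned for, and reactivation after a long dormant period. The account and host names (`svc-remotemaint`, `PRINT-PLC-01`, `DC-01`, and so on) and the 14-day dormancy threshold are hypothetical.

```python
"""Hunt for anomalous use of third-party remote-maintenance accounts.

Added example; the inventory, thresholds and log lines are all constructed
for illustration and are not CH Media's data.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed vendor-account inventory: agreed maintenance window as local
# hours [start, end) and the hosts the account was provisioned to reach.
VENDOR_ACCOUNTS = {
    "svc-remotemaint": {"window": (8, 18), "allowed_hosts": {"PRINT-PLC-01"}},
}

# Constructed logon records: timestamp|account|target host|logon type
# (type 10 = RemoteInteractive/RDP, 3 = network, 2 = interactive).
SAMPLE_EVENTS = [
    "2022-12-20T10:00:00|svc-remotemaint|PRINT-PLC-01|10",  # routine maintenance
    "2023-01-28T10:12:00|svc-remotemaint|PRINT-PLC-01|10",  # first use after a long gap
    "2023-01-31T02:45:00|svc-remotemaint|PRINT-PLC-01|10",  # outside the agreed window
    "2023-02-03T03:10:00|svc-remotemaint|DC-01|3",          # domain controller, never allowed
    "2023-02-10T23:30:00|svc-remotemaint|FILESRV-02|3",     # file server, never allowed
    "2023-02-20T09:00:00|jdoe|WS-117|2",                     # ordinary employee, out of scope
]


@dataclass
class Finding:
    time: datetime
    account: str
    host: str
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> Tuple[datetime, str, str, int]:
    """Split one pipe-delimited record into typed fields."""
    ts, account, host, logon_type = line.strip().split("|")
    return datetime.fromisoformat(ts), account, host, int(logon_type)


def analyze(lines, inventory, dormancy_days: int = 14) -> List[Finding]:
    """Return one Finding per vendor-account logon that breaks policy."""
    events = sorted(parse_event(line) for line in lines)  # oldest first
    last_seen: Dict[str, datetime] = {}
    findings: List[Finding] = []
    for ts, account, host, _logon_type in events:
        policy = inventory.get(account)
        if policy is None:
            continue  # not a vendor account; this hunt ignores it
        reasons = []
        start, end = policy["window"]
        if not (start <= ts.hour < end):
            reasons.append("outside_window")
        if host not in policy["allowed_hosts"]:
            reasons.append("unexpected_host")
        prev = last_seen.get(account)
        if prev is not None and (ts - prev).days > dormancy_days:
            reasons.append("reactivated_after_dormancy")
        last_seen[account] = ts
        if reasons:
            findings.append(Finding(ts, account, host, reasons))
    return findings


def estimated_dwell_days(findings: List[Finding], detected_at: datetime) -> int:
    """Days between the earliest flagged logon and the date the incident was detected."""
    if not findings:
        return 0
    first = min(f.time for f in findings)
    return (detected_at.date() - first.date()).days


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS, VENDOR_ACCOUNTS)
    for f in results:
        print(f"{f.time.isoformat()} {f.account} -> {f.host}: {', '.join(f.reasons)}")
    print("estimated dwell (days):", estimated_dwell_days(results, datetime(2023, 3, 1)))
```

Run against the constructed data, the earliest flagged logon is the reactivation on 28 January, which puts the estimated dwell time at 32 days before the 1 March detection date. The point of the exercise is that every one of these signals was available from ordinary logon telemetry; what makes them actionable is an inventory that records, per vendor account, when and where it is supposed to be used.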

The organisation has now completed a migration to two-factor authentication, something that was planned before the attack, but Brunner says the experience enabled the company to pinpoint key areas for improvement, including a focus on third parties.

Finally, Brunner reiterated that the reason CH Media was up and running so quickly was that it had a tried and tested plan in place, so the important thing is to be as prepared as possible.

He concluded: “Cyber security is like an immune system, not a wall… so while you can’t get the risk down to zero, it’s important to make it as unlikely as possible.”