On February 18, 2021, Afnor's entire business was brought to a standstill by a computer attack. The Ryuk ransomware had claimed yet another victim. Jean-Marc Aubert, Afnor's CISO, recounts the details of this long-term crisis management.

For the outside world, on the afternoon of February 18, 2021, the Association française de normalisation (AFNOR) modestly refers to a "technical problem" with its websites. Its press service, fortunately more transparent, mentions the Ryuk ransomware. Behind the scenes, it all began a few hours earlier.

At 8:02 a.m., a message from the technical team alerted Afnor's CIO to a "small" problem: the sudden appearance of .RYK files on the company network. He immediately interrupted his vacation and called Jean-Marc Aubert, Afnor's current CISO, who was then in charge of security. This marked the start of a race against time to block the attack, followed by months of work to get the information system back into production.

Just 18 minutes after the alert began, the CIO and ComEx decided to shut down the entire information system. "All computers were shut down, and everyone went back to paper and pencil," explains Jean-Marc Aubert. "We were in the middle of the Covid phase, and all employees were in lockdown. We called back all ISD staff and set up a crisis management room."

All hell breaks loose at AFNOR headquarters

The entire information system is shut down, and the crisis management team quickly gets organized. The IT team calls its contacts for help and handles the reporting aspect of the cyberattack. The Agence nationale de la sécurité des systèmes d'information (Anssi) is notified, as is the insurer. A complaint is lodged with the local police station, and the mandatory declaration to the CNIL is made within 72 hours. Jean-Marc Aubert also turned to the Office central de lutte contre la criminalité liée aux technologies de l'information et de la communication (OCLCTIC), which is familiar with this type of attack on French companies. "Fortunately, we had taken out cyber insurance a year before the attack. Another invaluable asset was the assistance contract we had signed with Airbus Protect, which enabled us to start our crisis management very quickly. And while our first call was to Anssi, the second was to our sales contact at Airbus Protect."

 

Link to article: https://www.lemagit.fr/etude/Ransomware-le-RSSI-de-lAfnor-raconte-la-cyberattaque-de-fevrier-2021

Credit: Alain Clapaud - LeMagIT