Full Report
As part of my role at DXC Technology, I oversee our security business, and I frequently deal with attacks on our customers. But on Saturday, July 4, 2020, as I was stepping out of the car to start my family vacation, the company became the target of a ransomware attack. The incident involved Xchanging, a subsidiary based in the United Kingdom, which provides technology-enabled business services to the commercial insurance industry. The attacker sent an often-used image of a beloved cartoon character making an obscene hand gesture with this message: “We have your data. We’ve encrypted your files. If you want to negotiate, we can talk on a secure tool or chat session.” While the network used by the Xchanging business was segregated from DXC’s much larger IT environment, we were nonetheless concerned about whether the incident would have operational impacts on Xchanging customers when London insurance offices opened on Monday.
Analysis Summary
# Incident Report: DXC Technology/Xchanging Ransomware Attack (July 2020)
## Executive Summary
On Saturday, July 4, 2020, DXC Technology suffered a ransomware attack targeting its UK-based subsidiary, Xchanging, which services the commercial insurance industry. Attackers gained initial access two days prior, encrypted files, and demanded negotiation via a ransom note featuring an offensive cartoon image. Due to swift action—including severing connectivity and engaging authorities—the impact was limited, no data was stolen, and systems were restored by Monday morning, July 6, 2020.
## Incident Details
- **Discovery Date:** July 4, 2020 (the date the active impact was observed and the ransom notification was received).
- **Incident Date:** Initial access occurred roughly two days prior to July 4, 2020. Ransom notification occurred on July 4, 2020.
- **Affected Organization:** Xchanging (a subsidiary of DXC Technology).
- **Sector:** Technology-enabled Business Services for the Commercial Insurance Industry.
- **Geography:** United Kingdom (primary affected subsidiary location).
## Timeline of Events
### Initial Access
- **Date/Time:** Approximately two days prior to July 4, 2020 (i.e., roughly July 2, 2020).
- **Vector:** Use of a publicly available security testing tool (referred to as "grayware").
- **Details:** The grayware was used to establish a backdoor on Microsoft Windows systems; through that backdoor, a new variant of encryption malware (ransomware) was deployed.
### Lateral Movement
- **Details:** Not explicitly detailed. The successful deployment of ransomware to a handful of systems implies limited movement within the segregated Xchanging network segment; only those systems were accessed.
### Data Exfiltration/Impact
- **Date/Time:** Ransom note delivered on July 4, 2020.
- **Details:** Files were encrypted. The attacker claimed to have the victims’ data, although subsequent response actions determined **no data was actually stolen**.
### Detection & Response
- **Date/Time:** Detected on July 4, 2020, as the executive responsible began his vacation.
- **Details:** Response actions included quickly isolating and neutralizing the threat, engaging customers and authorities, shutting off remote access to Xchanging systems (requiring coordination between UK and India IT teams), and cleaning/restoring the environment on Sunday, July 5.
## Attack Methodology
- **Initial Access:** Publicly available security testing tool ("grayware") used to create a backdoor and exploit Microsoft Windows.
- **Persistence:** Implied by the deployment phase, likely established via the backdoor created by the grayware.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Not detailed (the use of widely available tools suggests the attacker relied on vulnerable endpoints rather than sophisticated evasion).
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed, beyond finding a foothold.
- **Lateral Movement:** Achieved limited movement resulting in encryption of a "handful of systems."
- **Collection:** Attacker claimed data collection occurred, though DXC later determined no data was stolen.
- **Exfiltration:** The attackers' domains were located in the United States, suggesting an intent to exfiltrate data to infrastructure within the US; no exfiltration was confirmed.
- **Impact:** Encryption of files on affected systems (Ransomware impact).
## Impact Assessment
- **Financial:** Not disclosed, but the company avoided paying a ransom.
- **Data Breach:** **None.** The investigation confirmed no data was stolen.
- **Operational:** Potential for significant disruption, but rapid remediation meant Xchanging was able to process insurance policies by Monday morning (July 6).
- **Reputational:** Public disclosure was made via news release on Sunday, July 5, acknowledging the incident and later confirming containment.
## Indicators of Compromise
- **Network indicators:** Attacker-controlled domains located in the United States, used for potential data exfiltration (specific domains are not listed in the source); these domains were later seized under a court order.
- **File indicators:** Deployment of a new variant of encryption malware (ransomware).
- **Behavioral indicators:** Use of "grayware" (a publicly available security testing tool) to establish a backdoor on Windows systems.
## Response Actions
- **Containment measures:**
* The security team quickly identified the compromised area while the attack was underway.
* Senior leadership made the decision to **sever all connectivity/shut off remote access** to the Xchanging systems immediately.
- **Eradication steps:**
* The environment was cleaned and restored on Sunday, July 5.
* The threat was isolated and neutralized quickly.
- **Recovery actions:**
* Business operations resumed by Monday morning, July 6, allowing Xchanging to process insurance policies.
* A court order was obtained to take control of the attackers’ internet domains.
## Lessons Learned
1. **Know your infrastructure:** Maintain focus on basic software-patching hygiene and ensure enterprise security tools are properly deployed on all networks and firewalls to detect malicious behavior.
2. **Involve senior leadership from the start:** Establishing clear governance and quick decision-making pathways (such as the decision to shut off all remote access) is crucial.
3. **Engage authorities and experts early:** Law enforcement provided insight, leading to the swift acquisition of a court order to seize attacker domains.
4. **Gain as much leverage as you can — and don’t pay:** The organization was in a strong position (knowing they had backups and had cut off the attack) and opted not to negotiate or pay the ransom.
5. **Be transparent:** Sharing Indicators of Compromise (IOCs) with hundreds of customers helped protect the wider community.
## Recommendations
- Pre-establish clear lines of accountability for emergency decisions (Crisis Management Governance).
- Monitor or block publicly available security testing tools (including those classified as "grayware") and similar low-and-slow initial access vectors when they exhibit known malicious behaviors such as backdoor creation.
- Consider retaining an experienced ransom broker as part of incident response preparation, even if the intent is not to pay.