Full Report
Oklahoma-based ENGlobal Corporation said in an updated 8-K filing with the SEC that company officials were locked out of financial systems for six weeks because of a November ransomware attack.
Analysis Summary
# Incident Report: ENGlobal Corporation Ransomware Attack and System Disruption
## Executive Summary
ENGlobal Corporation, an energy industry and federal government contractor, suffered a ransomware attack starting November 25th that resulted in a significant six-week disruption to critical business applications, including financial and operational reporting systems. The attack led to data encryption and the confirmed access of a portion of the IT system containing sensitive personal information. Full system restoration and presumed threat actor eviction were achieved after an extended response period.
## Incident Details
- **Discovery Date:** Not explicitly stated, but reported to SEC in December (suggesting discovery occurred late November/early December).
- **Incident Date:** November 25 (Attack commencement).
- **Affected Organization:** ENGlobal Corporation.
- **Sector:** Energy Industry and Federal Government Contracting (Specializing in automation and instrumentation systems).
- **Geography:** Oklahoma-based firm (US operations mentioned).
## Timeline of Events
### Initial Access
- **Date/Time:** November 25
- **Vector:** Not stated. The filing describes a ransomware attack but does not give the initial access vector (e.g., phishing, RDP compromise).
- **Details:** Threat actor gained access to IT systems and initiated data encryption activities.
### Lateral Movement
- **Details:** Attackers were able to access and compromise a portion of the company's IT system, implying successful lateral movement to deploy ransomware or access sensitive data.
### Data Exfiltration/Impact
- **Details:** Data encryption occurred. The threat actor also accessed a portion of the IT system containing **sensitive personal information**.
### Detection & Response
- **Date/Time:** The incident was publicly disclosed via SEC filings in December, confirming the attack.
- **Response actions taken:** Employee access to the IT system was restricted, limiting operations to essential business functions for approximately six weeks.
## Attack Methodology
- **Initial Access:** Specific vector unknown; the filing describes only the outcome (ransomware deployment).
- **Persistence:** Not detailed. The six-week figure measures the restriction of employee access during the response, not the duration of threat actor access, which the filing does not state.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Confirmed access to a portion of the IT system, followed by data encryption.
- **Collection:** Confirmed access to sensitive personal information, suggesting reconnaissance and collection occurred prior to, or concurrent with, deployment.
- **Exfiltration:** Not confirmed. Sensitive data was accessed, but the filing does not confirm that data was exfiltrated or state any volume.
- **Impact:** Encryption of files, leading to operational downtime for financial and corporate reporting systems for six weeks.
## Impact Assessment
- **Financial:** The company stated it does not believe the attack will have a "material impact" on its financial position.
- **Data Breach:** Confirmed access to a portion of the IT system containing **sensitive personal information**. Affected individuals will be notified.
- **Operational:** Significant disruption lasting approximately six weeks, severely limiting the ability to access and utilize business applications supporting financial and operating reporting functions.
- **Reputational:** None explicitly stated, though disclosure was made via SEC filings.
## Indicators of Compromise
*(No specific IOCs like IPs, domains, or hashes were provided in the summary text. The following are behavioral indicators.)*
- **Network indicators:** None provided.
- **File indicators:** Encrypted files (ransomware).
- **Behavioral indicators:** Encryption of data underpinning the financial and operational reporting applications; unauthorized access to a portion of the IT system holding sensitive personal information.
## Response Actions
- **Containment measures:** Restricted employee access to the IT system; limited operations only to essential business processes.
- **Eradication steps:** At the time of the final report, the company believed the threat actor no longer had access to the IT system.
- **Recovery actions:** Fully restored operations and corporate functions after approximately six weeks.
## Lessons Learned
- **Key takeaways:** Comprehensive ransomware attacks can cause extensive operational downtime, exceeding typical remediation times (17 days average vs. 42 days experienced here). Even companies involved in critical infrastructure/government contracting are prime targets.
- **What could have been done better:** The extended six-week outage suggests challenges in detection, containment, or restoration processes compared to industry averages.
## Recommendations
- Implement enhanced network segmentation to limit the lateral spread of ransomware.
- Review and enhance backup and recovery protocols to significantly reduce potential downtime following a destructive attack.
- Conduct regular threat hunting focused on persistence mechanisms and on signs of data staging or exfiltration involving sensitive personal information.