Full Report
According to the GD, prior to August last year, the Qilin ransomware group, LockBit 5.0, and other unidentified cybercriminals sent a malicious phishing link to the official emails of Shwapno employees. Some employees clicked on the link, allowing malware to infiltrate the organisation's network. On 19 August at around 2pm, computers at the ACI Logistics Limited head office in Tejgaon suddenly became inoperable, followed by a message from the "Qilin" ransomware group. The hackers demanded $1.5 million in exchange for not leaking the data, setting a 10-day deadline and threatening to release the information otherwise. The GD further stated that immediately after the incident, Shwapno's MIS (Management Information System) team disconnected internet access, inspected all devices, removed the malware, and strengthened security measures.
Analysis Summary
# Incident Report: Shwapno (ACI Logistics) Qilin Ransomware Attack
## Executive Summary
Prior to August of the year the GD refers to as "last year" (the report gives no absolute year), the Shwapno retail chain, operated by ACI Logistics Limited, was compromised through a phishing campaign that the GD attributes to the Qilin ransomware group, LockBit 5.0 and other unidentified cybercriminals. Employees who clicked the emailed links allowed malware onto the corporate network. On 19 August the head-office systems in Tejgaon became inoperable and a message from Qilin demanded $1.5 million, with a 10-day deadline, in exchange for not leaking the data. The MIS team contained and remediated the incident; the GD does not say whether the ransom was paid.
## Incident Details
- **Discovery Date:** 19 August, about 2:00 PM (year not stated; the GD says "last year")
- **Incident Date:** Initial access some time before August; impact on 19 August of the same unstated year
- **Affected Organization:** ACI Logistics Limited (Shwapno)
- **Sector:** Retail / Logistics
- **Geography:** Tejgaon, Dhaka, Bangladesh
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to August (year not stated in the report)
- **Vector:** Phishing email
- **Details:** The GD names the Qilin ransomware group, LockBit 5.0 and other unidentified cybercriminals as senders of malicious links to official employee mailboxes. Several employees clicked the links, which delivered the initial malware infection.
### Lateral Movement
- **Details:** The GD states only that the malware "infiltrated the organisation's network" after the phishing links were clicked. It does not describe how the attackers moved from the initially infected workstations to the head-office systems that were later rendered inoperable; any specific lateral-movement technique is an inference, not a finding of the report.
### Data Exfiltration/Impact
- **Details:** On 19 August the attackers rendered the computers at the Tejgaon head office inoperable; encryption is implied by the ransomware message but the GD does not describe the mechanism. The "Qilin" note demanded $1.5 million, with a 10-day deadline, in exchange for not leaking the data; the GD does not mention a decryption key being offered. The leak threat implies data was exfiltrated before impact, but the report does not say what was taken.
### Detection & Response
- **Discovery:** 19 August at about 2:00 PM (year not stated), when head-office computers became inoperable and the ransom message appeared.
- **Response actions taken:** The MIS (Management Information System) team immediately disconnected internet access to contain the spread, inspected all devices, removed the malware and strengthened security measures (the GD does not list the specific measures).
## Attack Methodology
- **Initial Access:** Phishing (Malicious links sent to official emails).
- **Execution:** Malware delivered through the phishing links and run on employee workstations.
- **Persistence:** Not described in the GD; how the attackers maintained access between the initial infection and the 19 August impact is not stated.
- **Impact:** Systems rendered inoperable and extortion under threat of data leakage. Qilin operates as a ransomware-as-a-service (RaaS) programme, so the party behind the note may be an affiliate rather than the core group.
- **Other Tactics:** Not detailed in the report, but the combination of disruption and a leak threat matches Qilin's known double-extortion TTPs (Tactics, Techniques, and Procedures).
## Impact Assessment
- **Financial:** $1.5 million ransom demand; the GD does not state whether it was paid. Recovery and security-hardening costs are not quantified.
- **Data Breach:** The attackers threatened to leak data, which implies exfiltration; the GD does not identify what data was taken or whether customer records were affected.
- **Operational:** Head-office computers inoperable from about 2:00 PM on 19 August; the duration of the outage is not stated.
- **Reputational:** Public disclosure of the breach and a seven-month delay in filing the General Diary (GD) with authorities.
## Indicators of Compromise
- **Network indicators:** Phishing URLs. The specific links are not provided in the report; they should be recovered from the mail-gateway logs and the affected employees' mailboxes rather than replaced with placeholder domains in blocklists.
- **File indicators:** Qilin ransom notes and files renamed with an unfamiliar extension. The note filename and extension used in this incident are not given in the report.
- **Behavioral indicators:** Sudden loss of access across many head-office computers; large outbound transfers to unfamiliar external addresses in the days before 19 August (inferred from the leak threat, not reported as observed traffic).
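The file and behavioral indicators above can be turned into triage checks that run over endpoint file-event logs and network flow records. The following script is an added example and is not part of the GD or of any Shwapno/ACI tooling; the sample events, the known-extension allowlist, the ransom-note name fragments, the sanctioned external address and the thresholds are all constructed, site-specific assumptions, and the unfamiliar extension `k7x2` in the sample is invented rather than the one used in this incident.

```python
"""Triage detections for the indicator classes listed above, run over
constructed sample telemetry (added example, not from the incident report).

Assumptions (illustrative, not from the report): the known-extension
allowlist, the ransom-note name fragments, the internal and sanctioned
address ranges, and the thresholds."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: extensions normal for this estate; anything else is "unknown".
KNOWN_EXTENSIONS = {"xlsx", "docx", "pdf", "txt", "csv", "jpg", "png", "bak"}
# Assumption: fragments common in ransom-note filenames; the real note name
# used in this incident is not given in the report.
NOTE_MARKERS = ("README", "RECOVER", "HOW_TO", "DECRYPT")
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: one sanctioned external endpoint (documentation address as stand-in).
ALLOWED_EXTERNAL = {ip_address("203.0.113.10")}

# Constructed file-event log: (seconds_since_start, host, action, path).
FILE_EVENTS = [
    (0, "HO-PC-07", "rename", r"C:\Shared\invoices\q2.xlsx.k7x2"),
    (3, "HO-PC-07", "rename", r"C:\Shared\invoices\q3.xlsx.k7x2"),
    (5, "HO-PC-07", "rename", r"C:\Shared\hr\payroll.docx.k7x2"),
    (9, "HO-PC-07", "rename", r"C:\Shared\hr\contracts.pdf.k7x2"),
    (12, "HO-PC-07", "rename", r"C:\Users\ops\Desktop\notes.txt.k7x2"),
    (14, "HO-PC-07", "create", r"C:\Shared\HOW_TO_RECOVER_FILES.txt"),
    (20, "HO-PC-12", "rename", r"C:\Users\acct\draft.docx"),  # routine rename
    (400, "HO-PC-12", "rename", r"C:\Users\acct\old.tmp"),    # one odd extension, below threshold
]

# Constructed flow records: (seconds_since_start, src_ip, dst_ip, bytes_out).
FLOWS = [
    (0, "10.20.1.7", "198.51.100.23", 150_000_000),
    (60, "10.20.1.7", "198.51.100.23", 150_000_000),
    (120, "10.20.1.7", "198.51.100.23", 150_000_000),
    (180, "10.20.1.7", "198.51.100.23", 150_000_000),
    (240, "10.20.1.7", "198.51.100.23", 150_000_000),
    (30, "10.20.1.9", "203.0.113.10", 900_000_000),   # sanctioned backup target, ignored
    (45, "10.20.1.9", "10.20.5.2", 700_000_000),      # internal file server, ignored
    (50, "10.20.1.11", "198.51.100.40", 20_000_000),  # external but small
]


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension(path):
    name = basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(events, window=60, threshold=5):
    """Hosts that renamed >= threshold files to the same unknown extension
    within `window` seconds. Returns {host: (extension, count)}."""
    by_host = defaultdict(list)
    for ts, host, action, path in events:
        ext = extension(path)
        if action == "rename" and ext and ext not in KNOWN_EXTENSIONS:
            by_host[host].append((ts, ext))
    hits = {}
    for host, renames in by_host.items():
        renames.sort()
        for i, (t0, ext) in enumerate(renames):
            same = sum(1 for t, e in renames[i:] if t - t0 <= window and e == ext)
            if same >= threshold:
                hits[host] = (ext, same)
                break
    return hits


def detect_ransom_notes(events):
    """Newly created files whose name carries a ransom-note marker."""
    return sorted({(host, path) for _, host, action, path in events
                   if action == "create"
                   and any(m in basename(path).upper() for m in NOTE_MARKERS)})


def detect_bulk_egress(flows, window=300, threshold_bytes=500_000_000):
    """(src, dst) pairs whose outbound bytes to a non-internal, non-sanctioned
    address reach threshold_bytes inside any `window`-second span.
    Returns {(src, dst): peak_window_bytes}."""
    by_pair = defaultdict(list)
    for ts, src, dst, n in flows:
        d = ip_address(dst)
        if d in ALLOWED_EXTERNAL or any(d in net for net in INTERNAL_NETS):
            continue
        by_pair[(src, dst)].append((ts, n))
    hits = {}
    for pair, recs in by_pair.items():
        recs.sort()
        lo = total = peak = 0
        for ts, n in recs:
            total += n
            while ts - recs[lo][0] > window:  # slide the window forward
                total -= recs[lo][1]
                lo += 1
            peak = max(peak, total)
        if peak >= threshold_bytes:
            hits[pair] = peak
    return hits


def triage(events=FILE_EVENTS, flows=FLOWS):
    return {
        "mass_rename": detect_mass_rename(events),
        "ransom_notes": detect_ransom_notes(events),
        "bulk_egress": detect_bulk_egress(flows),
    }


if __name__ == "__main__":
    for name, result in triage().items():
        print(f"{name}: {result}")
```

The rename check keys on a burst of renames to one unknown extension rather than on a specific Qilin extension, because the extension is not known from the report and varies between victims; the egress check ignores internal and sanctioned destinations so that routine backups and file-server traffic do not mask a genuine bulk transfer.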
## Response Actions
- **Containment:** Deliberate disconnection of internet access for the whole organisation.
- **Eradication:** Inspection of all corporate devices and removal of the identified malware.
- **Recovery:** Restoration of systems followed by security hardening; the specific measures are not listed in the GD.
## Lessons Learned
- **Delayed Reporting:** The seven-month gap between the incident and the official police filing suggests a need for a more streamlined legal and incident response policy.
- **Human Factor:** Phishing remains the primary entry point; the malicious links reached employee inboxes and were clicked, so mail filtering and user awareness both failed at the point of delivery.
- **Response Speed:** Severing internet access quickly likely limited further exfiltration and cut any attacker command-and-control, although by then the head-office systems had already been taken down.
## Recommendations
- **Security Awareness Training:** Implement recurring phishing simulation exercises for all employees.
- **Email Security:** Deploy advanced email filtering solutions (Link rewriting/Sandboxing) to block malicious URLs before they reach the inbox.
- **Multi-Factor Authentication (MFA):** Ensure MFA is mandatory for all official email and network access points. Note that MFA protects against credential phishing and limits lateral movement with stolen passwords; it does not stop a user from running a payload downloaded from a link, so pair it with application control on endpoints.
- **Endpoint Detection and Response (EDR):** Deploy EDR tools to detect and block lateral movement and ransomware execution in real-time.