Another eDiscovery company was hit with a ransomware attack earlier this month. Here are details on the IST Management ransomware attack.

On June 6th, IST Management Services reported the following:

“On June 4, 2022, IST detected unauthorized activity on our systems, which has been confirmed as a ransomware attack. As part of our comprehensive response plan, we immediately took our systems offline globally to contain the threat. As of now, the outage has been resolved and our networks secured. However, as a result, as we get our operations fully back up and running, delays may occur.”

That report also stated: “We have notified law enforcement and we are currently working with computer forensics experts to thoroughly investigate and remediate this issue…At this time, we do not believe any client data has been acquired based on our initial analysis. However, we are continuing to investigate and will provide further updates as we learn more.”

That evening, IST Management noted that they “will provide regular updates on our progress through our website” instead of email and has provided daily updates each weekday on the recovery status from the IST Management ransomware attack to their Facilities Management (FM) here and Lit Support customers here. Both sets of updates are essentially the same, with minimal differences between them, but you can read either or both.

Most of the updates report a continued effort toward restoring their systems and they were unable to report a target date for restoring all systems until last Friday, June 17th. That target date of tomorrow, June 24th (@ 6:00pm ET), was confirmed in yesterday’s update.

Their update from last Friday also provided more information about the group responsible for the IST Management ransomware attack. As they stated: “Some of our clients have asked and, in coordination with law enforcement, and in our continued efforts to provide transparency, we are able to disclose that the variant involved in this incident was Black Basta ransomware. Black Basta is a new ransomware group that has attacked a number of high-profile businesses in recent months. At this time, our investigation still has not found evidence of any unauthorized acquisition of client data in connection with the attack.”

Trend Micro has a report on Black Basta here, including their infection routine. They apparently emerged in April.

It seems to me that the IST Management ransomware attack was handled well by their team. They provided transparency with daily updates and kept clients (and everyone else) informed as to the status of recovery, potential exposure to client data and (eventually) the group responsible. The IST Management ransomware attack also illustrates how long it takes to get systems back online after a ransomware attack – even if your company is on top of it. Kudos to the IST Management team for their transparency on information about their attack – it benefits all of us!

So, what do you think? How would you handle notification of clients in the event of a ransomware attack? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.