The important thing here is that no infected computers are connected to the internal network, so they don't instantly get infected again after reimaging.
Everything is going well, all the computers are re-imaged and the monitoring system is back up and running. I'm about to close this case when, one by one, they start getting infected again, which should be impossible, because the PLCs cannot be infected by this malware, and the monitoring system consists of 4 computers and he re-imaged them all.
So at this point the operator mentions that he could really use some coffee. So I tell him it's ok for him to get some coffee while I try to figure out why these computers keep getting reinfected. Only then does he tell me he wasn't able to get coffee, because all the coffee machines were showing the same ransomware attack message.
So, long story short: the coffee machines are supposed to be connected to their own isolated WiFi network. However, the person installing the coffee machine connected it to the internal control room network, and then, when he didn't get internet access, remembered to also connect it to the isolated WiFi network. The operator contacted us about his monitoring system not working but forgot to mention the coffee machines were showing the same error.
The external company responsible for managing our coffee machine got an angrily worded letter for getting all those machines infected, and all their clients were without working coffee machines for a couple of days.
Coffee is too important to entrust to a network.