According to TechCrunch, the defence contractor shelled out a ransom of about $500,000 shortly after the incident in mid-January, but the company was not yet fully operational.
CPI makes components for military devices and equipment, like radar, missile seekers and electronic warfare technology for the US Department of Defense and its advanced research unit DARPA.
The company confirmed the ransomware attack took place and the coppers have been informed.
According to the source, a “domain admin” — a user with the highest level of privileges on the network — clicked on a malicious link while they were logged in, which triggered the file-encrypting malware. Because the thousands of computers on the network were on the same, unsegmented domain, the ransomware quickly spread to every CPI office, including its on-site backups, the source said.
TechCrunch described the company in “panic mode,” as only about one-quarter of its computers are back up and running as of the end of February.
Some computers containing sensitive military data have been recovered using the decryption key, which the company obtained by paying the ransom. One system is said to have files related to Aegis, a naval weapons system developed by Lockheed Martin.
Many of the remaining computers are having their operating systems installed from scratch, the source said. A portion of the defence contractor’s systems — about 150 computers — are still running Windows XP, which stopped receiving security patches in 2014.