Â鶹¹û¶³

Incident Response Timeline – Ransomware Attack & Containment

Incident Response Timeline

Ransomware Attack & Containment Detection to Escalation: 1 Minute

Explore a real-world attack on a customer in the utilities industry. The threat actor leveraged a malicious encoded PowerShell Script (Base64) and within a minute of detection, the Â鶹¹û¶³ Labs team triggered an investigation.
We¡¯ll show you, step by step, how Â鶹¹û¶³ helped this customer both stop this attack as well as develop a roadmap for preventing future ones.
START THE ATTACK
When minutes matter, turn to industry-leading security operations to detect, investigate and escalate incidents before they impact your business.
Ready to End Cyber Risk?
Industry Average

Average number of days to detect and remediate a ransomware attack

With Â鶹¹û¶³

Actual time from detection to remediation in this real-world Â鶹¹û¶³ ransomware response

View Timeline Navigation

Wednesday, 4 May, 2022 |5:53 PM

Detection: Â鶹¹û¶³ Agent

Â鶹¹û¶³ Attacker icon Â鶹¹û¶³ Platform icon Â鶹¹û¶³ Customer icon Â鶹¹û¶³ Triage icon Â鶹¹û¶³ CST icon

5:53 pm

Possible malicious encoded?PowerShell script (Base64) detected on an employee workstation

The suspicious obfuscated LOAD string is decoded

[LOCAL ADMIN PASSWORD] is changed by PowerShell Script

5:54 pm
1 Minute Since Attack

Wednesday, 4 May, 2022 | 5:54 pm

Investigation Triggered

Â鶹¹û¶³ Attacker icon Â鶹¹û¶³ Platform icon Â鶹¹û¶³ Customer icon Â鶹¹û¶³ Triage icon Â鶹¹û¶³ CST icon

Indicators of compromise (IoC) previously curated by?Â鶹¹û¶³ Labs triggers an?event of interest?

Â鶹¹û¶³ Platform correlates potential malicious activity with other known?IoCs

Incident escalated to Triage Team forensic dashboard with Urgent status

5 Minutes Since Attack

Wednesday, 4 May, 2022 | 5:58 PM

Investigation Escalated

Â鶹¹û¶³ Attacker icon Â鶹¹û¶³ Platform icon Â鶹¹û¶³ Customer icon Â鶹¹û¶³ Triage icon Â鶹¹û¶³ CST icon

5:58 pm

Triage team identifies a Scheduled Task?created by PowerShell

PowerShell activity consistent with Gootloader, a multi-staged JavaScript package, likely dropped via SEO poisoning

Highly probable secondary payload was to be ransomware from a threat actor group?like?REvil

6:01 pm
8 Minutes Since Attack

Wednesday, 4 May, 2022 | 6:01 PM

Endpoint Contained

Â鶹¹û¶³ Attacker icon Â鶹¹û¶³ Platform icon Â鶹¹û¶³ Customer icon Â鶹¹û¶³ Triage icon Â鶹¹û¶³ CST icon

Investigation concludes, resulting in endpoint containment via Â鶹¹û¶³ Agent based upon predefined customer instructions?

Gootloader prevented from launching secondary payload or connecting with C2 server?

12 Minutes Since Attack

Wednesday, 4 May, 2022 | 6:05 PM

Incident Ticketed

Â鶹¹û¶³ Attacker icon Â鶹¹û¶³ Platform icon Â鶹¹û¶³ Customer icon Â鶹¹û¶³ Triage icon Â鶹¹û¶³ CST icon

6:05 pm

Customer notified of incident, containment, and remediations steps

Passwords reset for compromised admin?and services accounts

Customer decides to reimage infected device

Begin Post-Incident Zone
6:06 pm
13 Minutes Since Attack

Wednesday, 4 May, 2022 | 6:06 PM

Post-Incident Security Journey

Â鶹¹û¶³ Attacker icon Â鶹¹û¶³ Platform icon Â鶹¹û¶³ Customer icon Â鶹¹û¶³ Triage icon Â鶹¹û¶³ CST icon

The Concierge Security Team works with the customer to identify areas of improvement related to this high-severity incident:

Enforce stricter controls over egress traffic

Implement ability to control browser settings

Consult on implementing PowerShell policies with more restrictive permissions such as Just Enough Administration (JEA) and execution of only signed scripts

Recommend Windows 10 AppLocker for validating PowerShell scripts

Consult on technology solutions and best practices to increase likelihood of preventing an attack outright

Recommend security awareness training to highlight the danger of visiting unknown websites

Minutes Matter

Reach out to learn how Â鶹¹û¶³¡¯s industry-leading security operations workflow can detect, investigate, and escalate incidents like ransomware attacks before they impact your business operations.
Attack Timeline:

Additional Resources
VISIT THE RESOURCE LIBRARY