Find out how we detected, contained, and stopped a ransomware attack in real time.
The Incident: a breach in the making
It was just past midday when the Solis team received a call that would quickly turn into a high-stakes cybersecurity incident. An organisation reached out, reporting a sudden surge of strange activity across their network.
The organisation's employees had been bombarded with huge numbers of unsolicited spam emails, and one employee subsequently received a suspicious Microsoft Teams call. The caller, who claimed to be from the organisation's “Helpdesk,” explained they were calling to fix an issue with the employee’s email. The preceding email bombardment made this offer seem more plausible.
The organisation was naturally concerned about the imminent possibility of a fully-fledged breach. With the risk of further compromise hanging in the balance, they urgently needed our assistance to investigate, secure their systems, and assess the potential damage. The clock was ticking.
The Response: mobilising the team
Our Cyber Incident Management team leapt into action, rapidly reviewing the latest threat intelligence. It didn’t take them long to spot a connection. The pattern of the attack closely resembled tactics employed by the Black Basta ransomware affiliate Storm-1811. This group had recently been using email bombing to establish a seemingly legitimate reason why representatives of a ‘helpdesk’ might be contacting employees, luring them into interactions that could help initiate a ransomware attack.
Based on this insight, our Incident Response team immediately started deploying Endpoint Detection and Response (EDR) tooling across the organisation's network. The priority was clear: identify any indicators of compromise and prevent further damage.
At the same time, the organisation raised concerns that the targeted employee might have had access to sensitive Personally Identifiable Information (PII). With this regulatory risk in mind, we recommended an immediate forensic investigation of the user’s endpoint, alongside the other ongoing containment actions.
The Solution: containing the threat and investigating the breach
Within hours, our team had fully deployed EDR tooling across the organisation’s network, launching initial scans to detect any lingering indications of compromise. The scans revealed no ongoing threats, offering some provisional reassurance to the organisation.
Meanwhile, as part of the containment phase, the affected employee’s endpoint was isolated, and forensic experts began a deep dive into the device to determine the extent of the breach.
It didn’t take long to uncover the specifics of the attack. The employee had accepted an external Microsoft Teams call from the supposed “Helpdesk,” in the mistaken belief they were dealing with a legitimate internal IT support function. Posing as a member of the organisation’s IT team, the caller had convinced the employee to grant remote access using the built-in Windows Quick Assist application.
Once inside, the threat actor had wasted no time. They quickly downloaded and executed scripts associated with a malware variant known to be used by Storm-1811. However, just as the malware began to deploy, the endpoint’s antivirus protection kicked in. This stopped the execution and prevented the attacker from gaining a persistent foothold within the network.
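The attack chain above, a Quick Assist session followed within minutes by script interpreters launching on the same endpoint, is the kind of pattern EDR telemetry can surface before antivirus has to step in. The following is an added detection example, not Solis tooling and not code from the incident. It assumes process-creation events in a simple pipe-delimited form (timestamp, host, user, image path, command line), that the Quick Assist host process is named QuickAssist.exe, and a constructed sample log; the window length and interpreter list are tuning choices, not values from the case.

```python
"""Correlate Quick Assist sessions with later script-interpreter launches.

Added example for the Quick Assist / Storm-1811 pattern described above.
Not Solis code. Telemetry format, process name and sample log are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed executable name of the built-in Windows Quick Assist app.
QUICK_ASSIST = "quickassist.exe"

# Interpreters and download helpers worth flagging during a remote session.
# Tuning choice for this example, not a list taken from the incident.
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "curl.exe", "certutil.exe",
}


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str


def image_name(path: str) -> str:
    """Lower-cased file name of an image path (handles \\ and / separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list[ProcEvent]:
    """Parse 'ts|host|user|image|cmdline' lines; timestamps are UTC 'Z' form."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, image, cmdline))
    return events


def correlate_quick_assist(events, window=timedelta(minutes=30)):
    """Return (interpreter_event, quick_assist_event) pairs per host.

    A Quick Assist launch opens a window on that host; any interpreter
    started inside the window is paired with it. Launches after the window
    or on hosts with no Quick Assist activity are ignored. Because Quick
    Assist drives the user's desktop, spawned tools appear as children of
    explorer.exe rather than QuickAssist.exe, so time correlation is used
    instead of process ancestry.
    """
    session_start = {}  # host -> most recent Quick Assist launch
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        name = image_name(ev.image)
        if name == QUICK_ASSIST:
            session_start[ev.host] = ev
            continue
        start = session_start.get(ev.host)
        if start and name in INTERPRETERS and ev.ts - start.ts <= window:
            hits.append((ev, start))
    return hits


# Constructed sample telemetry (hosts, users, paths and times are invented).
SAMPLE_LOG = r"""
2024-05-14T12:41:07Z|WS-0421|jane.doe|C:\Windows\explorer.exe|explorer.exe
2024-05-14T12:43:55Z|WS-0421|jane.doe|C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe|QuickAssist.exe
2024-05-14T12:49:12Z|WS-0421|jane.doe|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\jane.doe\Downloads\helpdesk_fix.bat
2024-05-14T12:49:20Z|WS-0421|jane.doe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\Users\jane.doe\Downloads\fix.ps1
2024-05-14T12:50:02Z|WS-0421|jane.doe|C:\Windows\System32\notepad.exe|notepad.exe
2024-05-14T12:52:30Z|WS-0377|sam.lee|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile
2024-05-14T14:30:00Z|WS-0421|jane.doe|C:\Windows\System32\cmd.exe|cmd.exe
"""


def run_sample():
    """Run the correlation over the constructed log and return the hits."""
    return correlate_quick_assist(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ev, start in run_sample():
        delay = int((ev.ts - start.ts).total_seconds() // 60)
        print(f"[{ev.host}] {ev.user}: {ev.cmdline!r} {delay} min after Quick Assist started")
```

On the sample, the cmd.exe and powershell.exe launches on WS-0421 at 12:49 are paired with the Quick Assist start at 12:43; notepad.exe is not an interpreter, the powershell.exe on WS-0377 has no Quick Assist session, and the cmd.exe at 14:30 falls outside the 30-minute window. In production the window should close on the Quick Assist process-terminate event rather than on a fixed timer, and the alert is a triage lead, not proof of compromise: legitimate helpdesk sessions will also trigger it.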
Further forensic analysis showed that, during the time the attacker had access to the endpoint, no PII had been compromised. This important finding helped allay the organisation’s regulatory concerns.

The Final Outcome: a swift recovery
As the investigation rapidly progressed, our team continued to monitor the situation in real time using our EDR tooling, to ensure that no further threats emerged. Once our forensic investigation was complete, we delivered a comprehensive report to the organisation, outlining the full scope of the incident and our findings.
The good news was that the breach had been contained to a single user endpoint. Thanks to our rapid response, proactive containment and expert forensic analysis, the organisation could soon be confident that no further systems had been compromised. The network was secure, and the organisation was able to resume normal operations with no lasting harm done.