Find out how early detection can save you from a ransomware attack.
At Solis MDR we always hope for the best, but prepare for the worst. So, when we needed to act fast to stop a customer falling victim to a potentially devastating ransomware incident, we were ready.
The investigation began when our endpoint detection and response tool SentinelOne quarantined several files on the customer’s domain controller. The files related to Mimikatz, a tool used by threat actors to obtain privileged credentials, which then enable them to deploy ransomware widely across a target network.
The threat actor then attempted to upload further tools to the customer’s system. These included PCHunter, PEView and ProcessHacker, all of which were quarantined by SentinelOne.
Seeing the customer’s security software thwarting their malicious attempts, the attacker tried to uninstall it. Because that action requires administrator approval, it was blocked.
The Solis MDR team was able to trace the threat actor’s login to a VPN device within the customer’s environment on which two-factor authentication hadn’t been enabled. So a compromised or guessed password would have been all the threat actor needed to log in without challenge.
Once inside the customer’s network, the threat actor used the remote desktop protocol (RDP) to connect to the domain controller and deliver the malicious tools.
The instant the Solis MDR team detected this activity, we connected to the affected device and disabled the compromised account. This prevented any further access by the attacker.
We also monitored for any other abnormal behaviour such as remote access, suspicious process execution or attempts to establish persistence within the customer’s network.
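The chain described above (an RDP logon to the domain controller from the VPN address pool, followed by the drop of known credential-theft and process-manipulation tools and a persistence attempt) is the kind of pattern a monitoring team correlates per account. The following is an added illustration, not Solis MDR or SentinelOne code: it runs simple detection rules over a handful of constructed, simplified event records and recommends disabling the account when the stages line up within a time window. The VPN pool, the domain controller name, the record schema and the timestamps are assumptions made for the example; only the Windows event IDs and the RDP logon type are real values.

```python
"""Toy correlation of Windows-style security events for the attack chain above.

Event records are constructed and simplified (not the SentinelOne or Windows
log format); the event IDs and logon type are real Windows values.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this example: the VPN concentrator hands out addresses from
# this pool, and these hosts are the domain controllers.
VPN_POOL = ip_network("10.250.0.0/24")
DOMAIN_CONTROLLERS = {"DC01"}

# Tools named in the incident, matched against the process image file name.
SUSPICIOUS_TOOLS = {"mimikatz.exe", "pchunter64.exe", "peview.exe", "processhacker.exe"}

# Real Windows event IDs used here:
#   4624 logon (LogonType 10 = RemoteInteractive, i.e. RDP)
#   4688 process creation
#   4698 scheduled task created, 7045 service installed (persistence)
PERSISTENCE_EVENTS = {4698, 7045}


def classify(event):
    """Return a tag for one event, or None if the event is not interesting."""
    eid = event["event_id"]
    if eid == 4624 and event.get("logon_type") == 10:
        src = ip_address(event["source_ip"])
        if src in VPN_POOL and event["host"] in DOMAIN_CONTROLLERS:
            return "rdp_to_dc_from_vpn"
    elif eid == 4688:
        image = event["image"].rsplit("\\", 1)[-1].lower()
        if image in SUSPICIOUS_TOOLS:
            return "suspicious_tool"
    elif eid in PERSISTENCE_EVENTS:
        return "persistence_attempt"
    return None


def correlate(events, window_seconds=3600):
    """Group tagged events per account. An account that reaches a DC over RDP
    from the VPN and then drops a known tool or sets up persistence within the
    window is flagged for containment (disable the account); anything else
    that triggered a rule is left for analyst review."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev)
        if tag:
            by_account[ev["account"]].append((ev["ts"], tag))

    findings = {}
    for account, tagged in by_account.items():
        rdp_times = [t for t, tag in tagged if tag == "rdp_to_dc_from_vpn"]
        followups = [t for t, tag in tagged if tag != "rdp_to_dc_from_vpn"]
        escalate = any(0 <= t - r <= window_seconds for r in rdp_times for t in followups)
        findings[account] = {
            "tags": sorted({tag for _, tag in tagged}),
            "action": "disable_account" if escalate else "review",
        }
    return findings


# Constructed sample events; timestamps are epoch seconds chosen for illustration.
SAMPLE_EVENTS = [
    {"ts": 1000, "event_id": 4624, "logon_type": 10, "account": "jsmith",
     "source_ip": "10.250.0.17", "host": "DC01"},
    {"ts": 1300, "event_id": 4688, "account": "jsmith", "host": "DC01",
     "image": r"C:\Users\jsmith\Downloads\mimikatz.exe"},
    {"ts": 1500, "event_id": 4688, "account": "jsmith", "host": "DC01",
     "image": r"C:\Users\jsmith\Downloads\ProcessHacker.exe"},
    {"ts": 1600, "event_id": 7045, "account": "jsmith", "host": "DC01"},
    # Benign administrator: RDP to the DC from the office LAN, not the VPN pool.
    {"ts": 2000, "event_id": 4624, "logon_type": 10, "account": "admin.ops",
     "source_ip": "10.10.5.4", "host": "DC01"},
    {"ts": 2100, "event_id": 4688, "account": "admin.ops", "host": "DC01",
     "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for account, finding in correlate(SAMPLE_EVENTS).items():
        print(account, finding)
```

Running the block reports only `jsmith`, with all three tags and the action `disable_account`; the office administrator's RDP session and process launch trigger no rule and so never appear. In a real deployment the VPN pool and domain controller list would come from the environment's inventory, and the containment step would be the account disablement the team performed, not a printed recommendation.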
Once we had contained the incident, in line with our critical escalation process, one of our analysts called the customer to tell them what we had found and what actions we had taken in response. The customer was then able to verify that the activity was unexpected and had nothing to do with the owner of the affected account. This confirmed that a malicious attack had taken place.
Following a thorough investigation, the Solis MDR team concluded that no further malicious activity had taken place, and that no other suspicious tools were present within the customer’s network. Taking nothing for granted, we maintained elevated monitoring across the client’s environment until we were sure the threat had passed.
With the domain controller now returned to a clean state, we provided the customer with further recommendations. These included changing the credentials of the compromised account and enforcing multi-factor authentication on its VPN.
This thwarted attack underlines the value of having not just market-leading security software, but also a team of cyber security professionals monitoring activity 24/7.
By stepping in promptly as soon as suspicious activity was detected, the Solis MDR team was able to neutralise the threat before it developed into a more severe and widespread incident.