3B Data Security
Situation: The client identified a ransomware attack affecting two of their business locations in the Middle East. During the attack, data on numerous
systems was encrypted, including critical servers holding personal information about staff and clients, along with a number of individual workstations. The attacker(s) responsible for the compromise
claimed to have exfiltrated data from the network environment and threatened to publish it on the internet if their demands were not met.
Task: 3B Data Security were engaged to carry out an Incident Response forensic investigation of the entity's network environment to confirm whether sensitive business
information had been compromised in the course of the ransomware attack.
3B Data Security were instructed to focus on identifying the root cause of the compromise, to ascertain how the threat actor(s) gained unauthorised access to
the systems, and to confirm whether data had been exfiltrated from the network environment prior to the encryption of the in-situ copies.
Due to the locations of the impacted environments and restrictions on international travel, 3B Data Security worked with the entity’s onsite IT staff to carry out the investigation
remotely. Instructions for the acquisition and preservation of forensic evidence to support the Incident Response investigation were provided to the onsite staff. Evidential data provided to 3B Data Security
included logs from the perimeter firewalls of the network environments, and forensic images of workstations and servers that had been impacted by the ransomware attack.
The acquired data was analysed within 3B Data Security's forensic lab environment to identify artefacts pertaining to the compromise, including evidence of unauthorised remote access,
lateral movement through the network, and suspicious user activity such as the execution of known hacking tools and malware, or the exfiltration of data through common channels.
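The two questions the investigation had to answer, whether administrator credentials were used to move between systems and whether data left the network before encryption, can be triaged directly from the evidence types named above: perimeter firewall logs and Windows Security logon events recovered from the forensic images. The following is an added example written for this page, not code from the 3B Data Security engagement. It assumes the firewall export has been normalised to whitespace-separated fields (time, action, source, destination, port, bytes out), that event 4624 records have been exported as (time, event ID, logon type, account, target host, source address), that the entity's internal address space is RFC 1918, and that the list of privileged accounts is known. All log lines, hosts, accounts and byte counts are constructed for the example.

```python
"""Added triage example (not from the engagement): ranks candidate exfiltration
flows and maps remote logons by privileged accounts from constructed records."""
import ipaddress
from collections import defaultdict

# Constructed firewall export: time action src dst dport bytes_out (all values invented).
FIREWALL_LOG = """\
2021-03-01T22:14:03Z allow 10.10.20.15 198.51.100.23 443 18734210
2021-03-01T22:31:44Z allow 10.10.20.15 198.51.100.23 443 2265012338
2021-03-01T23:02:10Z allow 10.10.20.31 192.0.2.10 443 41020
2021-03-02T01:15:00Z allow 10.10.20.15 198.51.100.23 22 5123009871
2021-03-02T09:40:12Z allow 10.10.20.40 10.10.30.5 445 9000000
"""

# Constructed Windows Security 4624 records: time event_id logon_type account target source.
LOGON_LOG = """\
2021-03-01T21:50:10Z 4624 10 CORP\\svc_backup 10.10.20.15 203.0.113.77
2021-03-01T21:55:02Z 4624 3 CORP\\svc_backup 10.10.20.31 10.10.20.15
2021-03-01T21:57:40Z 4624 3 CORP\\svc_backup 10.10.20.40 10.10.20.15
2021-03-01T22:03:12Z 4624 10 CORP\\it_admin 10.10.30.5 10.10.20.15
2021-03-01T08:00:00Z 4624 2 CORP\\jsmith 10.10.20.31 -
"""

# Assumed: the entity uses RFC 1918 space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_ACCOUNTS = {"CORP\\svc_backup", "CORP\\it_admin"}   # hypothetical privileged accounts
REMOTE_LOGON_TYPES = {"3", "10"}   # 3 = network (SMB/WMI/PsExec-style), 10 = RemoteInteractive (RDP)
GIB = 1024 ** 3


def is_internal(ip):
    """True if the address falls inside the entity's own address space."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:        # '-' or a hostname: not an internal IP
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_firewall(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, dst, dport, nbytes = line.split()
        rows.append({"time": ts, "action": action, "src": src, "dst": dst,
                     "dport": int(dport), "bytes_out": int(nbytes)})
    return rows


def exfil_candidates(rows, threshold=GIB):
    """Sum allowed outbound bytes per (internal src, external dst); keep pairs at or
    above the threshold. Volume is a shortlist, not proof: correlate with the
    encryption timeline and with known-good destinations (backup, SaaS) before concluding."""
    totals = defaultdict(int)
    for r in rows:
        if r["action"] == "allow" and is_internal(r["src"]) and not is_internal(r["dst"]):
            totals[(r["src"], r["dst"])] += r["bytes_out"]
    return {pair: total for pair, total in totals.items() if total >= threshold}


def parse_logons(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, target, source = line.split()
        rows.append({"time": ts, "event_id": event_id, "logon_type": logon_type,
                     "account": account, "target": target, "source": source})
    return rows


def admin_remote_logons(rows, admin_accounts=ADMIN_ACCOUNTS):
    """For each privileged account: hosts it reached via network/RDP logons, the
    addresses those logons came from, and which of those addresses are external."""
    report = {}
    for r in rows:
        if r["event_id"] != "4624" or r["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        if r["account"] not in admin_accounts:
            continue
        entry = report.setdefault(r["account"], {"targets": set(), "sources": set()})
        entry["targets"].add(r["target"])
        entry["sources"].add(r["source"])
    return {acct: {"targets": sorted(e["targets"]),
                   "sources": sorted(e["sources"]),
                   "external_sources": sorted(s for s in e["sources"] if not is_internal(s))}
            for acct, e in report.items()}


if __name__ == "__main__":
    for (src, dst), total in exfil_candidates(parse_firewall(FIREWALL_LOG)).items():
        print(f"exfil candidate: {src} -> {dst}: {total / GIB:.2f} GiB")
    for acct, info in admin_remote_logons(parse_logons(LOGON_LOG)).items():
        print(f"{acct}: remote logons to {info['targets']} from {info['sources']} "
              f"(external: {info['external_sources']})")
```

On the constructed data the script flags a single workstation that pushed several gigabytes to one external address over 443 and then 22 in the hours before the encryption timestamps, and shows the same workstation as the pivot for a privileged account that first logged on via RDP from an external address and then fanned out to two more hosts over network logons. In a real case the byte totals need to be set against what is normal for that host, and the external source addresses checked against the entity's own VPN or remote-access egress before either is reported as attacker activity.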
To assist with the entity's containment of the compromise and recovery, 3B Data Security deployed their threat hunting and monitoring toolset into the entity's restored network environment in order to
monitor for and respond to any indicators of further attacks against the network. 3B Data Security also provided the entity with recommendations to further improve the security of the network environment and to
help mitigate future compromises.
The investigation determined that the credentials of two domain accounts with administrator-level privileges had been compromised by the attacker(s). Using these
accounts, the attacker(s) gained access to several systems within the entity's network environment. This access allowed the attacker(s) to deploy malware identified as the Target_Company (Tohnichi)
ransomware on those systems, resulting in the encryption of files.
3B Data Security assisted the entity with recovering from the compromise, allowing them to return to Business as Usual (BAU) as soon as possible.