{"id":1525,"date":"2020-11-19T19:55:00","date_gmt":"2020-11-19T17:55:00","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=1525"},"modified":"2026-06-08T22:09:08","modified_gmt":"2026-06-08T22:09:08","slug":"ransomware-attack-incident-response-story","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/ransomware-attack-incident-response-story\/","title":{"rendered":"Under Ransomware attack \u2014 the story of an incident response"},"content":{"rendered":"\n<div class=\"wp-block-media-text alignwide is-stacked-on-mobile\" style=\"grid-template-columns:24% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/11\/hbc-684x1024.png\" alt=\"\" class=\"wp-image-1611 size-full\" loading=\"lazy\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p class=\"wp-block-paragraph\"><strong>Fortgale Incident Response<\/strong> (FIR) is the service delivered by Fortgale to support organisations experiencing a <strong>cyber-attack<\/strong>. But what does this mean and why do we consider it so valuable? <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To answer this, we first identify the primary objectives for closing and managing a security incident:  <\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>restoration<\/strong> of operational functionality<\/li>\n\n\n\n<li><strong>eradication<\/strong> of the threat from systems and infrastructure<\/li>\n\n\n\n<li><strong>investigation<\/strong>: What happened? How? 
For how long?<\/li>\n\n\n\n<li><strong>implementation<\/strong> of security solutions to prevent similar cases<\/li>\n<\/ul>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\">The activities of the <strong>FIR<\/strong> service enable us to address and respond to these aspects, related not only to <strong>Ransomware<\/strong> cases, but also to <strong>website compromises<\/strong> and, more generally, cases of <strong>unauthorised access<\/strong> to systems\/accounts (email, servers, etc.). <\/p>\n<\/div><\/div>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\" \/>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\">In this article we share the account of a <strong>real Incident Response activity<\/strong> relating to a <strong>Ransomware<\/strong> attack on an infrastructure of approximately <strong>2 000 systems<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Activity Results<\/strong><\/h2>\n\n\n\n<p class=\"has-text-align-justify has-tablet-text-align-justify has-mobile-text-align-justify wp-block-paragraph\">The security incident, in this specific case, manifests with a series of service disruptions encountered by some users attempting to access corporate applications. Initial checks by technical departments reveal that the disruptions are caused by a Ransomware attack that has encrypted server disks, blocking their functionality. <strong>Both Windows and Linux servers have been impacted.<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-justify has-tablet-text-align-justify has-mobile-text-align-justify wp-block-paragraph\">The results of our activities have allowed us to trace the cyber-attack to an activity known as &#8220;<strong>Big Game Hunting<\/strong>&#8221; (BGH), that is, a <strong>targeted cyber-attack<\/strong> of the <strong>Ransomware<\/strong> type. 
This type of attack, increasingly common in the international landscape, begins with the initial compromise of workstations belonging to some company employees through <strong>phishing<\/strong> activities, then evolves into a cyber-attack involving workstations, users and servers. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Lifecycle<\/h2>\n\n\n\n<p class=\"has-text-align-justify has-tablet-text-align-justify has-mobile-text-align-justify wp-block-paragraph\">The entire <strong>attack lifecycle<\/strong> has been established to be approximately <strong>6 months<\/strong>. From the initial compromise of workstations to the actual launch of the Ransomware attack, the criminals had access to critical company systems.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\">The <strong>Ransomware attack escalation<\/strong>, by contrast, is concentrated in a shorter timeframe, approximately 14 days, during which the attacker tampers with the entire Backup system flow before launching the encryption of all server disks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Attribution<\/h2>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\">The first attack vector used in this type of intrusion is email containing malware (<strong>trojan<\/strong>) for the initial compromise of workstations, replaced, in the second phase, by tools that offer more flexibility for offensive operations (<strong>Cobalt Strike<\/strong> <strong>&#8211; Powershell &#8211; Wmic &#8211; Mimikatz<\/strong>). 
<br>We established a direct connection with the use of the <strong>Gootkit trojan<\/strong> during the initial phases; the indicators of compromise relating to the final phase of the attack also appear to be associated with the offensive infrastructure used in past campaigns by the Gootkit malware.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\">Gootkit is a malware particularly active in the Italian context; one of the criminal groups with which this operator collaborates is known by the name <strong>Mummy Spider<\/strong>, a criminal group known for <strong>BGH<\/strong> activities.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/11\/MummySpider.png\" alt=\"\" class=\"wp-image-1528\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Tools Used<\/strong><\/h2>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\">Some of the tools used by the criminal group for the compromise of the company&#8217;s systems:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cobalt Strike<\/strong>\n<ul class=\"wp-block-list\">\n<li>Used for the compromise of Server systems. Cobalt Strike is a penetration testing tool, improperly used for the execution of targeted attacks; the tool also allows the launch of post-exploitation activities. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Mimikatz \/ DCSync<\/strong>\n<ul class=\"wp-block-list\">\n<li>Used to perform credential dumps of the entire Active Directory environment<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Powershell \/ WMIC<\/strong>\n<ul class=\"wp-block-list\">\n<li>Used for compromise and interaction <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Gootkit Malware<\/strong>\n<ul class=\"wp-block-list\">\n<li>Used for the compromise of company workstations. 
Trojan-type malware used for the compromise of systems and passwords of affected users. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Netscan<\/strong>\n<ul class=\"wp-block-list\">\n<li>The attacker used the executable file &#8220;netscan.exe&#8221; to perform various Network Scanning activities. Specifically, the executable was placed within the path &#8220;C:\\Users\\Public\\&#8230;&#8221; <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>TOR<\/strong>\n<ul class=\"wp-block-list\">\n<li>The criminal group used &#8220;The Onion Routing&#8221; (TOR) software to camouflage its illicit activity by routing traffic through secure and anonymous networks. <br><mark><strong>The TOR service was disguised as a &#8220;Google Update&#8221; service<\/strong><\/mark><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image is-style-zoooom\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/11\/tor.png\" alt=\"\" class=\"wp-image-1529\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\"><em>Installed Tor-relay service<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Detection and Response Capabilities<\/strong><\/h3>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\">The attack chain observed in this incident demonstrates the value of continuous monitoring and threat detection. Our <a href=\"https:\/\/fortgale.com\/en\/managed-detection-and-response\/\">Managed Detection and Response<\/a> capabilities integrate specialised activities of <strong>Cyber Threat Intelligence<\/strong> and <strong>Threat Hunting<\/strong> to identify and respond to such multi-stage intrusions before they reach the encryption phase. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Where to find us<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reach our social channels <a aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener\" href=\"https:\/\/twitter.com\/Fortgale_Cyber\" target=\"_blank\" class=\"ek-link\">Twitter<\/a>,&nbsp;<a aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener\" href=\"https:\/\/www.linkedin.com\/company\/fortgale\/\" target=\"_blank\" class=\"ek-link\">LinkedIn<\/a>, and <a aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener\" href=\"https:\/\/www.youtube.com\/channel\/UChhR-BiAwUzaBSQmppnsZXw\" target=\"_blank\" class=\"ek-link\">YouTube<\/a><\/li>\n\n\n\n<li>Visit our website <a href=\"https:\/\/arcticwolf.com\/\" class=\"ek-link\">fortgale.com<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Field account of a ransomware incident response engagement: initial scoping, eradication, recovery decisions and lessons learned about preparation 
gaps.<\/p>\n","protected":false},"author":1,"featured_media":1623,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[53,71,72,107,3138,3137,435,175,177,228,283,3136,313,314,360],"class_list":["post-1525","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-bgh","tag-cobalt","tag-cobaltstrike","tag-dcsync","tag-eradication","tag-forensics","tag-fortgale-report","tag-hunting","tag-incident-response","tag-mimikatz","tag-ransomware","tag-ransomware-recovery","tag-sfile2","tag-sfile3","tag-tor"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1525","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=1525"}],"version-history":[{"count":3,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1525\/revisions"}],"predecessor-version":[{"id":9848,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1525\/revisions\/9848"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=1525"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=1525"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=1525"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}