European organisations are among the most targeted in the world. Fortgale identifies the attacker in the early stages — initial access, escalation, reconnaissance, lateral movement — before they touch data or backups. ~11 minutes median containment.
By the time an attacker reaches the backup, encryption is already imminent. The Fortgale SOC intercepts them 21 days earlier, in the early access stages — when they are still noisy, visible and containable.
The SOC acts in the first four stages of the kill chain — initial access, escalation, reconnaissance, lateral movement — during the 21-day average dwell time. MITRE ATT&CK behavioural detection, before the attacker touches data or backups.
Monitoring of C2 infrastructure for LockBit, RansomHub, Play, Akira, Black Basta, Cl0p, Medusa, Qilin, BlackCat. When a group prepares a campaign, Fortgale knows first.
SIEM/EDR generate thousands of alerts/day; without specialised analysts they are noise. Fortgale knows the specific TTPs of the groups hitting European markets and recognises an initial access before it becomes compromise.
Ransomware is not an explosion: it is a 21-day operation. The Fortgale SOC operates in the first four stages, where the attacker is still visible and containable. Exfiltration and encryption do not arrive if interception occurred upstream.
Phishing, exposed VPN/RDP, stolen credentials, known vulnerabilities. Fortgale detects: anomalous logins, impossible geo-velocity, dark-web IoCs, traffic to known C2s.
Kerberoasting, service-account abuse, AD-CS exploitation. Fortgale detects: UEBA patterns, anomalies on Kerberos tickets, Domain Admin escalation outside baseline.
Network mapping, critical assets, file servers, backups, AD. Fortgale detects: anomalous SMB enumeration, massive LDAP queries, off-hours internal scans.
Pass-the-Hash, lateral RDP, PsExec abuse toward DC/ESXi/backup. Fortgale isolates here: host isolated in ~8 s, median containment ~11 min. The attack stops.
Double extortion: confidential data, contracts, IP, emails published on leak sites. Does not occur when Fortgale acts in stages 1-4.
Final stage: mass encryption, production halt, ransom demand. Does not occur when Fortgale acts in stages 1-4.
Every group on this list has hit European customers in the last 24 months. The TTPs are integrated into the SOC's detection rules.
Most active RaaS against European markets. Double extortion, VPN/RDP exploits, aggressive lateral movement.
RaaS since 2024. 9.8% globally. Targeting critical infrastructure, healthcare, finance, government.
Closed group, no public negotiation. Targeting manufacturing, government, transport, legal.
Double extortion, ransomware Linux + Windows + ESXi. Targeting SMEs, education, hospitality.
Conti heirs. QakBot distributor. Targeting healthcare, manufacturing, construction, finance.
Zero-day specialist: MOVEit, GoAnywhere, Accellion. Supply chain attacks on finance, healthcare, legal.
Public blog with countdown. Targeting education, public sector, manufacturing, healthcare.
Go & Rust, VMware ESXi. Targeting healthcare, critical infrastructure, manufacturing.
Phobos-based. Targeting SMEs, construction, retail, transport.
Ex-Hive members. Data-theft focus: manufacturing, finance, logistics.
Public auctions of stolen data. Targeting public sector, healthcare, education, defence.
Rust-based. Triple extortion (encryption + leak + DDoS). Healthcare, energy, manufacturing, finance.
Monitoring of groups active against European markets with IoC feeds, MITRE-mapped TTPs, early warning on new campaigns. Distributed to the SIEM via STIX/TAXII.
Behavioural detection on the first four stages of the kill chain: anomalous access, privilege escalation, internal reconnaissance, lateral movement. Mimikatz/Cobalt Strike signatures, UEBA patterns, dark-web IoCs.
Host isolation ~8 s, median containment ~11 min. Cross-tool response (EDR, firewall, IAM), direct escalation to the CISO, support for CSIRT notification within 24h NIS2.
Chain-of-custody forensics, eradication, recovery, support for national CSIRT (NIS2 24h) and DPA (GDPR 72h) notifications, board and legal communication.
The European SOC orchestrating monitoring, triage and response across every ransomware group active in Europe.
Discover SOC →EDR/XDR governed by the European SOC. Triage in <15 min. Extends ransomware detection beyond traditional antivirus.
Discover MDR →Proprietary feeds on the 12 active ransomware groups. Early warning when a campaign prepares your sector.
Discover CTI →Phishing (email attachments/links), misconfigured VPN/RDP, unpatched vulnerabilities, software supply chain. 70% abuse stolen credentials or exposed remote access. All vectors leave detectable traces.
No. Modern groups (LockBit 3.0, RansomHub) target backups before encryption. Double extortion makes restoration irrelevant if data has already been exfiltrated. Air-gapped immutable backups + early-detection system are required.
In the first four stages: initial access, privilege escalation, internal reconnaissance, lateral movement. This is where — within the 21-day average dwell time before encryption — the attacker is still visible and containable. When Fortgale acts upstream, exfiltration and encryption do not occur.
Isolate immediately (cables, WiFi off) but DO NOT power off devices (volatile-memory forensic traces are lost). Don't pay before assessment. Contact IR. Fortgale 24·7: +39 02 3659 8955. NIS2/DORA entities: national CSIRT notification within 24h.
Manufacturing leads, followed by professional services, IT, transport, construction. Geo: industrial heartlands across Italy, Germany, France and Benelux. No company is too small to be a target.
It depends. GDPR personal-data breach → DPA 72h. NIS2 → national CSIRT 24h early warning. The two can coexist. Fortgale supports the entire post-incident process including authority notifications.
For an average of 21 days the attacker maps the network, escalates privileges, moves laterally — before encrypting. That is the window in which Fortgale acts. A free assessment can reveal whether someone is already in your early compromise stages.
No nurturing sequences, no auto-replies. One of our analysts calls you back within one business day.
The full Report (executive summary · operational IoCs · technical runbook) is restricted. Share two details and one of our analysts contacts you with access and a short technical briefing.
Response in 30 minutes, containment in 1–4 hours. Even if you are not a Fortgale customer.
