Case study

Ransomware Attack on a Financial Institution

Background

A mid-sized financial institution with over 500 employees experienced a sophisticated ransomware attack. The organization had a well-established Security Operations Center (SOC) that monitored and responded to cyber threats in real time.

Incident Summary

One morning, employees reported being locked out of their systems, with a ransom note demanding 50 Bitcoin (BTC) to regain access. The SOC team identified that a strain of ransomware, LockBit, had encrypted critical financial data. The attack had bypassed traditional endpoint detection, suggesting an advanced persistent threat (APT).

Incident Timeline

Date & Time   Event
Day -30       Initial reconnaissance by the attacker begins. Attackers scan open ports and gather employee credentials from the dark web.
Day -10       Phishing emails with a malicious Excel attachment are sent to employees.
Day -7        An employee unknowingly opens the attachment, which executes a PowerShell script downloading a trojan (QakBot).
Day -2        Attackers gain administrator access, disable security tools, and move laterally.
Day 0         Ransomware is executed, encrypting critical data and leaving a ransom note.
Day +1        The SOC team detects the attack and initiates an incident response plan.

SOC Detection & Analysis

Phase 1: Threat Detection

  • Alert 1: Unusual PowerShell Execution
    • The SIEM system flagged unusual PowerShell commands executed on an employee workstation, indicating potential malicious activity. The EDR logs revealed an external communication with a Command-and-Control (C2) server.
  • Alert 2: Lateral Movement Detected
    • Windows Event Logs showed suspicious login attempts from non-admin accounts to domain controllers. The SOC identified Pass-the-Hash attacks, correlating with tactics from the MITRE ATT&CK framework.
  • Alert 3: Mass File Encryption Detected
    • The SIEM system detected a rapid increase in file modifications across multiple systems. Endpoint logs showed file extension changes to .lockbit, indicating ransomware encryption.
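As an added illustration of the Phase 1 alerts (this is not code from the case study or from the institution's SOC), the following Python sketch runs two SIEM-style correlation rules over constructed endpoint events: a suspicious PowerShell launch followed within a minute by an outbound connection from the same process (Alert 1), and a burst of renames to the .lockbit extension on one host (Alert 3). Host names, the IP address and file names are constructed placeholders.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample endpoint telemetry: (timestamp, host, event_type, detail).
# Hosts, IPs and file names are placeholders, not data from the case study.
SAMPLE_EVENTS = [
    ("2024-01-01 09:00:01", "WS-17", "process", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("2024-01-01 09:00:04", "WS-17", "netconn", "powershell.exe -> 203.0.113.10:443"),
    ("2024-01-01 09:05:00", "WS-22", "process", "powershell.exe Get-ChildItem C:\\Reports"),
    ("2024-01-01 09:30:00", "FS-01", "file_rename", "ledger.xlsx -> ledger.xlsx.lockbit"),
    ("2024-01-01 09:30:01", "FS-01", "file_rename", "payroll.csv -> payroll.csv.lockbit"),
    ("2024-01-01 09:30:02", "FS-01", "file_rename", "loans.db -> loans.db.lockbit"),
    ("2024-01-01 09:30:03", "FS-01", "file_rename", "kyc.pdf -> kyc.pdf.lockbit"),
    ("2024-01-01 09:30:04", "FS-01", "file_rename", "audit.docx -> audit.docx.lockbit"),
    ("2024-01-01 10:00:00", "WS-22", "file_rename", "draft.txt -> final.txt"),
]

# Command-line fragments that commonly mark obfuscated or download-style PowerShell use.
SUSPICIOUS_PS = ("-enc", "-encodedcommand", "hidden", "downloadstring")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def analyze(events, window_s=60, rename_threshold=5):
    """Return (host, alert_name) tuples, at most one per rule per host."""
    alerts, fired = [], set()
    ps_seen = {}                   # host -> time of last suspicious PowerShell launch
    renames = defaultdict(deque)   # host -> timestamps of .lockbit renames in the window
    for ts_s, host, etype, detail in sorted(events, key=lambda e: e[0]):
        ts, low = parse_ts(ts_s), detail.lower()
        if etype == "process" and "powershell" in low and any(k in low for k in SUSPICIOUS_PS):
            ps_seen[host] = ts
        elif etype == "netconn" and low.startswith("powershell.exe"):
            # Rule 1: suspicious launch followed by an outbound connection from PowerShell.
            if host in ps_seen and ts - ps_seen[host] <= timedelta(seconds=window_s):
                key = (host, "Unusual PowerShell execution with external connection")
                if key not in fired:
                    fired.add(key); alerts.append(key)
        elif etype == "file_rename" and low.endswith(".lockbit"):
            # Rule 2: sliding-window count of ransomware-style extension changes per host.
            q = renames[host]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=window_s):
                q.popleft()
            if len(q) >= rename_threshold:
                key = (host, "Mass file encryption (.lockbit renames)")
                if key not in fired:
                    fired.add(key); alerts.append(key)
    return alerts

if __name__ == "__main__":
    for host, name in analyze(SAMPLE_EVENTS):
        print(f"ALERT {host}: {name}")
```

The benign WS-22 events (an ordinary PowerShell listing and a single rename) produce no alert, which is the point of correlating the launch with the connection and of requiring a burst rather than a single rename.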

Phase 2: Incident Response & Containment

  • Step 1: Isolating Affected Systems
    • The SOC used EDR tools (CrowdStrike, SentinelOne) to quarantine compromised endpoints. Active Directory was used to disable affected user accounts immediately.
  • Step 2: Network Segmentation & Blocking C2 Communications
    • The SOC updated firewall rules to block outgoing traffic to malicious IP addresses. Threat intelligence feeds confirmed the attacker’s C2 server had been used in prior LockBit campaigns.
  • Step 3: Digital Forensics Investigation
    • Memory forensics with Volatility confirmed the use of Mimikatz, which indicated credential dumping. Ghidra was used to reverse-engineer the malware, revealing exploitation of CVE-2023-23397 (Outlook Privilege Escalation).

Phase 3: Recovery & Post-Incident Analysis

  • Step 1: Restoring Systems
    • The institution restored its systems from air-gapped backups, ensuring that the backup data was not compromised and avoiding reinfection by the ransomware.
  • Step 2: Implementing Security Enhancements
    • The company enforced Multi-Factor Authentication (MFA) for all remote access points.
    • Zero Trust Architecture (ZTA) was introduced to monitor and control lateral movement within the network.
    • Behavioral analytics were added to the SIEM to identify abnormal activities in real time.
  • Step 3: Employee Cyber Security Training
    • Employees who were affected by the attack were required to undergo phishing awareness training.
    • Simulated phishing exercises were conducted across the organization to test employee awareness and resilience against future attacks.

Outcome & Lessons Learned

The institution’s rapid and well-coordinated response enabled it to:

  • Contain the threat within 24 hours.
  • Restore critical systems with no ransom paid.
  • Avoid any regulatory breaches or public disclosure.

Key Takeaways:

  1. Early detection of lateral movement is critical to containing APT-style attacks.
  2. Regular patching could have prevented the exploitation of a known vulnerability.
  3. Air-gapped backups ensured business continuity and avoided ransom payments.
  4. SOC rules were enhanced to monitor for abnormal encryption behaviour.
  5. Security awareness training remains essential in preventing phishing attacks.

Challenge:

A financial institution fell victim to a LockBit ransomware attack that bypassed traditional security controls and encrypted critical systems, demanding 50 BTC in ransom.

Solution:

CyberSapiens assisted in rapid incident response—quarantining infected systems, blocking malicious communications, and conducting deep forensics to trace the attack vector and vulnerabilities.

Outcome:
  • Threat contained within 24 hours
  • 100% recovery via secure air-gapped backups with no ransom paid
  • Zero Trust and MFA implemented post-incident