Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware
Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 19)
FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
See all Unit 42 Threat Research

Infrastructure Manufacturer Reclaims Control After Dual Ransomware Attacks

With potential financial, operational, and reputational consequences looming large, the client looked to Unit 42® to help protect operations and sensitive data.

Results
Challenge
Outcomes
Get in Touch
Results
73%reduction

In ransom payment due to expert negotiation

<5days

To identify patient zero, the extent of data exfiltration, and block all known ransomware IoCs

2.5+million

Files prevented from being exposed through negotiations

The Client

A U.S.-based manufacturer of infrastructure equipment and materials

The Challenge

Dual ransomware attacks from Black Basta and LockBit crippled the operations of an infrastructure equipment manufacturer. The adversaries first exfiltrated sensitive data, then detonated ransomware that encrypted critical files within 24 hours. Unit 42 stepped in to help:

  • Assess the scopes of the attacks and identify the initial access points and the extent of data exfiltration.
  • Contain the threats by blocking ransomware indicators of compromise (IoCs) and initiate 24/7 threat monitoring.
  • Eradicate the threat actors from the environment to prevent further lateral movement or damage and negotiate down the ransom demands.

Unit 42’s Rigorous Incident Response Approach for Superior Outcomes

Assess

Simultaneously assessed the scope of the ransomware attacks, utilizing existing firewall and VPN logs.

Investigate

Identified initial access point as a compromised contractor VPN account, immediately began threat actor negotiation, and discovered 3 TB+ of data was exfiltrated.

Secure

Blocked ransomware IoCs leveraging Cortex XDR® and initiated 24/7 threat monitoring. Successful negotiation led to a 73% reduction in the ransom demand.

Recover

Decrypted systems, restored data access, and helped the client regain operational capacity within 12 days.

Transform

Expanded Cortex XDR coverage from 70% to 100% of endpoints, implemented enhanced firewall rules, and provided ongoing threat monitoring through Unit 42 MDR.

"This attack was very challenging but Unit 42's knowledge, patience and guidance was invaluable."

Senior Director of Risk Management

First trigger point

Assess

Investigate

Secure

Recover

Transform

Scroll right

Resolution Timeline

Assess

Investigate

Secure

Recover

Transform

Days 0 - 4
Crisis Intervention

Assessed firewall and VPN logs for initial visibility. Used Cortex Xpanse® to map the attack surface and identify potential vulnerabilities.

Identified Black Basta ransomware and initial access point as a compromised contractor VPN account without MFA.

Blocked ransomware IoCs and initiated 24/7 threat monitoring.

Days 5 - 7
Decryption

Determined full scope of the attack, including extent of data exfiltration — 3 TB+.

Uncovered previous impact and data theft by LockBit.

Identified ~20 systems impacted by file encryption and 80 systems with attacker tool presence.

Initiated and successfully negotiated with Black Basta attackers, resulting in a 73% reduction in the ransom demand.

Days 8 - 14
Restoration

Ensured system integrity and blocked further malicious activity.

Rebuilt systems and restored data from backups, enabling the client to regain operational capacity within 12 days.

Expanded Cortex XDR deployment to cover 100% of endpoints to enhance visibility and protection.

Days 15 - 30
Fortification

Implemented enhanced firewall rules to block identified IoCs. Continued 24/7 threat monitoring with Unit 42 MDR.

Provided guidance to ensure long-term resilience against future attacks. Successfully negotiated with LockBit to prevent data exposure.

Ensured continuous security posture improvement through proactive threat hunting and ongoing monitoring.

Last trigger point

Threat-Informed Incident Response

With Unit 42 Incident Response, stay ahead of threats and out of the news. Investigate, contain and recover from incidents faster and emerge stronger than ever before, backed by the full power of the world’s leading cybersecurity company. Contact us to gain peace of mind.

SPEAK TO AN EXPERT TODAY

Backed by Industry’s Best

  • Threat Intel logo icon
    Threat Intel

    Extensive telemetry and intelligence for accelerated investigation and remediation.

  • Technology icon
    Technology

    Palo Alto Networks platform for in-depth visibility to find, contain and eliminate threats faster, with limited disruption.

  • Experience symbol
    Experience

    Trusted experts who mobilize quickly and act decisively in over 1K incidents per year.

Get the latest news, invites to events, and threat alerts