Incident Response Timeline - Ransomware Attack & Containment

Ransomware Attack & Containment Detection to Escalation: 1 Minute

Explore a real-world attack on a customer in the utilities industry. The threat actor leveraged a malicious encoded PowerShell Script (Base64) and within a minute of detection, the Arctic Wolf Labs team triggered an investigation.

We’ll show you, step by step, how Arctic Wolf helped this customer both stop this attack as well as develop a roadmap for preventing future ones.

When minutes matter, turn to industry-leading security operations to detect, investigate and escalate incidents before they impact your business.

Industry Average

With Arctic Wolf

View Timeline Navigation

Wednesday, May 4, 2022 | 5:53 PM

Detection: Arctic Wolf Agent

5:53 pm

Possible malicious encoded PowerShell script (Base64) detected on an employee workstation

The suspicious obfuscated LOAD string is decoded

[LOCAL ADMIN PASSWORD] is changed by PowerShell Script

5:54 pm

Wednesday, May 4, 2022 | 5:54 pm

Investigation Triggered

Indicators of compromise (IoC) previously curated by Arctic Wolf Labs triggers an event of interest 

Arctic Wolf Platform correlates potential malicious activity with other known IoCs

Incident escalated to Triage Team forensic dashboard with Urgent status

Wednesday, May 4, 2022 | 5:58 PM

Investigation Escalated

5:58 pm

Triage team identifies a Scheduled Task created by PowerShell

PowerShell activity consistent with Gootloader, a multi-staged JavaScript package, likely dropped via SEO poisoning

Highly probable secondary payload was to be ransomware from a threat actor group like REvil

6:01 pm

Wednesday, May 4, 2022 | 6:01 PM

Endpoint Contained

Investigation concludes, resulting in endpoint containment via Arctic Wolf Agent based upon predefined customer instructions 

Gootloader prevented from launching secondary payload or connecting with C2 server 

Wednesday, May 4, 2022 | 6:05 PM

Incident Ticketed

6:05 pm

Customer notified of incident, containment, and remediations steps

Passwords reset for compromised admin and services accounts

Customer decides to reimage infected device

Begin Post-Incident Zone

6:06 pm

Wednesday, May 4, 2022 | 6:06 PM

Post-Incident Security Journey

The Concierge Security Team works with the customer to identify areas of improvement related to this high-severity incident:

Enforce stricter controls over egress traffic

Implement ability to control browser settings

Consult on implementing PowerShell policies with more restrictive permissions such as Just Enough Administration (JEA) and execution of only signed scripts

Recommend Windows 10 AppLocker for validating PowerShell scripts

Consult on technology solutions and best practices to increase likelihood of preventing an attack outright

Recommend security awareness training to highlight the danger of visiting unknown websites

Minutes Matter

Reach out to learn how Arctic Wolf’s industry-leading security operations workflow can detect, investigate, and escalate incidents like ransomware attacks before they impact your business operations.

© 2025 Arctic Wolf Networks Inc. All Rights Reserved.
Privacy Notice	Terms of Use	Cookie Policy	Accessibility Statement	Information Security	Sustainability Statement	Cookies Settings

Platform

Concierge

Journey

Reduce Attack Frequency

Reduce Attack Severity

Transfer Risk

Get Started

Why Arctic Wolf

Expertise by Topic

Incident Response Timelines

Expertise by Industry

Resource Center

Trending Resources

The Arctic Wolf Threat Report draws upon the first-hand experience of our security experts, augmented by research from our threat intelligence team.

Our annual recap of the most noteworthy, high-profile, and damaging cybercrimes of the year.

The 2024 Gartner® Market Guide for MDR Services provides a comprehensive overview of the evolving MDR landscape.

Security Bulletins

Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities

CVE-2025-31324: Maximum-Severity File Upload Vulnerability in SAP NetWeaver Exploited in the Wild

CVE-2025-34028: PoC Released for Critical RCE Vulnerability in Commvault Command Center

Partners

Company

Careers

Press

Ransomware Attack & Containment Detection to Escalation: 1 Minute

Explore a real-world attack on a customer in the utilities industry. The threat actor leveraged a malicious encoded PowerShell Script (Base64) and within a minute of detection, the Arctic Wolf Labs team triggered an investigation.

We’ll show you, step by step, how Arctic Wolf helped this customer both stop this attack as well as develop a roadmap for preventing future ones.

View Timeline Navigation

Wednesday, May 4, 2022 | 5:53 PM

Detection: Arctic Wolf Agent

Wednesday, May 4, 2022 | 5:54 pm

Investigation Triggered

Wednesday, May 4, 2022 | 5:58 PM

Investigation Escalated

Wednesday, May 4, 2022 | 6:01 PM

Endpoint Contained

Wednesday, May 4, 2022 | 6:05 PM

Incident Ticketed

Begin Post-Incident Zone

Wednesday, May 4, 2022 | 6:06 PM

Post-Incident Security Journey

The Concierge Security Team works with the customer to identify areas of improvement related to this high-severity incident:

Enforce stricter controls over egress traffic

Implement ability to control browser settings

Consult on implementing PowerShell policies with more restrictive permissions such as Just Enough Administration (JEA) and execution of only signed scripts

Recommend Windows 10 AppLocker for validating PowerShell scripts

Consult on technology solutions and best practices to increase likelihood of preventing an attack outright

Recommend security awareness training to highlight the danger of visiting unknown websites

Minutes Matter

Attack Timeline:

Additional Resources

Arctic Wolf Networks 8939 Columbine Rd Eden Prairie, MN 55347

1.888.272.8429

© 2025 Arctic Wolf Networks Inc. All Rights Reserved.

Privacy Notice

Terms of Use

Cookie Policy

Accessibility Statement

Information Security

Sustainability Statement

Cookies Settings

The 2024 Gartner^® Market Guide for MDR Services provides a comprehensive overview of the evolving MDR landscape.

Arctic Wolf Networks
8939 Columbine Rd
Eden Prairie, MN 55347