Incident Response Timeline - Ransomware Attack & Containment

Ransomware Attack & Containment Detection to Escalation: 1 Minute

Explore a real-world attack on a customer in the utilities industry. The threat actor leveraged a malicious encoded PowerShell Script (Base64) and within a minute of detection, the Arctic Wolf Labs team triggered an investigation.

We’ll show you, step by step, how Arctic Wolf helped this customer both stop this attack as well as develop a roadmap for preventing future ones.

When minutes matter, turn to industry-leading security operations to detect, investigate and escalate incidents before they impact your business.

Industry Average

With Arctic Wolf

View Timeline Navigation

Wednesday, May 4, 2022 | 5:53 PM

Detection: Arctic Wolf Agent

5:53 pm

Possible malicious encoded PowerShell script (Base64) detected on an employee workstation

The suspicious obfuscated LOAD string is decoded

[LOCAL ADMIN PASSWORD] is changed by PowerShell Script

5:54 pm

Wednesday, May 4, 2022 | 5:54 pm

Investigation Triggered

Indicators of compromise (IoC) previously curated by Arctic Wolf Labs triggers an event of interest 

Arctic Wolf Platform correlates potential malicious activity with other known IoCs

Incident escalated to Triage Team forensic dashboard with Urgent status

Wednesday, May 4, 2022 | 5:58 PM

Investigation Escalated

5:58 pm

Triage team identifies a Scheduled Task created by PowerShell

PowerShell activity consistent with Gootloader, a multi-staged JavaScript package, likely dropped via SEO poisoning

Highly probable secondary payload was to be ransomware from a threat actor group like REvil

6:01 pm

Wednesday, May 4, 2022 | 6:01 PM

Endpoint Contained

Investigation concludes, resulting in endpoint containment via Arctic Wolf Agent based upon predefined customer instructions 

Gootloader prevented from launching secondary payload or connecting with C2 server 

Wednesday, May 4, 2022 | 6:05 PM

Incident Ticketed

6:05 pm

Customer notified of incident, containment, and remediations steps

Passwords reset for compromised admin and services accounts

Customer decides to reimage infected device

Begin Post-Incident Zone

6:06 pm

Wednesday, May 4, 2022 | 6:06 PM

Post-Incident Security Journey

The Concierge Security Team works with the customer to identify areas of improvement related to this high-severity incident:

Enforce stricter controls over egress traffic

Implement ability to control browser settings

Consult on implementing PowerShell policies with more restrictive permissions such as Just Enough Administration (JEA) and execution of only signed scripts

Recommend Windows 10 AppLocker for validating PowerShell scripts

Consult on technology solutions and best practices to increase likelihood of preventing an attack outright

Recommend security awareness training to highlight the danger of visiting unknown websites

Minutes Matter

Reach out to learn how Arctic Wolf’s industry-leading security operations workflow can detect, investigate, and escalate incidents like ransomware attacks before they impact your business operations.

© 2024 Arctic Wolf Networks Inc. All Rights Reserved.
Privacy Notice	Terms of Use	Cookie Policy	Accessibility Statement	Information Security	Sustainability Statement	Cookies Settings

SOLUTIONS

INDUSTRIES

Quickly detect, respond, and recover from advanced threats.

Detect and respond to advanced threats targeting your cloud infrastructure and applications.

Discover, assess, and harden your environment against digital risks.

Explore, harden, and simplify your cloud environment against misconfiguration vulnerabilities.

Engage and prepare employees to recognize and neutralize social engineering attacks.

Recover quickly from cyber attacks and breaches, from threat containment to business restoration.

HOW IT WORKS

Delivering security operations outcomes.

Collect, enrich, analyze.

Ecosystem integrations and technology partnerships.

Tailored security expertise and guided risk mitigation.

Security experts proactively protecting you 24×7.

Meet some of the security experts working alongside you and your team.

TRENDING RESOURCES

Understanding ransomware — from its origins to its impacts to the TTPs that allow ransomware gangs to exploit victim organizations and make off with millions in ransom payments and extortion fees.

The elite security researchers, data scientists, and security developers of Arctic Wolf Labs share forward-thinking insights along with practical guidance you can apply to protect your organization.

Learn how our Concierge Security® and Triage Security Teams help end cyber risk.

SECURITY BULLETINS

CVE-2024-29204, CVE-2024-24996: Critical Vulnerabilities in Ivanti Avalanche

CVE-2024-3400: Follow Up: Patches Released for Actively Exploited Critical Vulnerability in GlobalProtect Feature of PAN-OS

CVE-2024-26234 for Windows and CVE-2024-29053 for Defender for IOT highlighted in Microsoft’s April 2024 Patch Tuesday

COMPANY

Ransomware Attack & Containment Detection to Escalation: 1 Minute

Explore a real-world attack on a customer in the utilities industry. The threat actor leveraged a malicious encoded PowerShell Script (Base64) and within a minute of detection, the Arctic Wolf Labs team triggered an investigation.

We’ll show you, step by step, how Arctic Wolf helped this customer both stop this attack as well as develop a roadmap for preventing future ones.

View Timeline Navigation

Wednesday, May 4, 2022 | 5:53 PM

Detection: Arctic Wolf Agent

Wednesday, May 4, 2022 | 5:54 pm

Investigation Triggered

Wednesday, May 4, 2022 | 5:58 PM

Investigation Escalated

Wednesday, May 4, 2022 | 6:01 PM

Endpoint Contained

Wednesday, May 4, 2022 | 6:05 PM

Incident Ticketed

Begin Post-Incident Zone

Wednesday, May 4, 2022 | 6:06 PM

Post-Incident Security Journey

The Concierge Security Team works with the customer to identify areas of improvement related to this high-severity incident:

Enforce stricter controls over egress traffic

Implement ability to control browser settings

Consult on implementing PowerShell policies with more restrictive permissions such as Just Enough Administration (JEA) and execution of only signed scripts

Recommend Windows 10 AppLocker for validating PowerShell scripts

Consult on technology solutions and best practices to increase likelihood of preventing an attack outright

Recommend security awareness training to highlight the danger of visiting unknown websites

Minutes Matter

Attack Timeline:

Additional Resources

Arctic Wolf Networks 8939 Columbine Rd, Suite 150 Eden Prairie, MN 55347

1.888.272.8429

© 2024 Arctic Wolf Networks Inc. All Rights Reserved.

Privacy Notice

Terms of Use

Cookie Policy

Accessibility Statement

Information Security

Sustainability Statement

Cookies Settings

Arctic Wolf Networks
8939 Columbine Rd, Suite 150
Eden Prairie, MN 55347