Ransomware attack
Incident Response Timeline: 5 Minutes or Less
For the first time, we invite you to take an exclusive, real-life look at how Concierge Security experts within Arctic Wolf's industry-leading Security Operations workflow triaged, investigated, escalated and remediated a ransomware attack on a local government organization.
01
SOURCE
Active Directory 5:23am
The ransomware attack against [CUSTOMER] begins in the early morning. Within Active Directory, the Arctic Wolf Platform detects [USER] logging into multiple systems.
DID YOU KNOW?
In the four years since January 2016, more than 4,000 ransomware attacks have been carried out every day on average, according to ransomware statistics from 2020 published by the FBI.
02
SOURCE
ARCTIC WOLF SENSOR 5:26am
The Arctic Wolf Sensor continuously inspects network traffic. It reads the HTTP headers of outbound connections to [IP ADDRESS], a suspected command-and-control (C2) server. In parallel, the sensor also detects PowerShell Empire activity on [SERVER].
PowerShell Empire is a powerful post-exploitation framework. It provides capabilities including privilege escalation, lateral movement, credential theft, and more.
Unsurprisingly, Remote Desktop Protocol (RDP) connections were *the most common attack vector in Q1 2021*, with many weaknesses in how remote connections are secured. Source: Coveware.com
03
5 MINUTES SINCE INITIAL ACTIVITY:
Investigation Triggered 5:28am
The Arctic Wolf Platform correlates the C2 traffic with the PowerShell Empire activity on [SERVER]. The incident is escalated to the Triage Team Level 3 forensics dashboard with Urgent status.
Triage Team Level 3 is Arctic Wolf's most senior and experienced team of security experts. They handle the most critical and complex incidents discovered by the Arctic Wolf Platform.
Urgent is Arctic Wolf’s highest level of alert. It is reserved for critical events, such as active ransomware.
Dwell Time
The time it takes to deploy patches for critical vulnerabilities has increased by *an extra 40 days since March*. Higher CVE volumes, more critical CVEs, and the disruption of patching programs caused by a dispersed workforce have all contributed to this increase. Source: Arctic Wolf Annual Report
Ransomware Cases Rise
As dwell time dropped last year, the number of ransomware cases rose: Twenty-five percent of Mandiant investigations involved ransomware, a sharp increase from 14% in 2019.
04
ONE MINUTE LATER:
The Investigation Starts 5:29am
The Arctic Wolf Triage Team begins its investigation and finds, in the Active Directory logs, [USER] logging into many systems within a short period of time. The team also confirms that the network (C2) and PowerShell Empire alerts are true positives and begins to assess the scope of the attack.
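The three signals the timeline describes (one account logging on to many hosts in a short window, outbound HTTP to a suspected C2 address, and a PowerShell Empire indicator on the same host) are exactly the kind of detections a correlation rule combines before raising an Urgent escalation. The Python below is an added example written for this page; it is not Arctic Wolf's code and does not describe how the Arctic Wolf Platform or Sensor actually work. Everything in it is assumed for illustration: the simple `timestamp key=value` log format, the thresholds (3 distinct hosts within 5 minutes), the placeholder host names, the account "jdoe", and the TEST-NET addresses standing in for [IP ADDRESS]. The Empire URIs, User-Agent and launcher flags are the stock defaults of the framework's HTTP listener and launcher, used here as indicators that an analyst would then confirm, not as proof of Empire.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real customer data); hosts, account and IPs are placeholders.
AD_LOGON_LOG = """\
2021-03-02T05:23:02 EventID=4624 LogonType=3 User=jdoe Host=SRV-FS01
2021-03-02T05:23:19 EventID=4624 LogonType=3 User=jdoe Host=SRV-APP02
2021-03-02T05:23:41 EventID=4624 LogonType=3 User=jdoe Host=SRV-DB01
2021-03-02T05:24:05 EventID=4624 LogonType=3 User=jdoe Host=WS-CLERK07
2021-03-02T05:24:30 EventID=4624 LogonType=2 User=asmith Host=WS-CLERK07
2021-03-02T09:10:00 EventID=4624 LogonType=3 User=jdoe Host=SRV-MAIL01
"""
HTTP_LOG = """\
2021-03-02T05:26:10 SrcHost=SRV-APP02 DstIP=203.0.113.45 URI=/admin/get.php UA="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2021-03-02T05:26:15 SrcHost=WS-CLERK07 DstIP=198.51.100.9 URI=/index.html UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""
PROCESS_LOG = r"""2021-03-02T05:26:12 Host=SRV-APP02 Image=powershell.exe CmdLine="powershell -noP -sta -w 1 -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
2021-03-02T05:26:20 Host=WS-CLERK07 Image=powershell.exe CmdLine="powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"
"""

SUSPECTED_C2 = {"203.0.113.45"}  # assumed threat-intel hit, standing in for [IP ADDRESS]
# Stock Empire HTTP listener profile (default URIs, User-Agent) and stock launcher flags.
# Indicators to confirm, not proof: operators routinely change these defaults.
EMPIRE_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}
EMPIRE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
EMPIRE_LAUNCHER_RE = re.compile(r"-noP\b.*-sta\b.*-w\s+1\b.*-enc\b", re.IGNORECASE)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"


def parse_log(text):
    """Parse 'timestamp key=value key="quoted value"' lines into dicts with a 'ts' datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = {k: (q or u) for k, q, u in KV_RE.findall(rest)}
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def detect_rapid_logons(events, window=timedelta(minutes=5), min_hosts=3):
    """Accounts with successful logons (Event ID 4624) to >= min_hosts distinct
    hosts inside any sliding window. Returns {user: sorted hosts}."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("EventID") == "4624":
            by_user[e["User"]].append((e["ts"], e["Host"]))
    hits = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


def detect_c2_http(events, suspected_c2=SUSPECTED_C2):
    """Hosts whose outbound HTTP reaches a suspected C2 address or matches the
    Empire default profile. Returns {host: [reasons]}."""
    hits = defaultdict(list)
    for e in events:
        if e["DstIP"] in suspected_c2:
            hits[e["SrcHost"]].append("dst in suspected C2 list")
        if e.get("URI") in EMPIRE_URIS and e.get("UA") == EMPIRE_UA:
            hits[e["SrcHost"]].append("Empire default URI + User-Agent")
    return dict(hits)


def detect_empire_launcher(events):
    """Hosts where a process command line matches the stock Empire launcher flags."""
    return {e["Host"] for e in events if EMPIRE_LAUNCHER_RE.search(e.get("CmdLine", ""))}


def correlate(ad_log, http_log, proc_log):
    """C2 traffic and an Empire launcher on the same host -> Urgent; either alone -> High.
    Accounts seen logging on to that host during a rapid multi-host spree are attached as scope."""
    rapid = detect_rapid_logons(parse_log(ad_log))
    c2 = detect_c2_http(parse_log(http_log))
    empire = detect_empire_launcher(parse_log(proc_log))
    alerts = []
    for host in sorted(set(c2) | empire):
        evidence = c2.get(host, []) + (["Empire launcher"] if host in empire else [])
        alerts.append({
            "host": host,
            "severity": "Urgent" if host in c2 and host in empire else "High",
            "evidence": evidence,
            "related_accounts": sorted(u for u, hosts in rapid.items() if host in hosts),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(AD_LOGON_LOG, HTTP_LOG, PROCESS_LOG):
        print(alert)
```

On the constructed input, SRV-APP02 is the only host that both talks to the suspected C2 address and shows the Empire launcher, so it is the one Urgent alert, and "jdoe" is attached because that account reached four hosts in about a minute. The single-host PowerShell run on WS-CLERK07 (a signed script with an execution-policy bypass) and the clerk's own interactive logon are left alone, which is the point of correlating rather than alerting on each signal by itself. Matching the launcher's flag combination rather than the encoded blob keeps the rule useful when the payload is re-encoded, but the profile and launcher defaults are trivially changed by an operator, so the Triage Team's true-positive confirmation on the host remains necessary.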
2021 Ransomware Outlook
The healthcare and education sectors were easy targets for ransomware in 2020 because of the disruption caused by the global pandemic. Analysts predict that *the parcel and shipping sector may be hit hard in 2021*, driven by increased dependency on these services. Source: Safeatlast.co