Incident Response Timeline – Ransomware


Arctic Wolf's Platform


Arctic Wolf Triage Team


Arctic Wolf Customer


Arctic Wolf Concierge Security Team


Arctic Wolf Platform


Arctic Wolf Triage Team


Arctic Wolf Customer


Arctic Wolf Concierge Security Team

Ransomware attack

Incident Response Timeline 5 Minutes or less

For the first time, we invite you to take an exclusive and real life look at how Concierge Security experts within Arctic Wolf’s industry-leading Security Operations workflow triage investigated, escalated and remediated a ransomware attack on a local government organization.



Active Directory 5:23am

Ransomware attack against [CUSTOMER] begins in the early morning. Within Active Directory, the Arctic Wolf Platform detects [USER] logging into multiple systems.
  • 5:23am


In the four years since January 2016, more than 4,000 ransomware attacks have been carried out daily, according to ransomware statistics from 2020 published by the FBI. 




The Arctic Wolf Sensor is continuously scanning network traffic. It reads HTTP header information containing outbound communication with [IP ADDRESS], a suspected C2 server. In parallel, the sensor also detects
PowerShell Empire is an incredibly powerful post-exploitation tool. It provides capabilities including privilege escalation, lateral movement, credential theft, and more.
PowerShell Empire activity detected on [SERVER].
  • 5:26am

Coming with little surprise, remote desktop protocol connections (RDP) was *the most common attack vector in Q1 2021 with many vulnerabilities in securing remote connections. *


5 minutes since initial activity:

investigation triggered 5:28am

The Arctic Wolf Platform correlates C2 traffic with PowerShell Empire activity on [SERVER]. The incident is escalated to
Triage Team level 3 is Arctic Wolf’s most senior and experienced team of security experts. They handle the most critical and complex incidents discovered by the Arctic Wolf Platform.
Triage Team Level 3 forensics dashboard with
Urgent is Arctic Wolf’s highest level of alert. It is reserved for critical events, such as active ransomware.
Urgent status.
  • 5:28am

Dwell Time

The time it takes to deploy patches for critical vulnerabilities increased by an *extra 40 days since March. Higher CVE volumes, more critical CVEs, and a disruption of patching programs caused by the dispersed workforce have all contributed to this increase. *Arctic Wolf Annual Report

Ransomware Cases Rise

As dwell time dropped last year, the number of ransomware cases rose: Twenty-five percent of Mandiant investigations involved ransomware, a sharp increase from 14% in 2019. 



The Investigation Starts 5:29am

The Arctic Wolf Triage Team begins investigation and finds activity within Active Directory logs of [USER] logging into many systems in a short amount of time. They also confirm that the network and PowerShell Empire alerts are a true positive and begin to assess the scope of the attack.

2021 Ransomware outlook

The healthcare and education sectors were easy targets for ransomware in 2020 due to the disruptions caused by the global pandemic. Analysts are predicting that *the parcel and shipping sector may be hit hard in 2021 driven by an increase in dependency on these services. *


Following Investigation:

Incident Ticketed 5:48am

The Triage Team conclude their investigation and contact customer detailing the C2 traffic as well as logins which preceded the connections. They recommend the customer immediately:
  • Contain the device / disconnect from network
  • Change passwords for the [USER]and service accounts
  • Run Antivirus scans on endpoints

state of ransomware

Data breach costs rose from $3.86 million in 2020 to *$4.24 million in 2021, the highest average total cost in the history of the IBM Security Cost of a Data Breach Report. *


In Less than 1 hour:

Remediation 6:13am

Customer responds they have contained [SERVER] and reset the password of [USER]. The Arctic Wolf Triage Team verifies that communication with C2 has stopped on the network.
*According to statistics, the average downtime from a ransomware attack was up to 19 days. Imagine having a threat remediated in under an hour from detection! *

Next, the security journey continues

  • 6:13am

  • Arctic Wolf Platform
  • Arctic Wolf Platform
  • Arctic Wolf Sensor
  • Investigation Triggered
  • Investigation Begins
  • Incident Ticketed
  • Remediation

Security journey

with our concierge security team

Although many Managed Detection and Response services would end once the threat of ransomware was finished, the
With a complete understanding of your unique IT environment, the Arctic Wolf® Concierge Security® Team (CST) provides your team with coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.
Arctic Wolf Concierge Team is focused on using this attack to improve the security posture of the customer.

Implement principle of least privilege for remote tools

Geofence firewalls

Enable MFA

Setup GPO to block use of PowerShell

With the Arctic Wolf Agent, the Arctic Wolf Triage Team can take containment action on behalf of customers, reducing time to remediation.
Arctic Wolf Agent on all machines

Ransomware Attacks

Are Affecting Every Industry

Minutes Matter.

We’re here to help.

Reach out to learn how Arctic Wolf’s industry-leading Security Operations workflow can detect, investigate, and escalate incidents before they impact your business operations.


Ransomware in the News

View the most recent ransomware news, updates, and videos from the cybersecurity experts at Arctic Wolf.

Recent Headlines