5 Steps of an Actual Maze Ransomware Post Incident

By Marcus Hartwig | January 5, 2021

Below is a summary of an actual post incident report that shows the steps taken to identify the early indicators of a ransomware attack and prevent the encryption of network file shares.

Vectra has been authorized to publish this post-incident report on the condition that the customer remains anonymous and its private data is protected. Reports of this type are ordinarily kept confidential for internal analysis only.

  1. Inside the compromised network on Day 1—one week prior to the intended ransomware detonation—the Vectra Consulting Analyst Team detected unmistakable reconnaissance and lateral movement attack behaviors. These phases of the attack lifecycle indicated the attacker was looking for critical systems to compromise before encrypting network file shares for ransom.
  2. Vectra showed that the scans originated from a wide range of hosts, and that further scans were tied to ransomware activity as network file shares were enumerated.
  3. Uncovering additional evidence, Vectra observed that one compromised host was communicating with a known malicious IP address in Ukraine that has been associated with Sodinokibi malware.
  4. Successful external connections were made to a Ukrainian IP address, transferring about 80 MB of data.
  5. The number of detections identified by Vectra was concerning due to the sheer volume of data that was being sent to the outside.

Additional information from the customer linked the attack to Maze ransomware.

Read the full post-incident report, which shows how early detection of a cyberattack averts damage and catastrophic data breaches. It is vital to identify precursor threat behaviors with certainty and precision, investigate incidents swiftly, and have the appropriate response tools at hand.