5 Steps of an Actual Maze Ransomware Post Incident

By: Marcus Hartwig
January 5, 2021

Below is a summary of an actual post-incident report. It shows the steps taken to identify the early indicators of a ransomware attack and to prevent the encryption of network file shares.

Vectra was authorized to publish this post-incident report on the condition that the customer remains anonymous and its private data is protected. Reports of this type are ordinarily kept confidential for internal analysis only.

  1. On Day 1 inside the compromised network, one week before the intended ransomware detonation, the Vectra Consulting Analyst Team detected unmistakable reconnaissance and lateral-movement behaviors. These phases of the attack lifecycle indicated that the attacker was looking for critical systems to compromise before encrypting network file shares for ransom.
  2. Vectra showed that scans originated from a wide range of hosts, and that a subset of those scans enumerated network file shares, a behavior consistent with ransomware staging rather than ordinary administration.
  3. Uncovering additional evidence, Vectra observed that one compromised host was communicating with a known malicious IP address in Ukraine that had been associated with Sodinokibi malware.
  4. That host successfully established outbound connections to the Ukrainian IP address and transferred roughly 80 MB of data.
  5. The volume of detections raised by Vectra was concerning in itself, because it was driven by the sheer amount of data being sent outside the network.
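The two observations that carried the most weight above, many hosts enumerating SMB shares and a single host pushing a large volume of data to a known-bad external address, are the kind of precursor behaviors a SOC can detect from flow data alone. The following is an added example, not code from the report, from Vectra, or from its products: it runs two such detections over constructed NetFlow-style records. The address ranges (10.0.0.0/8 as the internal estate, the documentation range 198.51.100.0/24 standing in for the external C2 address), the thresholds and the sample flows are all assumptions chosen for illustration.

```python
"""Two precursor detections over synthetic flow records (added example, not Vectra's logic).

Detection 1: an internal host touching many distinct internal hosts on TCP/445 in a short
window (SMB share enumeration / lateral movement reconnaissance).
Detection 2: an internal host sending a large total byte volume to an address on a
threat-intelligence watchlist (possible staging or exfiltration before detonation).
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address space; define this explicitly rather than relying on
# ipaddress.is_private, which also treats documentation ranges such as 198.51.100.0/24 as private.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed watchlist. 198.51.100.77 is in TEST-NET-2 (RFC 5737) and is not a real indicator;
# it stands in for the Ukrainian IP address referenced in the report.
WATCHLIST = {"198.51.100.77": "assumed C2 address (illustrative only)"}


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds at flow start
    src: str         # source IP
    dst: str         # destination IP
    dport: int       # destination port
    bytes_out: int   # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse 'ts,src,dst,dport,bytes' lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = (field.strip() for field in line.split(","))
        flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def detect_share_enumeration(flows, min_targets: int = 20, window: int = 300) -> dict:
    """Return {src: max distinct SMB targets seen within any `window`-second span} for sources
    that reach at least `min_targets` distinct internal hosts on port 445."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == 445 and is_internal(f.src) and is_internal(f.dst):
            by_src[f.src].append((f.ts, f.dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0  # left edge of the sliding time window
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def detect_exfil_to_watchlist(flows, min_bytes: int = 50_000_000) -> dict:
    """Return {(src, dst): total bytes} for internal sources that sent at least `min_bytes`
    to a watchlisted external address, summed across all flows."""
    totals = defaultdict(int)
    for f in flows:
        if f.dst in WATCHLIST and is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.bytes_out
    return {pair: total for pair, total in totals.items() if total >= min_bytes}


# Constructed sample: 10.0.5.23 sweeps 30 internal hosts on 445 within 30 seconds and then pushes
# 8 x 10 MB to the watchlisted address; 10.0.5.40 is a benign host touching three file servers
# and uploading 5 MB to an unlisted external address.
SAMPLE_FLOWS = "\n".join(
    [f"{1000 + i},10.0.5.23,10.0.5.{i + 1},445,600" for i in range(30)]
    + [f"{2000 + i},10.0.5.40,10.0.5.{i + 1},445,600" for i in range(3)]
    + [f"{3000 + i * 60},10.0.5.23,198.51.100.77,443,10000000" for i in range(8)]
    + ["3500,10.0.5.40,203.0.113.5,443,5000000"]
)


def run_detections(text: str = SAMPLE_FLOWS) -> dict:
    flows = parse_flows(text)
    return {
        "share_enumeration": detect_share_enumeration(flows),
        "exfil_to_watchlist": detect_exfil_to_watchlist(flows),
    }


if __name__ == "__main__":
    for name, result in run_detections().items():
        print(name, result)
```

The two detections are deliberately independent: the share sweep fires on behavior (fan-out on 445 over a short window, with no indicator needed), while the exfiltration check depends on a watchlist and a byte threshold. In the incident above, both fired on the same host, which is what turned two medium-confidence signals into a high-confidence one; correlating hits by source address is the natural next step.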

Additional information from the customer linked the attack to Maze ransomware. Note that the IP reputation data pointed to Sodinokibi (REvil) infrastructure while the final attribution was Maze: a threat-intelligence association for a single IP address identifies shared or reused infrastructure, not the malware family, and should not be treated as attribution on its own.

This post-incident report shows the importance of detecting a cyberattack early enough to avert damage and a catastrophic data breach. It is vital to identify precursor threat behaviors with certainty and precision, to investigate incidents swiftly, and to have the appropriate response tools ready.

About the author

Marcus Hartwig

Marcus Hartwig is a director of product marketing at Vectra. He has been active in the areas of IAM, PKI and enterprise security for more than two decades. His past experience includes product marketing at Okta, co-founding a cybersecurity professional services company, and managing a security product company, a combination that has left him passionate about all parts of product marketing, design and delivery.
