
5 Steps of an Actual Maze Ransomware Post Incident

January 5, 2021

Below is a summary of an actual post-incident report that shows the steps taken to identify the early indicators of a ransomware attack and prevent the encryption of network file shares.

Vectra was authorized to publish this post-incident report on the condition that the customer remain anonymous and its private data be protected. Reports of this type are ordinarily kept confidential for internal analysis only.

  1. Inside the compromised network on Day 1—one week prior to the intended ransomware detonation—the Vectra Consulting Analyst Team detected unmistakable reconnaissance and lateral movement attack behaviors. These phases of the attack lifecycle indicated the attacker was looking for critical systems to compromise before encrypting network file shares for ransom.
  2. Vectra showed that the scans originated from a wide range of hosts, and that some of them were consistent with ransomware staging: network file shares were being enumerated.
  3. Uncovering additional evidence, Vectra observed that one compromised host was communicating with a known malicious IP address in Ukraine that has been associated with Sodinokibi malware.
  4. Outbound connections from that host to the Ukrainian IP address succeeded, transferring roughly 80 MB of data.
  5. The number of detections, combined with the sheer volume of data leaving the network, made the findings alarming.

Additional information from the customer linked the attack to Maze ransomware.
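As an added example that is not part of the Vectra report or its product, the script below implements the two precursor checks the steps above describe over constructed flow records: one host enumerating SMB shares across many internal peers, and cumulative outbound transfer to a watch-listed external address exceeding a byte threshold. The hosts, records, thresholds, and the watch-list entry (a TEST-NET-3 placeholder, not the IP from the report) are all assumptions made for illustration.

```python
"""Flow-record triage for two ransomware precursors: internal SMB share
enumeration and bulk transfer to a watch-listed external address.
Added example; all records, addresses and thresholds are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MB = 1024 * 1024

# Constructed flow records in a Zeek conn.log-like shape:
# (timestamp, src_ip, dst_ip, dst_port, bytes_sent_by_src).
# 10.0.1.20 plays the compromised host; 10.0.1.21 is a benign peer.
FLOWS = [
    # one host walking six internal hosts on SMB (share enumeration)
    (1609804800, "10.0.1.20", "10.0.2.1", 445, 4096),
    (1609804801, "10.0.1.20", "10.0.2.2", 445, 4096),
    (1609804802, "10.0.1.20", "10.0.2.3", 445, 4096),
    (1609804803, "10.0.1.20", "10.0.2.4", 445, 4096),
    (1609804804, "10.0.1.20", "10.0.2.5", 445, 4096),
    (1609804805, "10.0.1.20", "10.0.2.6", 445, 4096),
    # a benign host touching its two usual file servers
    (1609804810, "10.0.1.21", "10.0.2.1", 445, 65536),
    (1609804820, "10.0.1.21", "10.0.2.2", 445, 65536),
    # three outbound sessions from the compromised host to the watch-listed IP
    (1609805000, "10.0.1.20", "203.0.113.45", 443, 30 * MB),
    (1609805600, "10.0.1.20", "203.0.113.45", 443, 30 * MB),
    (1609806200, "10.0.1.20", "203.0.113.45", 443, 20 * MB),
    # ordinary HTTPS traffic from the benign host
    (1609805100, "10.0.1.21", "198.51.100.10", 443, 2 * MB),
]

INTERNAL_NETS = [ip_network("10.0.0.0/8")]
# Placeholder (TEST-NET-3) standing in for a known-bad address; not the report's IOC.
WATCHLIST = {"203.0.113.45"}
SMB_PORT = 445
ENUM_THRESHOLD = 5          # distinct internal SMB peers contacted by one source
EXFIL_THRESHOLD = 50 * MB   # cumulative bytes out to a single external peer


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smb_enumeration(flows, threshold=ENUM_THRESHOLD):
    """Return {src_ip: peer_count} for sources that opened SMB sessions to
    at least `threshold` distinct internal hosts (share enumeration / scan)."""
    peers = defaultdict(set)
    for _ts, src, dst, port, _nbytes in flows:
        if port == SMB_PORT and is_internal(src) and is_internal(dst):
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= threshold}


def external_transfers(flows, watchlist=WATCHLIST, threshold=EXFIL_THRESHOLD):
    """Sum bytes sent from each internal host to each external peer and flag
    pairs whose peer is watch-listed or whose total exceeds the threshold.
    Returns a list of (src, dst, total_bytes, reasons)."""
    totals = defaultdict(int)
    for _ts, src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)] += nbytes
    findings = []
    for (src, dst), total in sorted(totals.items()):
        reasons = []
        if dst in watchlist:
            reasons.append("watch-listed destination")
        if total >= threshold:
            reasons.append(f"{total // MB} MB sent outbound")
        if reasons:
            findings.append((src, dst, total, reasons))
    return findings


if __name__ == "__main__":
    for src, count in smb_enumeration(FLOWS).items():
        print(f"[recon] {src} opened SMB to {count} distinct internal hosts")
    for src, dst, total, reasons in external_transfers(FLOWS):
        print(f"[exfil] {src} -> {dst}: {total // MB} MB ({'; '.join(reasons)})")
```

Run as a script to print the findings. A production rule would bound the SMB fan-out count to a time window, allow-list vulnerability scanners and backup servers that legitimately touch many shares, and populate the watch-list from threat intelligence rather than a literal.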

This post-incident report shows the importance of early cyberattack detection in averting damage and catastrophic data breaches. Identifying precursor threat behaviors with certainty and precision, investigating incidents swiftly, and having the appropriate response tools in place are all vital.

Want to learn more?

Vectra® is a leading provider of “seriously intelligent” network detection and response solutions for hybrid and multicloud environments. Vectra does this across on-prem networks and cloud (IaaS, SaaS, and PaaS), leveraging purpose-built, patented machine learning and AI that covers 97% of the MITRE ATT&CK network-based techniques.

If you’d like to hear more, contact us and we’ll show you exactly how we do this and what you can do to protect your data. We can also put you in contact with one of our customers to hear directly from them about their experiences with our solution.
