Key facts
- Organisation: Hong Kong Shipping Company
- Threat: Bert ransomware — a newly emerged, multi-platform strain first observed in early 2025, targeting both Windows and Linux environments
- Initial access: VPN credentials compromised at an overseas office, enabling remote desktop access to a domain controller under an administrator account
- Impact: Encryption of the domain controller, multiple user endpoints, and a network-attached storage (NAS) device; operations halted across multiple geographic locations
- Core issue: No multi-factor authentication on the VPN, no centralised logging, and no endpoint detection solution — leaving a month-long intrusion undetected until the ransomware detonated
What this case shows
- A ransomware group does not need a zero-day exploit. Compromised VPN credentials and the absence of MFA are sufficient to enter an enterprise environment and spend weeks preparing a full-scale attack.
- The time between first access and ransomware execution — nearly a month — was used to map the network, harvest credentials, install persistent remote access tools, and disable antivirus software. Every day without detection is a day the attacker owns more of the environment.
- Dark web monitoring found credential records associated with the organisation circulating in criminal markets, suggesting exposure that predated and may have enabled the breach.
- Recovery speed depends on preparation. Organisations that have IR assurance in place, with a pre-agreed response plan and rapid deployment capability, contain attacks faster and with smaller blast radii.
Understand how Blackpanda’s IR-1 incident response assurance protects organisations before, during, and after an attack, and how Blackpanda Underwriting covers the financial impact when one occurs.
Summary
Attackers were inside the network for nearly a month before anyone knew. They used that time well — mapping systems, stealing passwords, disabling defences, and installing back doors. The ransomware was the last thing they did, not the first.
The entry point was a VPN connection at an overseas office, protected by a password but no second factor. From there, the attacker moved freely across the network, reached the domain controller, and worked their way into user machines and a network storage device before triggering the encryption.
Blackpanda was engaged the day after the attack surfaced, reconstructed the full intrusion timeline from digital evidence, identified every tool the attacker had used, and located two back doors that had survived the organisation’s initial response. A parallel dark web sweep found credential records associated with the organisation already circulating in criminal markets.
CHALLENGE
The organisation had no shortage of systems to protect. A domain controller, multiple user endpoints spanning more than one geographic location, and a network-attached storage device — all running, all connected, all central to daily operations. What it lacked was the visibility to know when those systems had been touched by someone who should not have been there.
The attacker’s entry point was a VPN connection at an overseas office. VPN — short for virtual private network — is a standard mechanism for connecting remote offices and travelling employees to a central corporate network. With strong authentication and a patched gateway it is a reasonable control; without multi-factor authentication, it is only as strong as the password protecting it. The organisation’s VPN had no second layer of verification, and the credentials for an administrator account — one of the most powerful account types in any corporate environment — had been compromised. In a separate ransomware case involving a Singapore investment firm, a single stolen password was similarly all it took.
The first suspicious remote desktop connections appeared in the logs in April 2025. The ransomware detonated in May. Between those two points, the attacker spent approximately four weeks inside the network, undetected. During that time, they moved from the initial foothold to other machines using remote desktop and remote execution tools, harvested passwords from workstations and servers, disabled Microsoft Defender on at least one machine, ran network scans to map reachable systems, and installed a commercial remote access application as a persistent back door. None of this generated an alert the organisation was positioned to act on. Extended dwell without detection is not unusual: in another engagement, attackers mined cryptocurrency undetected for two months using a Hong Kong firm’s servers.
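As an added illustration (not part of the original case write-up, and not Blackpanda’s tooling), the following Python sketch shows what a minimal correlation layer over centrally collected Windows event logs could have raised during that dwell period. The events are constructed samples shaped like normalised records for Security 4624 (logon; type 10 is an RDP session), System 7045 (service installed), Windows Defender 5001 (real-time protection disabled) and Security 4946 (firewall exception added). The hostnames, account names, the VPN client pool 10.200.0.0/24 and the driver name wdfmgr2 are assumptions made for the example.

```python
"""Minimal correlation over centrally collected Windows events.

Added example: the EVENTS list is a constructed sample shaped like normalised
Security / System / Defender records, not log data from the case."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.200.0.0/24")   # assumption: address pool handed to VPN clients
FANOUT_HOSTS = 3                          # distinct hosts one account may reach ...
FANOUT_WINDOW = timedelta(minutes=30)     # ... within this window before we alert

# Constructed sample events (hostnames, accounts and the driver name are invented).
EVENTS = [
    # Security 4624, LogonType 10 = interactive RDP session, here from the VPN pool
    {"ts": "2025-04-14T02:11:05", "host": "DC01", "id": 4624, "user": "CORP\\svc_admin",
     "logon_type": 10, "src_ip": "10.200.0.17"},
    # System 7045 = a service was installed; PSEXESVC is PsExec's helper service
    {"ts": "2025-04-14T02:40:31", "host": "DC01", "id": 7045, "service": "PSEXESVC",
     "path": r"%SystemRoot%\PSEXESVC.exe", "kind": "user mode service"},
    # Windows Defender operational log 5001 = real-time protection disabled
    {"ts": "2025-04-15T03:05:10", "host": "WS-HK-07", "id": 5001,
     "provider": "Windows Defender", "msg": "Real-time protection is disabled."},
    # 7045 again, this time a kernel-mode driver loading from outside System32\drivers
    {"ts": "2025-04-16T01:22:44", "host": "DC01", "id": 7045, "service": "wdfmgr2",
     "path": r"C:\ProgramData\wdfmgr2.sys", "kind": "kernel mode driver"},
    # Security 4946 = a rule was added to the Windows Firewall exception list
    {"ts": "2025-04-16T01:25:02", "host": "DC01", "id": 4946, "rule": "Remote Desktop Allow"},
    # one account reaching several hosts within minutes (LogonType 3 = network logon)
    {"ts": "2025-04-20T01:00:00", "host": "WS-HK-01", "id": 4624, "user": "CORP\\svc_admin",
     "logon_type": 3, "src_ip": "10.1.0.5"},
    {"ts": "2025-04-20T01:04:00", "host": "WS-HK-02", "id": 4624, "user": "CORP\\svc_admin",
     "logon_type": 3, "src_ip": "10.1.0.5"},
    {"ts": "2025-04-20T01:09:00", "host": "FS-HK-01", "id": 4624, "user": "CORP\\svc_admin",
     "logon_type": 3, "src_ip": "10.1.0.5"},
    # benign control: a helpdesk RDP session from the office LAN, not from the VPN pool
    {"ts": "2025-04-21T09:30:00", "host": "WS-HK-03", "id": 4624, "user": "CORP\\helpdesk",
     "logon_type": 10, "src_ip": "10.1.0.44"},
]


def detect(events):
    """Return (timestamp, host, rule, detail) tuples in chronological order."""
    alerts = []
    remote_logons = defaultdict(list)   # account -> [(ts, host)] for logon types 3 and 10
    fanout_fired = set()
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        # Rule 1: interactive RDP session whose source address belongs to the VPN pool
        if e["id"] == 4624 and e["logon_type"] == 10 and ip_address(e["src_ip"]) in VPN_POOL:
            alerts.append((ts, e["host"], "rdp_from_vpn",
                           f"{e['user']} opened an RDP session from VPN address {e['src_ip']}"))
        # Rule 2: one account touching several hosts inside the window (needs events from many hosts)
        if e["id"] == 4624 and e["logon_type"] in (3, 10):
            history = remote_logons[e["user"]]
            history.append((ts, e["host"]))
            recent = {h for t, h in history if ts - t <= FANOUT_WINDOW}
            if len(recent) >= FANOUT_HOSTS and e["user"] not in fanout_fired:
                fanout_fired.add(e["user"])
                alerts.append((ts, e["host"], "lateral_fanout",
                               f"{e['user']} reached {sorted(recent)} within {FANOUT_WINDOW}"))
        # Rule 3: service installs that are either PsExec or a driver outside System32\drivers
        if e["id"] == 7045:
            if e["service"].upper() == "PSEXESVC":
                alerts.append((ts, e["host"], "psexec_service",
                               f"PsExec service installed from {e['path']}"))
            elif e["kind"] == "kernel mode driver" and "\\system32\\drivers\\" not in e["path"].lower():
                alerts.append((ts, e["host"], "driver_outside_drivers_dir",
                               f"kernel driver service {e['service']} loads {e['path']}"))
        # Rule 4: Defender real-time protection switched off
        if e["id"] == 5001 and e.get("provider") == "Windows Defender":
            alerts.append((ts, e["host"], "defender_rtp_disabled", e["msg"]))
        # Rule 5: firewall exception whose name points at remote desktop
        if e["id"] == 4946 and any(k in e["rule"].lower() for k in ("remote desktop", "rdp", "3389")):
            alerts.append((ts, e["host"], "firewall_rule_rdp", f"inbound exception added: {e['rule']}"))
    return alerts


if __name__ == "__main__":
    for ts, host, rule, detail in detect(EVENTS):
        print(f"{ts.isoformat()}  {host:<9} {rule:<28} {detail}")
```

Each rule except the fan-out one could be evaluated on the endpoint that produced the event; the fan-out rule needs logons from several hosts side by side, which is the practical argument for centralised logging rather than per-machine logs. The thresholds are illustrative and would be tuned against the environment’s own baseline of administrative activity.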
When the ransomware finally executed, it ran in multiple variants across both Windows machines and the Linux-based NAS device. Files were encrypted and renamed with a distinctive extension. A ransom note appeared on affected systems. Operations were brought to a halt. It was only at this point — when the damage was visible and the business had stopped — that the breach became undeniable.
SOLUTION
1. Immediate containment and emergency engagement
Blackpanda was engaged in mid-May 2025, the day after the ransomware was discovered. The organisation’s IT team had already taken initial containment steps — disconnecting internet access, restoring systems from backup where possible, and resetting the domain administrator password. Blackpanda assumed responsibility for the forensic investigation, and an endpoint detection and response (EDR) solution was deployed across machines in the Asia region as an immediate protective measure.
2. Forensic reconstruction of the attacker’s timeline
Blackpanda’s analysts collected and examined digital evidence from affected machines, including event logs, registry artefacts, file execution records, and memory artefacts. The investigation covered the full timeline from initial access through to ransomware execution, identifying each stage of the attack and the tools the attacker had used. Where log sources had been deleted, encrypted, or simply never retained, investigators worked from the evidence that remained, noting the limitations clearly.
3. Mapping lateral movement and persistence mechanisms
The investigation identified multiple techniques the attacker had used to extend their reach across the network. Remote Desktop Protocol connections, execution of PsExec (a legitimate remote administration tool commonly used by IT teams), and a commercial remote access application were all deployed at different stages. Separately, the attacker had installed two persistence mechanisms designed to survive reboots and credential resets: a suspicious kernel-mode driver registered as a service, and a firewall rule that explicitly permitted remote desktop connections. Both were identified and documented.
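Both mechanisms described here (and noted again under Results, where they are recorded as having survived the initial containment) can be checked offline against a SYSTEM hive collected from the host. The following Python example is added for illustration and is not the investigators’ tooling. It parses a `reg export` of the Services key, flags kernel-mode driver services (Type 1) whose binary does not live under System32\drivers, and lists active inbound allow rules for TCP/3389 from the FirewallRules key, distinguishing rules bound to the Remote Desktop service from unscoped ones. The export text is constructed; the driver name wdfmgr2, the rule GUID, and the use of ControlSet001 as the active control set are assumptions (on a live system the active set is whichever one HKLM\SYSTEM\Select\Current names).

```python
"""Offline triage of a SYSTEM hive export for two persistence mechanisms:
a kernel-mode driver service loading from an unusual path, and an inbound
firewall rule allowing RDP.

Added example: SAMPLE_REG is a constructed `reg export` file; the rogue driver
name and the rule GUID are invented."""

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services"   # assumption: ControlSet001 is active
FW_RULES = SERVICES + r"\SharedAccess\Parameters\FirewallPolicy\FirewallRules"
SERVICE_KERNEL_DRIVER = 1   # Services\<name>\Type value for a kernel-mode driver


def _hex2(s):
    """Encode a string as reg.exe writes a REG_EXPAND_SZ: hex(2):, UTF-16LE, wrapped with '\\'."""
    parts = [f"{b:02x}" for b in (s + "\0").encode("utf-16-le")]
    lines = [",".join(parts[i:i + 25]) for i in range(0, len(parts), 25)]
    return "hex(2):" + ",\\\n  ".join(lines)


SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + SERVICES + r"\disk]",             # a normal boot-start kernel driver
    '"Type"=dword:00000001',
    '"Start"=dword:00000000',
    '"ImagePath"=' + _hex2(r"\SystemRoot\System32\drivers\disk.sys"),
    "",
    "[" + SERVICES + r"\TermService]",      # user-mode service: not a driver, ignored
    '"Type"=dword:00000020',
    '"Start"=dword:00000003',
    '"ImagePath"=' + _hex2(r"%SystemRoot%\System32\svchost.exe -k NetworkService"),
    "",
    "[" + SERVICES + r"\wdfmgr2]",          # invented: auto-start driver living in ProgramData
    '"Type"=dword:00000001',
    '"Start"=dword:00000002',
    '"ImagePath"=' + _hex2(r"\??\C:\ProgramData\wdfmgr2.sys"),
    "",
    "[" + FW_RULES + "]",
    # built-in RDP rule, bound to the TermService service
    '"RemoteDesktop-UserMode-In-TCP"="v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|'
    'LPort=3389|App=%SystemRoot%\\\\system32\\\\svchost.exe|Svc=termservice|Name=Remote Desktop|"',
    # invented: an unscoped allow rule for 3389 added by the intruder
    '"{7a1c3e2b-5d1f-4c55-9f1e-2b6c8d9e0f11}"="v2.30|Action=Allow|Active=TRUE|Dir=In|'
    'Protocol=6|LPort=3389|Name=Remote Desktop Allow|"',
    '"CoreNet-Out"="v2.30|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Name=Core Networking|"',
])


def decode_value(val):
    """Decode the REG_SZ, REG_DWORD, REG_BINARY and REG_EXPAND_SZ forms used by reg export."""
    if val.startswith('"'):
        return val[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if val.startswith("dword:"):
        return int(val[6:], 16)
    if val.startswith("hex(2):") or val.startswith("hex:"):
        data = bytes(int(h, 16) for h in val.split(":", 1)[1].split(",") if h)
        return data.decode("utf-16-le").rstrip("\0") if val.startswith("hex(2):") else data
    return val


def parse_reg(text):
    """Parse a `reg export` file into {key_path: {value_name: value}}."""
    keys, cur, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip() if pending else raw.strip()
        pending = ""
        if line.endswith("\\"):          # wrapped hex value continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys[cur] = {}
        elif cur is not None and line.startswith('"') and "=" in line:
            name, _, val = line.partition("=")
            keys[cur][name.strip('"')] = decode_value(val)
    return keys


def suspicious_drivers(keys):
    """Kernel-driver services (direct children of Services) whose binary is outside System32\\drivers."""
    hits = []
    for key, vals in keys.items():
        if not key.startswith(SERVICES + "\\") or "\\" in key[len(SERVICES) + 1:]:
            continue
        if vals.get("Type") != SERVICE_KERNEL_DRIVER:
            continue
        if "\\system32\\drivers\\" not in str(vals.get("ImagePath", "")).lower():
            hits.append({"service": key.rsplit("\\", 1)[1], "path": vals.get("ImagePath"),
                         "start": vals.get("Start")})
    return hits


def inbound_rdp_rules(keys):
    """Active inbound allow rules for TCP/3389; scoped=False means no App/Svc binding."""
    hits = []
    for value_name, rule in keys.get(FW_RULES, {}).items():
        fields = {}
        for part in rule.split("|"):        # "v2.30|Action=Allow|..." ; repeated keys keep the first
            if "=" in part:
                k, v = part.split("=", 1)
                fields.setdefault(k, v)
        if (fields.get("Action") == "Allow" and fields.get("Active") == "TRUE"
                and fields.get("Dir") == "In" and fields.get("Protocol") == "6"
                and fields.get("LPort", "3389") == "3389"):   # missing LPort means any port
            hits.append({"value": value_name, "name": fields.get("Name", ""),
                         "scoped": "App" in fields or "Svc" in fields})
    return hits


if __name__ == "__main__":
    hive = parse_reg(SAMPLE_REG)
    for d in suspicious_drivers(hive):
        print(f"[driver]   {d['service']} (Start={d['start']}) -> {d['path']}")
    for r in inbound_rdp_rules(hive):
        print(f"[firewall] {r['value']} '{r['name']}' scoped={r['scoped']}")
```

A "non-standard name" cannot be enumerated in advance, so the driver check keys on type and load location rather than on a list of names; anything loading from ProgramData or a user profile then deserves a hash lookup and a signature check of the file itself, which a hive alone cannot provide. On a live host the same questions are answered with Get-CimInstance Win32_SystemDriver and Get-NetFirewallRule, but the offline form is what remains usable once the machine has been imaged and taken off the network.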
4. Credential access and password harvesting analysis
Blackpanda identified evidence that the attacker had deployed a range of credential-harvesting tools across multiple machines — utilities designed to extract stored passwords from browsers, mail clients, remote desktop sessions, and other sources. The harvested credentials had been written to plaintext files on the affected systems; those files had subsequently been removed, but traces of their presence and access remained in the forensic record. A variant of Mimikatz — one of the most widely used credential dumping tools in the threat actor toolkit — was among the executables identified.
5. Ransomware analysis and malware classification
The ransomware deployed in this attack, designated Bert, was a newly emerged strain first observed in early 2025. Blackpanda obtained and analysed samples of the malware. The Windows variant terminated a predefined list of processes before beginning encryption, specifically excluded system directories and executable files, and renamed encrypted files with a distinctive extension. A separate Linux variant was deployed against the NAS device via SSH. As of the report date, the specific file hashes had not appeared in public threat intelligence databases. That is consistent with per-victim builds, but it does not prove them on its own: a sample that simply has not yet been submitted to those databases looks the same.
6. Dark web sweep and credential exposure assessment
Running concurrently with the forensic investigation, Blackpanda conducted a targeted dark web search using the organisation’s domain. The sweep identified three infostealer records and multiple sets of account credentials associated with the organisation circulating in criminal marketplaces. Infostealer malware operates by quietly extracting saved passwords and session data from infected machines and selling the results to other threat actors — in some cases long before those credentials are used in an attack.
RESULTS
1. Breach timeline established
Blackpanda reconstructed the full chronology of the intrusion, from the first suspicious remote desktop connections in April 2025 through ransomware execution in May. Despite gaps in the logs — some had never been retained, others were inaccessible — investigators assembled a coherent timeline from the artefacts that remained, giving the organisation a clear account of what had happened and when.
2. Attacker’s full toolkit identified
The investigation documented the set of tools the surviving evidence shows the attacker deployed: credential harvesters, a network scanner, a port scanner, a remote process inspection utility, a commercial remote access application, a brute-force tool, and the Bert ransomware itself in both Windows and Linux variants. Given the log gaps, this is what the evidence supports rather than a guarantee of completeness. Understanding the toolkit is the foundation for understanding exposure — each tool leaves a distinct footprint, and knowing which footprints to look for informs both immediate remediation and longer-term monitoring.
3. Persistence mechanisms neutralised
Two persistence mechanisms survived the initial containment actions taken by the organisation’s IT team. The suspicious kernel-mode driver, registered as a service with a non-standard name, and the firewall rule explicitly permitting remote desktop access were both identified during the investigation. Without forensic analysis, these could have remained active, giving the attacker a continuing route back into the environment after the immediate crisis had passed.
4. Dark web exposure surfaced
Three infostealer records and multiple credential sets associated with the organisation’s domain were identified on criminal marketplaces. Credentials exposed via infostealer malware circulate in these markets and are frequently purchased by ransomware groups as a cost-efficient route to initial access. Whether this exposure contributed directly to the breach or represented parallel risk, the findings gave the organisation a concrete basis for targeted remediation. Credential exposure enabling initial access is a recurring theme across Blackpanda cases: a Hong Kong securities firm suffered an estimated USD 3.3M crypto theft after threat actors leveraged compromised access to hijack its AWS environment.
5. Prioritised remediation roadmap delivered
Blackpanda delivered a tiered set of recommendations, stratified by urgency. Critical actions — deploying EDR across all endpoints, resetting all privileged account passwords, and enforcing MFA on external-facing services including VPN — were implemented immediately. Medium-term recommendations covered centralised logging, network segmentation, and continuous security monitoring. The organisation’s willingness to act on critical findings immediately materially reduced its exposure going forward.
The findings in this case reflect a pattern Blackpanda sees repeatedly across the region. Ransomware groups do not typically exploit exotic vulnerabilities. They exploit the gap between what organisations assume their security posture looks like and what it actually is. A VPN without MFA is an open door. No centralised logging means no early warning. No endpoint detection means the attacker can work undisturbed for weeks. Each of these is a solvable problem — but only if it is found before the ransomware does.
Frequently Asked Questions
1. What is Bert ransomware, and how does it differ from other strains?
Bert is a multi-platform ransomware strain first observed in early 2025, targeting both Windows and Linux environments, including network-attached storage devices. What distinguishes it from more established variants is its recency: the specific file hashes associated with this attack had not appeared in public threat intelligence databases at the time of analysis, which is consistent with customised builds rather than off-the-shelf malware, though absence from public databases alone does not prove it. Bert follows the double-extortion model common to contemporary ransomware groups — encrypting files to demand payment while also threatening to publish stolen data. For more on how ransomware groups operate, CISA’s ransomware guidance is a reliable reference.
2. How did the attackers get in if there was no obvious phishing email?
In this case, initial access appears to have occurred through the organisation’s VPN at an overseas office, using compromised administrator credentials. The absence of multi-factor authentication meant a valid username and password — however obtained — was sufficient to authenticate. Credentials can be acquired through infostealer malware (which harvests saved passwords from infected machines), through credential stuffing (testing previously leaked password combinations against live services), or through direct brute-force attacks. The dark web sweep in this case found credential records associated with the organisation already circulating in criminal markets, pointing to at least one pathway that did not require a phishing email at all. For cases where attackers do exploit email as a vector, see how a Hong Kong manufacturer’s customers were defrauded through domain impersonation.
3. The attack was detected when the ransomware detonated. Why wasn’t it caught earlier?
The attacker spent approximately four weeks inside the network before encryption ran. During that time, no centralised logging was in place to aggregate and correlate events across systems, and no endpoint detection solution was deployed to flag the execution of known attack tools. The attacker also took active steps to reduce their visibility: Microsoft Defender was disabled on at least one machine, credential files were removed after use, and a cleanup script was executed to erase remote desktop connection history. The combination of absent monitoring and active evasion created the conditions for a prolonged, undetected intrusion.
4. What does "lateral movement" mean, and why does it matter?
Lateral movement refers to the techniques an attacker uses to expand their access beyond the initial compromised machine. Rather than staying in one place, the attacker pivots across the network, accessing additional systems using stolen credentials and legitimate remote administration tools. In this case, the attacker moved from the initial VPN entry point to a domain controller, then to multiple endpoints and a NAS device. Lateral movement matters because it determines the blast radius: an organisation that catches an intrusion while it is still limited to one machine faces a very different remediation challenge than one where the attacker has reached every corner of the environment.
5. Should the organisation pay the ransom?
Blackpanda’s general position, consistent with guidance from CISA and the FBI, is that paying a ransom does not guarantee data recovery, does not remove the attacker from the environment, and funds further criminal activity. In this case, the organisation was able to restore critical systems from backup, which is the recommended recovery path. One caveat follows directly from the timeline: the attacker was inside the network for roughly four weeks before encryption, so backups taken during that window may already contain their persistence mechanisms, and restored systems need to be checked for them before they go back on the network. The more important question — rarely asked before an incident — is whether current backups are clean, tested, and stored in a location the ransomware cannot reach. Offline, air-gapped or immutable backups are the most reliable safeguard against encryption-based extortion.
6. What is an infostealer, and could it have contributed to this breach?
An infostealer is a category of malware designed to silently extract saved credentials, browser session tokens, and other sensitive data from an infected machine and transmit them to a criminal infrastructure. The resulting credential sets are typically sold on dark web marketplaces, where ransomware operators and other threat actors purchase them for use in subsequent attacks. Blackpanda’s dark web sweep identified three infostealer records and multiple credential sets associated with the organisation’s domain in circulation. Whether this directly enabled the breach or represented a parallel exposure, the finding underscores that credential risk does not begin and end at the organisation’s perimeter.
7. How can organisations protect themselves against this type of attack?
The most impactful controls are not complex. Enforce multi-factor authentication on every external-facing service, beginning with VPN. Deploy an endpoint detection and response solution that can identify the execution of known attack tools in real time. Centralise logging so that suspicious activity can be correlated across systems rather than isolated on individual machines. Conduct regular, tested backups with at least one offline or air-gapped copy. And consider subscribing to a pre-engaged incident response service — so that when something does happen, the response is immediate rather than a procurement exercise at two in the morning. Blackpanda’s IR-1 is built precisely for this purpose.
What This Means for Your Organisation
The attacker in this case did not need a sophisticated exploit. They needed one thing: a valid set of administrator credentials and a VPN service with no second factor. From that single point of access, they had four weeks to operate without interruption — mapping the network, harvesting passwords, disabling defences, and positioning the ransomware before anyone knew they were there. That dwell time is not unusual; multi-week gaps between initial access and encryption are routinely reported in ransomware intrusions. What made it possible here was the absence of the controls that would have shortened it: no EDR, no centralised logging, no MFA on the VPN.
For any organisation with a similar profile — multiple offices, remote access capabilities, mixed Windows and Linux infrastructure, and a small or stretched IT team — the question this case raises is not abstract. It is operational. If an attacker accessed your environment through a valid credential today, when would you know? The honest answer, for many organisations, is: when something stops working.
The practical response is not to attempt a complete security transformation overnight. It is to address the highest-value controls first. MFA on external-facing services. An EDR solution with real-time alerting. Centralised log collection. A tested, offline backup. And a pre-engaged incident response provider so that the first call in a crisis goes to people who already know your environment. Blackpanda’s IR-1 subscription is designed for organisations that need enterprise-grade incident response capability at a cost that fits outside the Fortune 500.
About Blackpanda
Blackpanda is a Lloyd’s of London–accredited insurance coverholder and Asia’s leading local cyber incident response firm, delivering end-to-end digital emergency support across the region. We are pioneering the A2I (Assurance-to-Insurance) model in cybersecurity — uniting preparation, response, and insurance into a seamless pathway that minimises financial and operational impact from cyber attack. Through expert consulting services, response assurance subscriptions, and innovative cyber insurance, we help organisations get ready, respond, and recover from cyber attacks — all delivered by local specialists working in concert.
Our mission is clear: to bring complete cyber peace of mind to every organisation in Asia, from the first moment of breach through full recovery and beyond.