
Ransomware Wipes Backups and Encrypts Seven Devices at a Hong Kong Lifestyle Brand

PUBLISHED: April 3, 2026

The ransomware was the last thing that happened. Attackers had been inside the network for nearly a week before a single file was encrypted.

Key facts

Organisation: Hong Kong lifestyle brand

Threat: BlackNevas ransomware — double extortion (encryption + data exfiltration)

Initial access: Compromised administrator credentials authenticated via VPN from foreign IP addresses across multiple countries

Impact: Seven assets encrypted (one domain controller, three servers, three laptops); backup application removed and all backup data deleted; data exfiltration assessed with high confidence prior to encryption

Core issue: No multi-factor authentication on VPN; weak account passwords enabling brute-force access; no centralised log management, allowing six days of attacker activity to go entirely undetected

What this case shows

  • A single compromised administrator account gave the attacker full run of the network. Rather than move immediately, they spent six days escalating privileges, harvesting credentials, and mapping internal systems before triggering the ransomware — undetected throughout.
  • Deleting backups is now standard ransomware procedure. Organisations that rely on on-network backups as their recovery plan are one batch script away from having no recovery path at all.
  • Double-extortion groups like BlackNevas steal data before encrypting it. Restoring from backup does not resolve the exfiltration problem. The two consequences require separate responses, including separate consideration of notification obligations under applicable data protection law.
  • Staff credentials exposed in historical data breaches remain actionable attack material years later. Accounts found in this organisation's dark web data dated as far back as 2012.

Understand how Blackpanda responds to active ransomware with IR-1 and on-demand incident response.

Summary

Staff at a Hong Kong lifestyle brand arrived one morning in late 2025 to find their point-of-sale system inaccessible. Within hours, it was clear this was not routine. Seven systems had been encrypted. Ransom notes — addressed to the organisation by name — sat in affected directories, and emails bearing those same demands had already been sent internally from a compromised employee’s account. The backup application had been uninstalled. The backup data was gone.

What followed was a Blackpanda investigation that reconstructed nearly a week of attacker activity the organisation had never seen coming. The threat actor had entered through the organisation’s VPN using a stolen administrator password, moved quietly across the internal network, and spent six days harvesting credentials, browsing file servers, and staging data for exfiltration — before deploying a ransomware payload customised specifically for this victim.

The ransomware was the final act. Everything that made recovery difficult — the deleted backups, the cleared logs, the weakened credential protections — had been methodically executed in the six days before a single file was encrypted.

CHALLENGE

Staff at a Hong Kong lifestyle brand arrived one morning in late 2025 to find their point-of-sale system unresponsive. Within the hour, it was clear this was not a routine IT fault. Critical systems were down. Files across multiple servers and endpoints had been encrypted and renamed beyond recognition. Ransom notes addressed to the organisation by name had been placed in affected directories and circulated internally via a compromised employee’s account. The backup application had been uninstalled. Its data had been deleted.

Seven assets were confirmed affected: one domain controller, three servers, and three laptops. Operations across the organisation had effectively stopped.

What the organisation did not yet know was that the attackers had been inside the network for nearly six days before triggering the ransomware. The intrusion had not begun with a loud entry. It began with a password.

Blackpanda’s investigation established that the threat actor gained initial access through the organisation’s VPN using a compromised administrator account, authenticating from foreign IP addresses across multiple countries — a pattern entirely inconsistent with normal user behaviour. Forensic evidence suggested the attacker had been active on an internal server even before those VPN sessions, running brute-force authentication attempts against local accounts until credentials gave way.

Once inside, the attacker did not rush. They installed remote management tools disguised as legitimate Windows services, establishing persistent command-and-control channels that would survive reboots and credential resets. They modified registry settings to force plaintext password storage in memory and disabled protections around the process responsible for holding authentication data — weakening the system’s own defences from the inside. Then, armed with harvested credentials, they moved laterally across the network via remote desktop protocol, connecting to dozens of internal systems and browsing file servers through administrative shares, including directories containing security software — suggesting a deliberate assessment of the organisation’s defensive posture before the final move.

By the time the ransomware ran, the attacker had already staged what appeared to be sensitive organisational data and transferred more than a gigabyte outbound through an active remote desktop session. The encryption was not the attack. It was the conclusion.


SOLUTION

1. Establishing scope and timeline

Blackpanda deployed endpoint detection and response tooling and collected forensic evidence across all seven affected assets — disk images, volatile data, and firewall logs. The attacker had deliberately cleared event logs and deleted artefacts across multiple hosts, which meant reconstruction required cross-referencing surviving registry hives, browser history artefacts, application trace files, and network telemetry. This work produced a granular timeline of attacker activity spanning nearly six days, from the earliest brute-force authentication attempts through to ransomware execution and log clearance — a reconstruction methodology consistent with Blackpanda’s approach to engagements where evidence has been partially destroyed.

2. Containing the immediate threat

Blackpanda supported the isolation of affected machines from the internal network. The VPN was disabled as an emergency containment measure, and the firewall support partner implemented a two-tier firewall structure to close the entry path and prevent re-access using the same compromised credentials.

3. Tracing the initial access vector

Firewall logs confirmed that the administrator account had authenticated from multiple foreign IP addresses — Germany, the Netherlands, Romania, and Australia — within a concentrated window. Combined with evidence of brute-force activity on an internal server in the hours preceding those VPN sessions, this allowed Blackpanda to establish with high confidence that the VPN was the primary entry point and that the administrator account had been compromised before the intrusion formally began. This is a pattern Blackpanda has traced repeatedly: in one recent case, a Singapore-based organisation lost sensitive data to an attacker who entered through compromised VPN credentials and exfiltrated files before deploying ransomware; in another, credential compromise against an exposed remote access service placed a Hong Kong organisation at imminent risk of encryption before Blackpanda intervened.
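The multi-country VPN pattern described above is straightforward to alert on when authentication logs are aggregated off-host. The following detection logic is an added example, not Blackpanda's tooling or the organisation's own logs: it parses constructed sample VPN log lines (the line format, the IPs, the usernames and the "HK" home country are all assumptions) and flags any account that logs in successfully from two or more countries outside its home country within a six-hour window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall VPN log lines (not from the case). The format
# "<ts> vpn auth user=<name> src=<ip> geo=<CC> result=<ok|fail>" is an assumption.
SAMPLE_LOGS = """\
2025-11-02T01:12:09Z vpn auth user=admin src=203.0.113.10 geo=DE result=ok
2025-11-02T01:40:51Z vpn auth user=admin src=198.51.100.7 geo=NL result=ok
2025-11-02T02:05:33Z vpn auth user=admin src=192.0.2.44 geo=RO result=ok
2025-11-02T03:18:20Z vpn auth user=admin src=203.0.113.99 geo=AU result=ok
2025-11-02T08:30:00Z vpn auth user=jlee src=203.0.113.200 geo=HK result=ok
2025-11-02T09:02:11Z vpn auth user=jlee src=203.0.113.200 geo=HK result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>[A-Z]{2}) result=(?P<result>\S+)$"
)


def parse_logs(text):
    """Parse log lines into (timestamp, user, src_ip, country, result) tuples;
    lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["geo"], m["result"]))
    return events


def find_multi_geo_logins(events, window=timedelta(hours=6),
                          min_countries=2, home="HK"):
    """Return {user: sorted list of countries} for every account with
    successful logins from at least `min_countries` distinct countries
    (excluding `home`) inside any `window`-long span. Logins from the home
    country alone never trigger an alert."""
    by_user = defaultdict(list)
    for ts, user, _src, geo, result in sorted(events):
        if result == "ok":
            by_user[user].append((ts, geo))
    alerts = {}
    for user, logins in by_user.items():
        for i, (start, _) in enumerate(logins):
            # Sliding window starting at each successful login.
            countries = {geo for ts, geo in logins[i:]
                         if ts - start <= window and geo != home}
            if len(countries) >= min_countries:
                alerts[user] = sorted(countries)
                break
    return alerts


if __name__ == "__main__":
    for user, countries in find_multi_geo_logins(parse_logs(SAMPLE_LOGS)).items():
        print(f"ALERT: {user} authenticated from {countries} within 6h")
```

In this sample the administrator account trips the rule (four countries in just over two hours) while the staff account logging in only from Hong Kong does not; the same rule would have been silent here without off-host log collection, since the attacker cleared local logs.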

4. Mapping credential access and lateral movement

Forensic analysis of registry artefacts, application logs, and network telemetry documented the attacker’s movement across the environment. The threat actor used a combination of credential dumping tools — including a legitimate password recovery utility repurposed for extraction — alongside registry modifications that forced plaintext password caching, harvesting account credentials then used for remote desktop connections to dozens of internal systems. Credential dumping against a domain controller is a consistent feature of advanced ransomware intrusions; here, it gave the attacker administrator-level access across the estate well before the payload ran. SMB administrative shares were browsed across multiple hosts, with evidence that security product directories were specifically accessed — consistent with an attacker mapping defensive coverage before deploying.

5. Analysing the ransomware and assessing exfiltration

Blackpanda obtained and analysed the ransomware binary, attributed to BlackNevas — a group active since late 2024, assessed to derive from the Trigona codebase, and known to operate a double-extortion model combining data theft with encryption. The payload was customised for this specific victim: the ransom note included the organisation’s name, consistent with human-operated, targeted ransomware rather than an opportunistic mass campaign. The encryption routine used a multi-stage, size-dependent approach — encrypting file headers partially or intermittently depending on file size, then renaming encrypted files with randomised extensions.

On exfiltration, firewall logs recorded outbound data transfers exceeding one gigabyte through a remote desktop application session during the intrusion window. Trace files from that session confirmed sustained clipboard relay and file transfer activity across several hours. Blackpanda assessed with high confidence that data had been exfiltrated, consistent with BlackNevas’s documented tradecraft. The specific contents could not be confirmed — the attacker had cleared the relevant logs and deleted file system artefacts before departing.

6. Dark web and external attack surface assessment

Blackpanda’s dark web monitoring identified multiple staff email accounts from the organisation’s domain in historical breach compilations, with exposed credentials dating as far back as 2012 — some in plaintext, others hashed. This is not unusual: dark web credential exposure frequently predates an intrusion by years, with threat actors sourcing valid account material from breach databases long before they target a specific organisation. An external attack surface scan of the organisation’s public-facing infrastructure additionally identified several high-risk vulnerabilities, including end-of-life web server software, actively exploited CVEs, and exposed services including FTP and an unencrypted administration interface. None were confirmed as contributing to the intrusion, but they represent residual risk that coexisted with the attack.


RESULTS

1. Full reconstruction of a six-day intrusion

Blackpanda established a detailed timeline of attacker activity across the entire intrusion window — from the earliest brute-force authentication attempts through to ransomware execution and log clearance, a span of nearly six days. This reconstruction, built from surviving artefacts despite deliberate evidence destruction, informed both the immediate containment response and the long-term remediation roadmap.

2. Ransomware attributed to BlackNevas

The payload was identified and attributed to BlackNevas, a financially motivated group active since late 2024. Its customisation for this specific victim — the ransom note addressed the organisation by name — confirmed a targeted, human-operated operation. Attribution shaped the threat model and the recommendations for post-incident hardening, including specific controls against the lateral movement and persistence techniques this group is known to favour.

3. High-confidence assessment of data exfiltration

Despite significant evidence destruction — cleared logs, deleted artefacts, encrypted files — Blackpanda correlated firewall telemetry, remote desktop application trace files, and BlackNevas’s documented double-extortion methodology to assess with high confidence that data had been exfiltrated prior to encryption. This finding was material to framing the organisation’s obligations under applicable data protection requirements and to shaping its notification posture.

4. Credential exposure mapped across historical breaches

Dark web monitoring identified more than a dozen staff accounts with exposed credentials in historical breach compilations, some dating back over a decade. These findings established a concrete starting point for the credential reset and password policy remediation that followed containment.

5. Network containment achieved

Through the isolation of affected endpoints, VPN disablement, and the implementation of an updated firewall architecture, the attacker’s access paths were closed. No further malicious activity was detected following containment.

Ransomware recovery is commonly framed as a restore-from-backup problem. This case illustrates why that framing falls short. Backups are now a primary target in their own right — disabled, deleted, or encrypted before the payload runs. Logs, the only means of understanding what an attacker actually did, are deliberately destroyed. Data has already left the building. The organisations best positioned to manage this reality are those with continuous credential monitoring, centralised log storage that survives host compromise, and a pre-established incident response capability that does not require procurement at 2 a.m. The Akira intrusion at an Asia-Pacific manufacturer reinforced the same point: the alert that matters is rarely encryption — it is the credential access that precedes it.


Frequently Asked Questions

1. What is BlackNevas ransomware and how does it operate?

BlackNevas is a ransomware group first observed in late 2024, assessed to derive technically from the Trigona codebase. The group targets organisations across multiple sectors and operates a double-extortion model: data is exfiltrated before files are encrypted, giving the attacker two levers — decryption and non-publication — to demand payment against. Attacks are conducted manually and operator-driven, with payloads typically customised per victim. This makes BlackNevas intrusions more deliberate and more targeted than opportunistic campaigns. For broader context on ransomware groups operating across Asia, CISA’s ransomware resources remain the clearest public reference.

2. How did the attacker get in without a phishing email?

No phishing was required. The organisation’s VPN — its remote access gateway — was protected by a username and password alone. The administrator account’s credentials appear to have been compromised through a combination of brute-force attempts on an internal system and, possibly, exposure in prior breach data. With valid credentials in hand, the VPN granted the attacker legitimate-looking access; from the network’s perspective, the login was indistinguishable from an authorised session. The FBI has consistently identified VPNs without multi-factor authentication as among the most exploited initial access vectors in ransomware intrusions. In a recent case involving a Singapore organisation, the same entry point — a compromised VPN account with a weak password — gave an attacker direct access to the internal network and sufficient time to exfiltrate data before encryption.

3. Why wasn’t the attacker detected during six days of activity?

Several factors converged. The attacker used commercially available remote management tools rather than custom malware — software that standard endpoint detection is not designed to flag. Authentication events looked legitimate because the attacker was using valid, harvested credentials. Critically, the organisation had no centralised log management: event logs were stored locally on individual hosts, which allowed the attacker to clear them selectively as they moved through the environment. Without aggregated, off-host log storage, there was no persistent audit trail to alert on. When logs live only on the machines an attacker already controls, they are not a reliable source of evidence — and not a reliable source of early warning.

4. What does double extortion mean in practice, and does paying the ransom resolve it?

Double extortion means the attacker steals data before encrypting it, creating two separate pressures: pay for the decryption key, and pay again — or additionally — for the promise not to publish what was taken. In practice, paying the ransom does not guarantee data deletion; there is no enforceable mechanism. It also does not address the fact that the data has already left the organisation and may have been copied multiple times. For organisations subject to data protection regulations, a confirmed exfiltration event may trigger mandatory notification obligations regardless of whether a ransom is paid or systems are restored. Encryption and exfiltration are two distinct problems requiring separate responses — a point that also arose in Blackpanda’s investigation of the Qilin ransomware intrusion at a regional manufacturer, where data exfiltration attempts were confirmed independently of the encryption event.

5. The backups were deleted. What recovery options exist?

When on-network backups have been deleted and no offline copy exists, file recovery options are limited. Depending on the ransomware variant, partial recovery may be possible through file carving, volume shadow copy remnants, or a publicly released decryptor — but none of these are reliable substitutes for a tested backup. Blackpanda analysed available recovery options as part of this investigation’s scope. The most resilient posture is maintaining offline or air-gapped backups that cannot be reached through a compromised network session, tested at regular intervals. CISA’s ransomware guide remains the clearest public guidance on backup architecture for ransomware resilience.

6. What should organisations do if their credentials appear in dark web breach data?

Any account found in a dark web compilation should be treated as compromised, regardless of the breach’s age. Passwords reused across systems — or unchanged since the original breach — remain exploitable. Immediate steps: force a password reset for the affected account, audit whether the same password was used elsewhere, and enforce multi-factor authentication wherever it is not already active. This case included credentials from breach datasets dating back to 2012; in a separate engagement, Blackpanda found that dark web credential exposure had enabled persistent cloud account access weeks before the victim was aware anything was wrong. Dark web monitoring, included in Blackpanda’s IR-1 subscription, surfaces these exposures continuously rather than reactively.

What This Means for Your Organisation

The most important detail in this case is not the ransomware. It is the six days that preceded it.

Modern ransomware groups do not break in and immediately encrypt. They move carefully, mapping the network, escalating privileges, identifying backup systems to disable, locating data worth stealing, and systematically clearing the evidence of their passage as they go. By the time the payload executes, an attacker like this has achieved every objective that matters. The encryption is a notification, not the attack itself.

For organisations still thinking about ransomware defence in terms of backup and restore, that model is outdated. Backups are now a primary target: deleted, encrypted, or rendered inaccessible before the ransomware runs. Logs — the only means of reconstructing what happened — are deliberately destroyed. Data is exfiltrated before encryption, creating a disclosure problem that persists regardless of whether systems are recovered. And the credentials that make all of this possible are often sitting in breach compilations years before an attacker ever decides to use them.

The organisations most exposed to this pattern share a recognisable profile: remote access systems without multi-factor authentication, log storage that does not survive host compromise, and no pre-established incident response capability. Addressing all three is not a complex security programme. It is the baseline. IR-1 combines readiness intelligence, guaranteed incident response, and continuous dark web monitoring into a single fixed-cost subscription — the architecture designed specifically for organisations that cannot afford to discover these gaps under pressure.


About Blackpanda

Blackpanda is a Lloyd’s of London–accredited insurance coverholder and Asia’s leading local cyber incident response firm, delivering end-to-end digital emergency support across the region. We are pioneering the A2I (Assurance-to-Insurance) model in cybersecurity — uniting preparation, response, and insurance into a seamless pathway that minimises financial and operational impact from cyber attack. Through expert consulting services, response assurance subscriptions, and innovative cyber insurance, we help organisations get ready, respond, and recover from cyber attacks — all delivered by local specialists working in concert.

Our mission is clear: to bring complete cyber peace of mind to every organisation in Asia, from the first moment of breach through full recovery and beyond.