
Two Different Ransomware Strains Hit One Malaysian Manufacturer in a Single Night

Published: April 30, 2026

What started as a routine vendor login from a European IP ended with two different ransomware strains running inside a Malaysian manufacturer the same night.

Key facts

Organisation
A Malaysian manufacturer
Threat
Two ransomware families deployed in a single intrusion — White Rabbit (Windows) and Mario (hypervisors)
Initial access
Two-week brute-force attack against an internet-exposed firewall management interface; eventual login as a vendor account with no MFA
Impact
Approximately 30 systems encrypted across workstations and virtual machines; backup infrastructure destroyed; over 100 GB of corporate data exfiltrated to external cloud storage
Core issue
A privileged third-party account was reachable from the open internet without MFA, and the firewall configuration itself stored domain administrator credentials that the attacker recovered after one successful login

What this case shows

  • A single exposed administrative interface, given enough time, will eventually fall to brute force; the only question is whether MFA stops it at the door, or the attacker walks straight in.
  • Vendor accounts often inherit the same trust as internal admin accounts, with none of the same scrutiny. Geographic, time-of-day, and source-IP restrictions on vendor logins are not optional controls; they are the only thing standing between routine support access and a domain compromise.
  • Network appliances are not just gatekeepers, but also credential stores. A firewall configuration containing a domain administrator password means that compromising the firewall compromises the entire Active Directory environment in one step.
  • Modern ransomware campaigns no longer pick one operating system. Attackers now arrive with parallel payloads — one for Windows endpoints, one for the virtualisation layer — and detonate them in concert to maximise downtime and disable recovery.

Most organisations only learn the cost of a flat network and an exposed admin interface after a ransomware payload has already detonated. Identify the gaps before they're exploited with Compromise Assessment and ensure you have responders on call when the worst happens with Blackpanda IR-1.

Summary

A two-week brute-force attack against an exposed firewall ended with one successful login. By the time the Malaysian manufacturer noticed, attackers had spent nearly three weeks inside the network, exfiltrated more than 100 GB of data, and detonated two different ransomware strains the same night.

The compromised account belonged to the organisation's ERP vendor — a routine support login with no multi-factor authentication and no source-country restrictions. With it, attackers downloaded the firewall configuration, which contained the password to a domain administrator account, granting them domain-wide control without having to break another credential.

The manufacturer engaged Blackpanda the following week. Digital forensic investigations found that the attackers had spent days quietly mapping the network, established backdoor access, and identified the backup infrastructure before doing anything destructive. When the time came, they exfiltrated over 100 GB of contracts, agreements, and bank statements before launching a coordinated double-payload attack — White Rabbit ransomware against the Windows estate and Mario ransomware against the virtualisation hypervisors. Backups were destroyed first, then everything else.

Blackpanda led ransomware negotiation alongside the investigation, reconstructed the full attack chain from the first brute-force packet in early February to the final ransomware detonation in mid-March, and produced a hardening roadmap covering MFA enforcement, credential rotation, network segmentation, and immutable backup architecture.

CHALLENGE

In mid-March 2026, a Malaysian manufacturer woke up to ransom notes on nearly 30 machines. Workstations across the office were locked. Virtual machines hosting business-critical applications had been encrypted. The backup server, the one component that should have made recovery a matter of hours, had been targeted first and destroyed. Production systems were down, file servers were inaccessible, and across the affected infrastructure two different ransom notes were appearing in parallel: one branded White Rabbit on the Windows endpoints, another branded Mario on the virtualisation layer.

What the organisation could not yet see was that the attack had not started that morning. It had started six weeks earlier, with a brute-force campaign against the firewall's internet-facing management interface, the kind of low-and-slow password-guessing that tends not to trigger alarms because no individual login attempt looks dramatic. The administrative interface lacked both multi-factor authentication and source-IP filtering, leaving it completely exposed to the public internet.

The account that eventually fell was a vendor support login provisioned for the organisation's ERP partner. It was meant to be used from Malaysia, Singapore, India, or Thailand. The successful login came from a European IP address, in the early hours of the morning, with no second factor required to challenge it. From the firewall's perspective, it was a legitimate session.
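The two preceding paragraphs describe why the campaign went unnoticed: no single attempt looked dramatic, and the eventual success looked like a legitimate session. The detection below, an added example that is not part of the Blackpanda report, aggregates firewall admin-login records per source address over the whole campaign rather than per event, and correlates the first success with the run of failures that preceded it. The log format, addresses, account names and thresholds are all constructed for illustration.

```python
"""Detect a low-and-slow brute-force campaign against an admin login
interface and the eventual success that follows it.

Added example, not from the Blackpanda report: the log format, addresses,
account names and thresholds are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions chosen for the example, not values from the case.
MIN_DISTINCT_DAYS = 7       # failures spread across at least a week
MIN_TOTAL_FAILURES = 200    # enough volume to call it a campaign
MAX_FAILS_PER_HOUR = 5      # a rate that stays under a typical lockout policy
MIN_PRIOR_FAILURES = 10     # a success after this many failures is suspicious


def parse(line):
    """Parse a constructed line: '<iso time> <FAIL|SUCCESS> user=.. src=.. country=..'."""
    ts, result, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "result": result, **fields}


def build_constructed_log():
    """Constructed admin-login log: one source failing every 40 minutes for
    14 days and then succeeding, plus benign vendor and admin logins."""
    start = datetime(2026, 2, 1)
    lines = []
    t = start
    while t < start + timedelta(days=14):
        lines.append(f"{t.isoformat()} FAIL user=erp-vendor src=203.0.113.7 country=DE")
        t += timedelta(minutes=40)
    lines.append(f"{t.isoformat()} SUCCESS user=erp-vendor src=203.0.113.7 country=DE")
    for day in range(0, 14, 3):  # legitimate vendor logins during the working day
        ts = start + timedelta(days=day, hours=10)
        lines.append(f"{ts.isoformat()} SUCCESS user=erp-vendor src=198.51.100.20 country=MY")
    typo = start + timedelta(days=2, hours=9)  # an admin mistyping once, then logging in
    lines.append(f"{typo.isoformat()} FAIL user=netadmin src=192.0.2.5 country=MY")
    lines.append(f"{(typo + timedelta(minutes=1)).isoformat()} SUCCESS user=netadmin src=192.0.2.5 country=MY")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically


def detect(lines):
    """Return alerts: ('success_after_failures', src, user, prior_failures) and
    ('low_and_slow_bruteforce', src, total_failures, distinct_days)."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    fails_by_src = defaultdict(list)
    alerts = []
    for e in events:
        src = e["src"]
        if e["result"] == "FAIL":
            fails_by_src[src].append(e["ts"])
        elif len(fails_by_src.get(src, ())) >= MIN_PRIOR_FAILURES:
            # The first success after a long run of failures is the login that matters.
            alerts.append(("success_after_failures", src, e["user"], len(fails_by_src[src])))
    for src, stamps in fails_by_src.items():
        days = {t.date() for t in stamps}
        per_hour = defaultdict(int)
        for t in stamps:
            per_hour[t.replace(minute=0, second=0)] += 1
        # Many failures, spread over many days, never bursting: exactly the
        # pattern a per-event or per-hour lockout threshold does not see.
        if (len(stamps) >= MIN_TOTAL_FAILURES and len(days) >= MIN_DISTINCT_DAYS
                and max(per_hour.values()) <= MAX_FAILS_PER_HOUR):
            alerts.append(("low_and_slow_bruteforce", src, len(stamps), len(days)))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_constructed_log()):
        print(alert)
```

The point of the two rules together is that neither the per-hour rate nor any single login would trip a conventional lockout; only counting across days, and treating the first success from a source with hundreds of prior failures as the event to page on, surfaces this pattern.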

The deeper problem was not the brute force, and not even the missing MFA. It was what the attackers found inside the firewall once they were in. The configuration file they downloaded contained stored credentials for an LDAP bind account, a service account used to authenticate VPN users against Active Directory. The account configured for that purpose was a domain administrator. From that moment on, the attackers held the keys to the entire Windows environment without having to break another password.


SOLUTION

1. Containment of active threat actor access

Blackpanda's first priority was severing the attacker's foothold before any additional damage could occur. Forensic investigators identified the malicious VPN portal that had been created on the firewall, the backdoor local account mapped to it, and the firewall policy that allowed the account broad access into the internal network with traffic logging disabled. These were removed in coordination with the organisation's IT team within days of engagement. The compromised vendor account and the privileged domain account abused for lateral movement were both isolated and credentials rotated.
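The artefacts listed above (an extra VPN portal, a local account mapped to it, and an accept policy with logging disabled) are all deviations from an approved configuration. The audit below is an added example, not from the report or any firewall vendor: it compares a constructed, vendor-neutral configuration export against a signed-off baseline and reports exactly those classes of drift, plus the exposed management interface from the Challenge section. The schema and every value in it are constructed.

```python
"""Audit a firewall configuration against an approved baseline and flag the
kinds of changes this case describes: an extra VPN portal, a local account
nobody approved, a policy that reaches everything with logging off, and an
admin interface open to the internet without MFA.

Added example, not from the report or any vendor: the configuration format
and every value in it are constructed and vendor-neutral.
"""
import json

# Constructed configuration export (hypothetical schema).
CURRENT_CONFIG = json.loads("""
{
  "admin_interface": {"mfa": false, "trusted_hosts": []},
  "local_users": ["fwadmin", "erp-vendor", "support2"],
  "vpn_portals": ["corp-ssl-vpn", "portal2"],
  "policies": [
    {"name": "vendor-erp", "src": "portal:corp-ssl-vpn", "dst": "erp-servers",
     "service": "HTTPS", "action": "accept", "log": true},
    {"name": "pol-17", "src": "portal:portal2", "dst": "all",
     "service": "ALL", "action": "accept", "log": false}
  ]
}
""")

# What the organisation signed off on (constructed).
BASELINE = {"local_users": {"fwadmin", "erp-vendor"}, "vpn_portals": {"corp-ssl-vpn"}}


def audit(config, baseline):
    """Return a list of (severity, finding_id, detail) tuples."""
    findings = []
    admin = config["admin_interface"]
    if not admin.get("mfa"):
        findings.append(("high", "admin_mfa_disabled", "management login has no second factor"))
    if not admin.get("trusted_hosts"):
        findings.append(("high", "admin_no_source_restriction",
                         "management interface reachable from any address"))
    for user in sorted(set(config["local_users"]) - baseline["local_users"]):
        findings.append(("high", "unapproved_local_user", user))
    for portal in sorted(set(config["vpn_portals"]) - baseline["vpn_portals"]):
        findings.append(("high", "unapproved_vpn_portal", portal))
    for pol in config["policies"]:
        if pol["action"] != "accept":
            continue
        if not pol.get("log"):
            # Traffic through an accept rule with logging off leaves no trail to investigate.
            findings.append(("medium", "accept_policy_logging_disabled", pol["name"]))
        if pol["dst"] == "all" and pol["service"] == "ALL":
            findings.append(("high", "overly_broad_accept_policy", pol["name"]))
        if pol["src"].startswith("portal:"):
            portal = pol["src"].removeprefix("portal:")
            if portal not in baseline["vpn_portals"]:
                findings.append(("high", "policy_uses_unapproved_portal", f"{pol['name']} -> {portal}"))
    return findings


if __name__ == "__main__":
    for severity, finding, detail in audit(CURRENT_CONFIG, BASELINE):
        print(f"[{severity}] {finding}: {detail}")
```

Run on a schedule against each day's configuration export, a baseline diff of this kind would have reported the new portal, the new account and the unlogged any-any policy the day they appeared, rather than weeks later during incident response.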

2. Forensic reconstruction of the full attack chain

Across seventeen endpoints and virtual machines, Blackpanda performed forensic acquisition and analysis to reconstruct the attacker's activity from the first brute-force packet to the final ransomware detonation. This involved analysing firewall traffic logs, VPN logs, system logs, authentication logs, and forensic artefacts recovered from encrypted virtual machine disks through data carving — the latter being necessary because the ransomware had encrypted the disk images themselves, requiring investigators to extract recoverable data from the underlying file structures.
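Data carving, as described above, locates files by their own byte signatures when the filesystem metadata that would normally point to them is unreadable. The carver below is an added example, not the investigators' tooling: it scans a constructed "disk image" byte buffer for PDF and PNG header/footer pairs, then walks the PNG chunk structure to confirm the carved object is structurally complete rather than a coincidental header match. The buffer and the embedded files are constructed.

```python
"""Signature-based file carving over a raw disk image whose filesystem
metadata is unusable: locate files by their header and footer byte
sequences and walk the PNG chunk structure to confirm a carved PNG is
intact.

Added example, not from the report: the 'disk image' below is a
constructed byte buffer containing a minimal PDF and PNG between filler.
"""
import struct

# Header and footer signatures for the types carved here.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

FILLER = b"\x00" * 64 + bytes(range(256)) + b"\xff" * 64  # unrelated sectors
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<</Root 1 0 R>>\nstartxref\n9\n%%EOF"
# Minimal PNG: signature, IHDR chunk (13 data bytes, CRC left as zeros), IEND chunk.
PNG_SAMPLE = (b"\x89PNG\r\n\x1a\n"
              + struct.pack(">I", 13) + b"IHDR" + b"\x00" * 13 + b"\x00" * 4
              + struct.pack(">I", 0) + b"IEND" + b"\xaeB`\x82")
DISK_IMAGE = FILLER + PDF_SAMPLE + FILLER + PNG_SAMPLE + FILLER  # constructed image


def carve(image, signatures=SIGNATURES, max_size=64 * 1024 * 1024):
    """Return [(kind, offset, data)] for every header/footer pair found, by offset."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:  # header with no footer in range: skip just this header
                pos = start + len(header)
                continue
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def png_is_intact(data):
    """Walk PNG chunks; True only if the chain ends with IEND exactly at the end of data."""
    if not data.startswith(SIGNATURES["png"][0]):
        return False
    off = 8
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        off += 8 + length + 4  # length/type header, chunk data, CRC (CRC not verified here)
        if ctype == b"IEND":
            return off == len(data)
    return False


if __name__ == "__main__":
    for kind, offset, data in carve(DISK_IMAGE):
        status = png_is_intact(data) if kind == "png" else "n/a"
        print(f"{kind} at offset {offset}, {len(data)} bytes, intact={status}")
```

Header/footer matching alone produces false positives and truncated results on fragmented files; the structural walk is the cheap second check that separates a recoverable object from a stray byte pattern, which is why carving output is triaged before anything in it is treated as evidence.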

3. Identification of the credential exposure pathway

A central finding of the investigation was that the firewall configuration itself was the pivot point, not just the entry point. By analysing the configuration file the attackers had downloaded, Blackpanda confirmed that domain administrator credentials had been stored within it for Lightweight Directory Access Protocol (LDAP) authentication purposes, and that this single artefact had given the attackers domain-wide access in one step.

This finding reframed the response from “rotate the compromised account” to “rotate every credential reachable through the firewall configuration and redesign how privileged accounts are used by network appliances.”
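The "blast radius" question raised here, and again in the Challenge section and the FAQ, is answerable before an incident: for every account whose credentials sit in an appliance configuration, resolve its effective group membership, including nested groups, and see whether it lands in a privileged group. The script below is an added example, not from the report: the group tree, account names and appliance inventory are constructed, and the privileged group names are the standard Active Directory ones.

```python
"""Find appliance-stored service accounts that are effectively privileged,
following nested group membership the way a directory would.

Added example, not from the report: the group tree, account names and
appliance inventory are constructed.
"""
from collections import defaultdict

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed directory: group -> direct members (users or other groups).
GROUPS = {
    "Administrators": {"Domain Admins"},
    "Domain Admins": {"da-jlee", "Infra Ops"},
    "Enterprise Admins": {"ea-root"},
    "Infra Ops": {"svc_fw_ldap", "ops-kchan"},   # nested two levels below Administrators
    "VPN Users": {"erp-vendor", "ops-kchan"},
    "Readers": {"svc_radius"},
}

# Constructed inventory of accounts whose credentials live inside appliance configs.
APPLIANCE_CREDENTIALS = {
    "edge-firewall": ["svc_fw_ldap"],     # LDAP bind account for VPN authentication
    "wifi-controller": ["svc_radius"],
}


def effective_groups(principal, groups):
    """Every group `principal` belongs to, directly or through nesting."""
    parents = defaultdict(set)
    for group, members in groups.items():
        for member in members:
            parents[member].add(group)
    seen, stack = set(), [principal]
    while stack:
        node = stack.pop()
        for group in parents.get(node, ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def privileged_credentials(inventory, groups, privileged=PRIVILEGED_GROUPS):
    """Map (appliance, account) -> sorted privileged groups it effectively belongs to."""
    exposed = {}
    for appliance, accounts in inventory.items():
        for account in accounts:
            hit = effective_groups(account, groups) & privileged
            if hit:
                exposed[(appliance, account)] = sorted(hit)
    return exposed


if __name__ == "__main__":
    for (appliance, account), groups in privileged_credentials(APPLIANCE_CREDENTIALS, GROUPS).items():
        print(f"{appliance}: stored credential {account} is effectively in {', '.join(groups)}")
```

In the constructed tree the bind account is not a direct member of Domain Admins, which is what a direct-membership report would show; the nesting through an operations group is what makes the stored credential a one-step path to the whole domain, and it is the kind of thing that only a transitive check catches.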

4. Data exfiltration assessment

Blackpanda performed a full data exfiltration assessment using firewall network telemetry and confirmed that over 100 GB of data had been transferred from a file server to an external cloud storage bucket over a roughly three-hour window in the early hours of the attack.

Analysis of the attackers' configuration file showed they had used extension-based filtering to maximise the value of their haul, targeting roughly 90 different file types including internal documents, corporate databases, and password-manager vaults.

The exfiltrated data was confirmed to include contracts, agreements, and bank statements, based on samples the attackers shared during ransomware negotiation.
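The assessment above was reconstructed from firewall telemetry after the fact; the same telemetry supports detecting the transfer while it is happening. The detector below is an added example, not the report's method: it sums outbound bytes per (source, destination) pair over a sliding three-hour window from constructed flow records and alerts when an unsanctioned external destination crosses a threshold. The addresses, the approved destination and the threshold are constructed.

```python
"""Flag bulk outbound transfers to unsanctioned external destinations from
firewall flow telemetry: sum bytes per (source, destination) pair in a
sliding three-hour window and alert when the total crosses a threshold.

Added example, not from the report: flow records, addresses, the approved
destination and the threshold are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_EXTERNAL = {"198.51.100.10"}   # constructed: sanctioned off-site backup target
WINDOW = timedelta(hours=3)
THRESHOLD_BYTES = 5 * 1024 ** 3         # assumption: 5 GiB in any 3-hour window


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def build_constructed_flows():
    """Constructed flow records: {ts, src, dst, bytes}, bytes = data sent by src."""
    t0 = datetime(2026, 3, 14, 1, 0)
    flows = []
    for i in range(18):   # file server pushing 6 GiB every 10 minutes to an external host
        flows.append({"ts": t0 + timedelta(minutes=10 * i), "src": "10.0.5.20",
                      "dst": "203.0.113.50", "bytes": 6 * 1024 ** 3})
    for i in range(100):  # ordinary browsing from a workstation
        flows.append({"ts": t0 + timedelta(minutes=2 * i), "src": "10.0.1.15",
                      "dst": "203.0.113.80", "bytes": 2 * 1024 ** 2})
    flows.append({"ts": t0, "src": "10.0.5.20", "dst": "10.0.9.9",
                  "bytes": 50 * 1024 ** 3})        # internal backup job: not egress
    flows.append({"ts": t0, "src": "10.0.5.20", "dst": "198.51.100.10",
                  "bytes": 20 * 1024 ** 3})        # sanctioned off-site copy
    return flows


def detect_bulk_egress(flows, window=WINDOW, threshold=THRESHOLD_BYTES):
    """Return one alert per (src, dst) pair whose busiest window reaches threshold."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f["dst"]) or f["dst"] in APPROVED_EXTERNAL:
            continue
        by_pair[(f["src"], f["dst"])].append((f["ts"], f["bytes"]))
    alerts = []
    for (src, dst), recs in by_pair.items():
        recs.sort()
        total, left, best, best_span = 0, 0, 0, None
        for ts, nbytes in recs:
            total += nbytes
            while ts - recs[left][0] > window:   # slide the window forward
                total -= recs[left][1]
                left += 1
            if total > best:
                best, best_span = total, (recs[left][0], ts)
        if best >= threshold:
            alerts.append({"src": src, "dst": dst, "bytes": best,
                           "start": best_span[0], "end": best_span[1]})
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_egress(build_constructed_flows()):
        print(f"{a['src']} -> {a['dst']}: {a['bytes'] / 1024 ** 3:.0f} GiB between {a['start']} and {a['end']}")
```

A volume rule of this shape is deliberately indifferent to the tool used, so a renamed copy of a legitimate sync utility looks the same as anything else moving 100 GB to a host the organisation has never sent data to; the allow-list of sanctioned destinations is what keeps the scheduled off-site backup from paging anyone.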

5. Threat intelligence and ransomware family attribution

Blackpanda confirmed two distinct ransomware families were deployed in the same intrusion. White Rabbit, first observed in late 2021, is a highly evasive Windows-targeting payload that requires a command-line password to unpack, a deliberate design choice that defeats automated sandbox analysis. Mario is a Linux-based hypervisor encryptor derived from the leaked Babuk source code, used opportunistically by various operators because encrypting virtual machine datastores causes maximum operational disruption with minimal effort.

The combination — a Windows payload and a hypervisor payload deployed in parallel — was a deliberate choice to maximise downtime by hitting both the endpoint estate and the virtualisation layer the same night.

6. Ransomware negotiation

Alongside the technical investigation, Blackpanda's negotiation team engaged with the threat actors throughout the response, including verification of the exfiltrated data sample provided by the attackers as proof of access.


RESULTS

1. Full attack chain reconstructed across ~40 days

The complete intrusion timeline was established, from the first brute-force attempt in early February 2026 to the ransomware detonation in mid-March 2026. This timeline confirmed the attackers had been inside the network for nearly three weeks before any destructive action was taken.

2. Active attacker access severed within days of engagement

The malicious VPN portal, backdoor account, and permissive firewall policy were identified and removed during the first phase of the response, eliminating the persistent re-entry path the attackers had built for themselves.

3. Credential blast radius identified and remediated

The discovery that domain administrator credentials had been stored within the firewall configuration redefined the credential rotation scope. Every account with privileged access — including all service, domain, and local administrative accounts — was rotated, and a dedicated low-privilege service account was provisioned for the firewall's LDAP integration in place of the original domain administrator account.

4. Data exfiltration scope quantified

The volume (over 100 GB), the destination (an external cloud storage bucket), the mechanism (a renamed Rclone toolkit), the time window (a three-hour transfer in the early hours of the attack), and the categories of data taken (contracts, agreements, bank statements, and ~90 targeted file types) were all confirmed. This gave the organisation a defensible factual basis for legal and regulatory communications, rather than the worst-case assumption that everything had been taken.

5. Hardening roadmap delivered with prioritised actions

A short-term and long-term recommendation set was produced covering MFA enforcement, credential and account architecture redesign, network segmentation between virtualisation management and the general user network, brute-force resistance controls on exposed services, immutable backup architecture, comprehensive endpoint detection deployment, and centralised security monitoring with detection use cases modelled on this specific intrusion.

6. Threat intelligence enrichment for future detection

Blackpanda documented indicators of compromise — including command-and-control infrastructure, file hashes for exfiltration tools and ransomware payloads, and attacker IP addresses across multiple jurisdictions — as a reference for the organisation's future detection rules and for any entity encountering the same threat actor toolkit.

The pattern this investigation surfaces is one any organisation can act on in advance: an exposed administrative interface, a vendor account without MFA, a privileged service account stored in a network appliance configuration, and a flat network where compromising one machine means reaching every machine. Each of those four conditions is fixable before an attacker arrives; after they arrive, each becomes a multiplier of the damage.


FAQ

1. Why did a two-week brute-force attack succeed?

Two reasons, and they compound each other. The firewall's management interface was exposed to the entire internet with no source-IP restrictions, meaning anyone, anywhere could attempt logins continuously. And the account being attacked had no multi-factor authentication, meaning a correct password was the only thing required for access. Brute-force attacks against exposed admin interfaces succeed eventually as a matter of arithmetic — the only variables are how long it takes and whether MFA stops it at the door.

The U.S. Cybersecurity and Infrastructure Security Agency explicitly identifies this combination — exposed services and weak or absent MFA — as one of the most commonly exploited initial access vectors in active intrusions.

2. How can a single login lead to full network compromise?

In this case, the compromised login gave the attackers access to download the firewall configuration file. That file contained stored credentials for a domain administrator account, used by the firewall to authenticate VPN users against Active Directory. Once the attackers had that credential, they had administrative access across the entire Windows environment without needing to compromise another account. The lesson is that network appliances don't just permit access — they often hold the credentials that grant access elsewhere. A configuration file in the wrong hands can be more valuable than the device itself.

3. Why were two different ransomware strains used in the same attack?

Because they target different things. White Rabbit is a Windows-focused payload designed to encrypt workstations and Windows servers. Mario is a Linux-based payload designed to encrypt the virtualisation layer — specifically, the hypervisor hosts that run multiple virtual machines on a single physical server. By deploying both in parallel, the attackers hit the endpoint estate and the virtualisation infrastructure simultaneously, making recovery dramatically harder than if either had been used alone. This dual-payload approach is increasingly common in advanced ransomware campaigns and reflects the operational reality that most modern enterprises run a mix of Windows endpoints and virtualised server infrastructure.

4. Why is targeting backups the first move in modern ransomware attacks?

Because backups are the recovery option that breaks the ransom demand. If an organisation can restore from clean backups, the encrypted production systems become a temporary inconvenience rather than a hostage situation. Attackers know this, and modern ransomware playbooks now explicitly prioritise destroying backup infrastructure before encrypting anything else. The defensive answer is immutable backups — backups stored in a way that cannot be modified or deleted from the primary network, even by an attacker with domain administrator access. NIST guidance on ransomware risk management treats immutable, offline backup as a foundational control for exactly this reason.

5. What does “double extortion” mean and why does it matter?

In this case, the attackers transferred over 100 GB of corporate data — contracts, agreements, and bank statements — to an external server in a three-hour window, then used samples of that data as leverage during ransom negotiations. That is double extortion: steal the data first, encrypt second, and use the threat of public exposure to pressure payment regardless of whether the victim has backups. It matters because clean backups no longer resolve the situation. Even an organisation that restores its systems within hours still faces the question of what the attackers are holding — and what they intend to do with it.

6. What should organisations do about vendor accounts that need remote access?

Treat vendor accounts with more scrutiny than internal admin accounts, not less. Vendor accounts should have MFA enforced as a hard requirement; should be restricted to specific source IP ranges or geographies aligned to the vendor's actual operating locations; should have time-of-day restrictions where applicable; should use dedicated accounts per vendor rather than shared accounts; and should be subject to login alerting that flags any access outside expected parameters. Vendor accounts often have administrative-level access by necessity but receive less monitoring attention than internal admin accounts — that asymmetry is exactly what attackers exploit.
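The controls listed in this answer (MFA as a hard requirement, source country aligned to where the vendor actually works, time-of-day limits, and alerting on anything outside those parameters) can be expressed as a single policy gate evaluated on every vendor login. The code below is an added example, not from the report: the allowed countries for the ERP account are the ones the case names, while the hours, the second vendor and the login events are constructed.

```python
"""Evaluate vendor remote-access logins against a per-vendor policy: MFA
required, allowed source countries, allowed local hours. Every violation
both denies the login and raises an alert, so access outside expected
parameters is never silent.

Added example, not from the report: the policy hours, the second vendor,
and the login events are constructed.
"""
from datetime import datetime

# Constructed policy. The ERP vendor's countries are the ones the case lists;
# the hours and the second vendor are assumptions.
VENDOR_POLICY = {
    "erp-vendor":  {"require_mfa": True, "allowed_countries": {"MY", "SG", "IN", "TH"},
                    "allowed_hours": (8, 20)},
    "hvac-vendor": {"require_mfa": True, "allowed_countries": {"MY"},
                    "allowed_hours": (9, 18)},
}


def evaluate_login(event, policy=VENDOR_POLICY):
    """Return {'decision', 'alert', 'reasons'} for one login event.
    event: {'user', 'country', 'mfa', 'ts'} with ts as ISO local time."""
    rules = policy.get(event["user"])
    if rules is None:
        # An account with no vendor policy should not be able to log in through this path.
        return {"decision": "deny", "alert": True, "reasons": ["no_vendor_policy_for_account"]}
    reasons = []
    if rules["require_mfa"] and not event.get("mfa"):
        reasons.append("mfa_not_satisfied")
    if event["country"] not in rules["allowed_countries"]:
        reasons.append(f"country_not_allowed:{event['country']}")
    start, end = rules["allowed_hours"]
    hour = datetime.fromisoformat(event["ts"]).hour
    if not start <= hour < end:
        reasons.append(f"outside_allowed_hours:{hour:02d}")
    return {"decision": "deny" if reasons else "allow", "alert": bool(reasons), "reasons": reasons}


def triage(events, policy=VENDOR_POLICY):
    """Evaluate a batch and return (user, country, reasons) for every event that should page someone."""
    paged = []
    for e in events:
        verdict = evaluate_login(e, policy)
        if verdict["alert"]:
            paged.append((e["user"], e["country"], verdict["reasons"]))
    return paged


# Constructed login events.
SAMPLE_EVENTS = [
    {"user": "erp-vendor", "country": "DE", "mfa": False, "ts": "2026-02-15T03:12:00"},
    {"user": "erp-vendor", "country": "MY", "mfa": True,  "ts": "2026-02-13T10:05:00"},
    {"user": "erp-vendor", "country": "SG", "mfa": True,  "ts": "2026-02-13T22:40:00"},
    {"user": "support2",   "country": "MY", "mfa": True,  "ts": "2026-02-13T11:00:00"},
]

if __name__ == "__main__":
    for user, country, reasons in triage(SAMPLE_EVENTS):
        print(f"ALERT {user} from {country}: {', '.join(reasons)}")
```

The first constructed event mirrors the pattern the Challenge section describes: wrong continent, wrong hour, no second factor. Any one of the three is enough to deny and alert; the gate reports all of them so the analyst sees the full picture in one ticket rather than three.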

Blackpanda's regional incident response data identifies third-party access pathways as a consistent initial compromise vector. For an alternative example of this vulnerability, refer to our case study on hidden cyber risks at a Hong Kong charity.

WHAT THIS MEANS FOR YOUR ORGANISATION

The intrusion detailed here does not involve an exceptional threat actor or a novel method. Rather, it followed a standard playbook seen throughout the region every quarter: brute-forcing an open admin interface, exploiting a vendor account, extracting credentials from network hardware, lateral movement via stolen domain admin rights, backup destruction, and the simultaneous deployment of ransomware across Windows and virtualised environments. This incident reached a catastrophic scale not because of the complexity of the attack, but because the adversary encountered no significant barriers until the ransomware began to detonate.

For any organisation, the critical lesson is that the vulnerabilities exploited here are the result of specific, rectifiable choices made before an incident occurs. Maintaining an exposed admin interface, failing to enforce MFA on vendor accounts, storing domain admin credentials in firewall configurations, and operating a flat network are all policy and architectural decisions. Addressing these during peacetime is a manageable investment; attempting to fix them during an active crisis is exponentially more costly in terms of revenue, reputation, and operational stability.

The organisations that recover quickly from ransomware are the ones that have already done the unglamorous work: enforced MFA everywhere it matters, segmented their networks so that one compromised host doesn't equal the whole environment, kept immutable offline backups that an attacker with domain admin rights cannot reach, and have an incident response team on standby that can deploy in hours rather than days. That last point is what Blackpanda's IR-1 subscription is built for — a fixed-cost, 4-hour SLA on guaranteed activation, so that when an incident arrives, the response is already paid for, the team is already on standby, and the first call doesn't have to be a procurement conversation at 3 AM.


ABOUT BLACKPANDA

Blackpanda is a Lloyd’s of London–accredited insurance coverholder and Asia’s leading local cyber incident response firm, delivering end-to-end digital emergency support across the region. We are pioneering the A2I (Assurance-to-Insurance) model in cybersecurity — uniting preparation, response, and insurance into a seamless pathway that minimises financial and operational impact from cyber attack. Through expert consulting services, response assurance subscriptions, and innovative cyber insurance, we help organisations get ready, respond, and recover from cyber attacks — all delivered by local specialists working in concert.

Our mission is clear: to bring complete cyber peace of mind to every organisation in Asia, from the first moment of breach through full recovery and beyond.