Key facts
- Organisation: Malaysian manufacturer, operations across two sites
- Threat: LeakNet ransomware, double extortion (steal, then encrypt)
- Initial access: Two internet-facing remote-access paths, neither with multi-factor authentication
- Impact: Over 280,000 files encrypted; more than 250GB stolen; both sites down
- Core issue: The main “backup” NAS share was live production data with no separate copy
What this case shows
- A NAS share named “backup” is not a backup unless it (a) sits off the network, and (b) gets restored on a schedule to prove it works.
- Multi-factor authentication on every remote-access path would have closed doors that allowed the attackers to walk through.
- Cyber theft usually runs silent. Data left the systems for weeks before a single file was locked.
See how Blackpanda’s Emergency Incident Response and IR-1 response assurance shorten the path from breach to recovery.
What this would have cost without Blackpanda IR-1 in place
| | ODIR | IR-1 |
|---|---|---|
| Type of engagement | On-demand incident response | Yearly subscription |
| Hours covered | 80 hours | Unlimited* |
| Pricing¹ | USD $40,000 | USD $4,000 |
* Unlimited for one incident per year
¹ Ad-hoc incident response pricing based on average market rates, from USD 500 per hour. Blackpanda IR-1 subscription pricing based on no. of endpoints, costing approx. 10x less than ad-hoc and retainer-based incident response. All figures are illustrative only, for guidance and marketing purposes and not to be relied upon by the reader. Actual incident response costs vary by scope, complexity, and provider.
CHALLENGE
A manufacturer with operations split across two sites ran its business off a single shared file store. Accounting, payroll, project files, HR records — all of it lived on one network-attached storage (NAS) share, which carried a reassuring name, “Server Backup”.
But the name was misleading: that NAS held no backup at all. It was the only live, primary copy.
In April 2026, the practical consequences of that underlying problem became clear. A ransomware crew encrypted the company’s servers at both sites inside roughly the same 75-minute window, locking more than 280,000 files on the misnamed share alone. Staff who reached for the “backup” to recover found it scrambled with everything else.
And the attackers had not arrived that morning. They had held quiet control of the company’s domain controller — the server that manages every network login — for more than six weeks. That was long enough to map the network, open critical folders, and move more than 250GB of data out before locking a single file. The ransom note, true to the LeakNet group’s double-extortion playbook, threatened to publish what they had taken.
What the company could not see was the true shape of its own exposure. The organisation maintained two internet-facing paths for remote access, with one at each location. Both systems permitted logins using only a password, lacking the multi-factor authentication required to block the use of compromised credentials. A domain administrator password unchanged in years, shared with a second standing admin account, meant one cracked login opened that site’s entire network.
The attackers did not break in so much as walk in.
SOLUTION
1. Pin down when the attackers really arrived
Blackpanda worked backward from the encrypted files, drawing evidence from endpoint records, the virtualisation host, and what little the firewalls retained. The cleanest logs were gone — wiped from both compromised servers after encryption — so the team rebuilt the sequence from endpoint-protection journals and system artefacts instead. That reconstruction placed the intruders inside the network more than six weeks before the ransomware was deployed.
2. Prove what left the building
The team recovered the configuration of a data-transfer toolkit staged on the domain controller and matched it to a sustained six-hour outbound transfer. The volume lined up with the 250GB the ransom note claimed. Because the firewall logs were retained only briefly, the exfiltration could not be measured precisely, but the available indicators were enough to establish that the data theft was real rather than an empty threat. That determination mattered: it gave leadership the clarity to make the right call when a group threatens to release stolen information.
3. Shut the doors the attackers used
Blackpanda moved to enforce multi-factor authentication on every remote-access path, reset all exposed domain and local credentials, and reset the Kerberos ticket-signing account twice to evict any forged access. The shared, never-expiring admin account that mirrored the domain administrator’s password was disabled outright.
4. Rebuild clean, restore safe
Rather than reuse compromised systems, the team rebuilt the affected hosts from known-clean media and restored data only from copies confirmed to pre-date the intrusion. The environment went under 24-hour managed detection so that the next anomaly would surface in real time, not six weeks late.
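The sustained six-hour outbound transfer in step 2 is the kind of signal continuous monitoring can catch while it is still under way. As an added example (not Blackpanda’s tooling or anything from the engagement), the script below walks a constructed firewall connection log, sums outbound bytes per internal host and destination per clock hour, and flags pairs that stay above a threshold for several consecutive hours; the log format, the 10.0.0.0/8 internal range and the addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range

# Constructed sample firewall log, "timestamp,src_ip,dst_ip,bytes_out" per
# outbound connection. A made-up domain controller (10.0.1.5) pushes ~40 GB an
# hour to one external host for six hours overnight; a workstation sends
# ordinary-sized traffic during the day.
SAMPLE_LOG = "\n".join(
    [f"2026-03-01T0{h}:15:00,10.0.1.5,203.0.113.77,40000000000" for h in range(1, 7)]
    + ["2026-03-01T09:00:00,10.0.2.20,198.51.100.9,5200000",
       "2026-03-01T10:30:00,10.0.2.20,198.51.100.9,7100000"])

def hourly_outbound(log_text):
    """Bytes sent internal->external per (src, dst) pair, bucketed by clock hour."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in log_text.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
            buckets[(src, dst)][hour] += int(nbytes)
    return buckets

def consecutive_runs(hours, min_bytes):
    """Split the hours that reach min_bytes into lists of consecutive hours."""
    runs, cur = [], []
    for hour in sorted(hours):
        if hours[hour] < min_bytes or (cur and hour - cur[-1] != timedelta(hours=1)):
            if cur:
                runs.append(cur)
            cur = []
        if hours[hour] >= min_bytes:
            cur.append(hour)
    if cur:
        runs.append(cur)
    return runs

def sustained_transfers(log_text, min_hours=4, min_bytes_per_hour=500_000_000):
    """Report (src, dst) pairs whose outbound volume stayed above min_bytes_per_hour
    for at least min_hours consecutive hours: the shape of a bulk exfiltration."""
    findings = []
    for (src, dst), hours in hourly_outbound(log_text).items():
        for run in consecutive_runs(hours, min_bytes_per_hour):
            if len(run) >= min_hours:
                total = sum(hours[h] for h in run)
                findings.append({"src": src, "dst": dst, "start": run[0].isoformat(),
                                 "hours": len(run), "gb": round(total / 1e9, 1)})
    return findings
```

Calling `sustained_transfers(SAMPLE_LOG)` reports the single six-hour, 240 GB run from 10.0.1.5 and nothing for the workstation; tune the thresholds to the site’s normal overnight baseline rather than the defaults.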
RESULTS
1. A full timeline, despite the cover-up
Even with the native logs cleared, Blackpanda reconstructed the intrusion end to end and established a six-week dwell time the organisation had no idea existed.
2. The theft confirmed, not assumed
The investigation established that sensitive data had almost certainly been taken before encryption, giving leadership a factual basis for its disclosure and legal decisions instead of guesswork.
3. Both entry points found and closed
Two unprotected remote-access paths were identified as the way in and secured, removing the standing risk that would have allowed a repeat.
4. A clean recovery, no reinfection
Rebuilding from clean media and pre-compromise data returned both sites to service without carrying the attacker back in.
The thread running through all of it is timing. The damage was set in motion six weeks before anyone noticed, by access that looked ordinary and data movement no one was watching. The controls that would have changed the outcome — multi-factor authentication, rotated credentials, a real and tested backup, continuous monitoring — are all things an organisation puts in place before an incident, not during one.
FREQUENTLY ASKED QUESTIONS
1. Wasn’t the data backed up?
The share holding the company’s working files was named “Server Backup”, but the name was the trap — it was the live store, not a copy, and no separate backup sat off the network. When the ransomware ran, the only copy went with it. A backup only counts if it is isolated and restored on a schedule to prove it works, the practice CISA’s ransomware guidance sets out. The same misplaced trust in a network share undid a print-services firm whose NAS was wiped in a separate case.
2. How did attackers get in without breaking anything?
They used valid logins on remote-access paths that asked only for a password. Without multi-factor authentication, a single stolen or guessed credential is a key to the front door — which is why unprotected VPNs keep turning up as the way in, as in a ransomware intrusion at an industrial manufacturer through an exposed VPN.
3. If they encrypt everything, why also steal the data?
Because theft gives them leverage even if you recover. The threat to publish stolen files survives a clean restore, and it has become the norm rather than the exception. Google’s threat-intelligence team found data theft in roughly 77% of ransomware intrusions in 2025, up from about 57% the year before. Encryption locks you out; exfiltration keeps the pressure on.
4. How were they inside for weeks without anyone noticing?
The early activity looked like normal administrator behaviour, and the company had no continuous monitoring to flag it. Long dwell times are common when no one is watching the right signals — attackers also increasingly go after the virtualisation layer directly, as in this ESXi hypervisor ransomware case. Managed detection exists to close that blind spot.
5. Should we have paid?
That call belongs to leadership with legal counsel, and Blackpanda does not pressure either way. What it does is establish the facts that make the decision rational — what was taken, whether a clean restore is possible, and what regulatory duties apply. A compromise assessment answers the first question before an incident forces it.
WHAT THIS MEANS FOR YOUR ORGANISATION
This was not a sophisticated break-in. It was an ordinary one that worked because a few basics were missing: a remote-access path without a second factor, an admin password left untouched for years, and a “backup” that was nothing of the kind. The pattern is industry-wide. The same threat-intelligence reporting found attackers targeting virtualisation infrastructure in roughly 43% of intrusions in 2025, up from 29% — the layer this company lost at one of its sites.
The lesson is that recovery is decided long before the ransom note. Tested off-network backups, multi-factor authentication everywhere, rotated credentials, and monitoring that catches a six-week intrusion in week one are the difference between a bad week and a closed business. Blackpanda’s incident response preparation work exists to put those controls in place while there is still time to choose them.
ABOUT BLACKPANDA
Blackpanda is a Lloyd’s of London–accredited insurance coverholder and Asia’s leading local cyber incident response firm, delivering end-to-end digital emergency support across the region. We are pioneering the A2I (Assurance-to-Insurance) model in cybersecurity — uniting preparation, response, and insurance into a seamless pathway that minimises financial and operational impact from cyber attack. Through expert consulting services, response assurance subscriptions, and innovative cyber insurance, we help organisations get ready, respond, and recover from cyber attacks — all delivered by local specialists working in concert.
Our mission is clear: to bring complete cyber peace of mind to every organisation in Asia, from the first moment of breach through full recovery and beyond.