Australian Insurance Company Ransacked by LockBit Ransomware that Blocked Several Business-Critical Systems

PUBLISHED: January 16, 2026

LockBit 3.0 struck an Australian reinsurer after unattended AnyDesk access. Blackpanda traced the break‑in, assessed data‑theft risk, and guided recovery.

Summary

An Australian reinsurance firm discovered something worse than “a server down” — multiple systems had been forcibly encrypted and ransom notes were left behind. Blackpanda was engaged to reconstruct how the attacker broke in, determine whether data was stolen, and help the organisation recover with evidence rather than guesswork.

Blackpanda’s investigation identified the first malicious access as an inbound AnyDesk connection to an internal server in early November 2025, authenticated using an unattended access password — meaning the threat actor had valid credentials. Over the following weeks, the intruder attempted covert tunnelling, escalated privileges, moved laterally via RDP, staged an archive for upload to attacker‑controlled infrastructure, and detonated LockBit 3.0 about two weeks later, encrypting several servers and disrupting backup operations.

With incomplete firewall telemetry and some backup logs encrypted, Blackpanda focused on what could be proven: building a defensible timeline, scoping impact, assessing data‑theft likelihood, and laying out concrete controls to prevent a repeat — including stronger remote access governance, MFA, PAM, segmentation, and improved log retention.

Containing a LockBit Ransomware Intrusion at an Australian Reinsurance Firm in November 2025

At a glance

  • Customer: Australian reinsurance firm
  • Incident type: Ransomware intrusion with data staging and backup interference
  • Ransomware: LockBit 3.0 (“LockBit Black”) confirmed by artefacts and ransom note references
  • Environment: Windows server estate, Active Directory, firewall + VPN, remote access tooling (AnyDesk), backup tooling, RDP
  • Impact confirmed: Less than 10 servers encrypted; backup operations interfered with
  • Blackpanda services: Digital forensics, log analysis, scope validation, data‑theft assessment, containment guidance and hardening roadmap

CHALLENGE

A “down server” that turned into a crime scene

The incident surfaced when a vendor onsite reported they could no longer connect to one of the internal systems. Within hours, the organisation found multiple servers showing encrypted files and ransom notes — confirmation that this wasn’t an outage. It was a break‑in.

Leadership needed clear answers fast:

  • How did the attacker get inside?
  • How far did they move?
  • Was data stolen — and what would we need to report?

The attacker didn’t “spray and pray” — they lived in the environment

Forensic evidence showed the threat actor operated over weeks, using a pattern that looks less like malware and more like burglary:

  • Interactive remote access via AnyDesk using an unattended password
  • Privilege escalation early in the intrusion
  • Lateral movement via RDP across critical servers
  • Preparation for theft, including tooling for archiving and transfer
  • Impact, culminating in LockBit 3.0 deployment and encryption of seven servers

A real-world constraint: visibility gaps when you need proof

Two factors complicated the investigation and the organisation’s ability to be definitive about data theft:

  • Firewall log retention was limited, leaving missing telemetry across a key portion of the intrusion window.
  • Backup application logs were encrypted, reducing visibility into whether attackers changed backup settings or passphrases.

This is a common “incident reality”: executives want certainty, but responders must separate what’s provable from what’s merely plausible.

SOLUTION

1) Rapid triage and defensible scoping

Blackpanda’s incident responders focused immediately on:

  • Collecting triage artefacts from key servers and validating the incident scope
  • Reviewing available firewall and VPN logs
  • Reconstructing the attacker’s sequence of actions using host artefacts and security telemetry

2) Rebuilding the attack narrative: from entry to impact

Blackpanda confirmed the first malicious access as a successful AnyDesk authentication into an internal server in early November 2025 — a pivotal finding because it indicates the attacker had valid unattended access credentials.

From there, the investigation mapped an end‑to‑end progression consistent with a structured ransomware operation:

  • Covert access attempts (tunnelling behaviour was observed and disrupted by controls)
  • Lateral movement via RDP across multiple servers beginning mid‑November
  • Staging and attempted upload of at least one archive to attacker‑controlled infrastructure (see data‑theft assessment below)
  • Ransomware deployment in late November, encrypting less than 10 servers

3) Data‑theft assessment: evidence-led, with honest uncertainty

Because LockBit affiliates frequently steal data before encryption, Blackpanda assessed exfiltration risk from multiple angles:

  • AnyDesk file transfer behaviour: AnyDesk trace logs were reviewed for events indicating outbound file uploads. However, visibility was incomplete on one encrypted server, so exfiltration via AnyDesk could not be fully ruled out.
  • Cloud storage upload activity: Forensic artefacts showed use of tooling consistent with uploading an archive to a cloud bucket. Blackpanda recovered credentials used by the actor and accessed the attacker-controlled bucket — the archive was no longer present, consistent with threat actor tradecraft (delete after retrieval).
  • Firewall blind spot: Missing traffic logs across a critical window limited the ability to prove or disprove additional outbound transfers.

The outcome was a balanced conclusion suitable for leadership and legal: no definitive proof of broad exfiltration beyond observed staging indicators, but data theft could not be conclusively excluded due to telemetry gaps.
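The two sections above (rebuilding the attack narrative, and assessing data theft against telemetry gaps) come down to one working habit: merge every finding into a single UTC timeline and record, per log source, the window it actually covers, so that "unprovable" is a property of the evidence rather than an opinion. The script below is an added illustration, not Blackpanda's tooling; the sources, retention windows and findings are constructed samples, with the firewall retention deliberately starting late to mirror the blind spot described in the case.

```python
from datetime import datetime, timezone

def parse_ts(s: str) -> datetime:
    """Parse the constructed 'YYYY-MM-DDTHH:MMZ' timestamps as UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)

# Constructed sample data (not from the engagement): the log range each source
# retained, the intrusion window under review, and a few dated findings.
COVERAGE = {
    "anydesk":  ("2025-11-01T00:00Z", "2025-11-30T00:00Z"),
    "winevt":   ("2025-11-01T00:00Z", "2025-11-30T00:00Z"),
    "firewall": ("2025-11-24T00:00Z", "2025-11-30T00:00Z"),  # short retention
}
WINDOW = ("2025-11-01T00:00Z", "2025-11-30T00:00Z")
FINDINGS = [
    ("anydesk", "2025-11-03T09:14Z", "inbound session accepted with unattended password"),
    ("winevt",  "2025-11-14T22:07Z", "4624 LogonType=10 (RDP) to internal server"),
    ("winevt",  "2025-11-21T01:30Z", "archive created in staging folder"),
    ("winevt",  "2025-11-25T03:00Z", "ransom notes written; LockBit 3.0 encryption"),
]

def covered(coverage, source, ts):
    """True if `source` retained logs at instant `ts`."""
    lo, hi = (parse_ts(x) for x in coverage[source])
    return lo <= ts <= hi

def coverage_gaps(coverage, window):
    """(source, gap_start, gap_end) for each part of the window a source lacks."""
    w0, w1 = (parse_ts(x) for x in window)
    gaps = []
    for src, (lo, hi) in coverage.items():
        lo, hi = parse_ts(lo), parse_ts(hi)
        if lo > w0:
            gaps.append((src, w0, min(lo, w1)))
        if hi < w1:
            gaps.append((src, max(hi, w0), w1))
    return gaps

def build_timeline(findings, coverage, window):
    """Merge findings and telemetry gaps into one UTC-ordered list of rows."""
    rows = [(parse_ts(ts), src, msg) for src, ts, msg in findings]
    rows += [(g0, src, f"NO COVERAGE {g0:%Y-%m-%d} to {g1:%Y-%m-%d}")
             for src, g0, g1 in coverage_gaps(coverage, window)]
    return sorted(rows, key=lambda r: r[0])

def provable(findings, coverage, source):
    """Per finding: could `source` corroborate or refute it at that time?"""
    return [(msg, covered(coverage, source, parse_ts(ts))) for _, ts, msg in findings]

if __name__ == "__main__":
    for ts, src, msg in build_timeline(FINDINGS, COVERAGE, WINDOW):
        print(f"{ts:%Y-%m-%d %H:%M}Z  {src:<9} {msg}")
    for msg, ok in provable(FINDINGS, COVERAGE, "firewall"):
        print(("provable   " if ok else "unprovable ") + f"via firewall: {msg}")
```

With these samples the staging finding on 21 November falls inside the firewall gap, so the script marks it unprovable via firewall rather than silently omitting it, which is the distinction the case study draws between what is provable and what is merely plausible.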

4) Containment support and hardening actions

Blackpanda supported containment and reduced reinfection risk by:

  • Helping deploy EDR and enforcing detections / blocklists against identified malicious binaries
  • Guiding credential resets and tightening remote access governance (especially around unattended access tools and RDP pathways)

Blackpanda also flagged an uncomfortable but valuable finding: evidence of historical security events (e.g., credential theft tools and scripts) that were not conclusively linked to this incident, but suggested the environment may have had long‑standing exposure that warranted follow‑up.

RESULTS

1) A clear, defensible timeline for decision-makers

Instead of “we think,” the reinsurer received a structured timeline:

  • First known access: AnyDesk authentication
  • Progression: tunnelling attempts, privilege escalation, lateral movement, staging
  • Impact: LockBit 3.0 detonation with less than 10 servers encrypted

This helped leadership align IT recovery, risk decisions, and external communications to what could be supported by evidence.

2) Containment and recovery guided by facts, not panic

The investigation focused the recovery effort:

  • Which systems were confirmed encrypted
  • Which attacker techniques mattered most to shut down immediately (remote access, credential misuse, RDP paths)

3) A practical hardening roadmap based on what attackers actually abused

The engagement ended with actionable priorities tied to the attacker’s playbook:

  • MFA and tighter governance for remote access
  • Privileged Access Management and elimination of long‑lived administrative exposure
  • Improved backup architecture with stronger protections against tampering
  • Centralised logging and longer retention to eliminate forensic blind spots

FAQ: LockBit, AnyDesk intrusions, and ransomware response

Q1. How did the attacker get in?
The first confirmed malicious access was a successful inbound AnyDesk authentication using unattended access credentials, indicating the attacker possessed a valid password or equivalent credential for remote access.

Q2. Why is unattended remote access so dangerous?
Tools like AnyDesk can provide interactive control similar to a physical intruder with keys. If unattended access passwords are obtained, attackers can persist, move laterally, and deploy tooling without exploiting a perimeter vulnerability.

Q3. Was data stolen before encryption?
The investigation found indicators consistent with data staging and upload activity, but could not fully confirm the contents or extent due to missing firewall telemetry and the absence of the staged archive in recovered artefacts.

Q4. Why do attackers target backups?
Disrupting backups increases pressure. In this case, the attacker interfered with backup operations, a common tactic intended to weaken recovery options ahead of ransomware execution.

Q5. What controls would have most reduced the blast radius?
The report’s recommendations emphasise MFA, PAM, stronger segmentation, improved log retention (e.g., SIEM), and stricter endpoint and BYOD governance to reduce credential exposure and improve detection.

What this means for you

Ransomware incidents often read like a crime report because they are one: an intruder gets in, steals leverage, sabotages recovery, and then locks the doors.

If your organisation relies on remote access tools, shared admin accounts, or short log retention windows, the story tends to end the same way — unless responders can validate scope quickly and remove the attacker’s routes back in.