Case study banner: Assumed Hardware Fault Revealed as Ransomware Blocking 40 Servers at Malaysian Logistics Firm. Type: On-Demand Incident Response

Hardware Fault at a Malaysian Logistics Firm Turns Out to be Ransomware

PUBLISHED: April 30, 2026

The first sign of trouble was an inaccessible server, flagged as a possible hardware failure. By the time the diagnosis was corrected, 40 servers across two sites had been encrypted.

Key facts

Organisation
Malaysian Logistics Firm — a regional logistics and supply chain operation running infrastructure across two locations
Threat
A Ransomware-as-a-Service variant based on a LockBit 3.0 builder; double extortion model
Initial access
Brute force attack against a remote access service on the backup infrastructure server
Impact
Approximately 40 servers encrypted across two sites; backup infrastructure compromised; approximately 500 user endpoints unaffected
Core issue
No multi-factor authentication on remote access; backup server exposed to the public internet; 7-day firewall log retention left no logs from the attack period

What this case shows

  • Backup infrastructure is among the highest-value targets in a ransomware attack. Attackers who reach the backup server first can harvest credentials for connected systems, disable recovery capability, and map the production environment before encryption begins — all using legitimate administrative tools.
  • Ransomware-as-a-Service affiliates execute manually and selectively, targeting the highest-impact systems while deliberately avoiding others with active endpoint protection. Server environments are disproportionately targeted for this reason.
  • A 7-day firewall log retention policy left no logs from the attack period. Log retention is not a technical nicety; it is a direct constraint on what an investigation can establish, and what questions about exfiltration can ever be answered.
  • Double extortion — encrypting data while threatening to publish it — means the absence of a data leak post is contingent, not conclusive. Monitoring must continue well after the ransomware is contained.

Learn how Blackpanda's emergency incident response and response assurance subscriptions help organisations contain ransomware quickly and recover with confidence.

Summary

One morning in April 2024, employees at a Malaysian logistics firm found that network resources had become unavailable. The organisation raised a support ticket with its infrastructure vendor, which initially assessed the problem as a possible hardware issue. It took two more days for engineers to confirm what had actually happened: the virtual server disks across both sites had been encrypted by ransomware.

Blackpanda was engaged shortly after the ransomware was confirmed and immediately began deploying endpoint detection and response tooling across surviving machines. The investigation examined server logs, virtualisation platform artefacts, backup infrastructure forensics, firewall logs and configurations, endpoint agent telemetry, and dark web data. One early constraint was significant: the organisation's firewall was configured to retain logs for only seven days, which meant no logs from the attack period remained.

The investigation traced the attacker's entry to a brute force assault on the organisation's backup infrastructure server: over 20 failed authentication attempts recorded in under a minute, followed by a successful login. From this single foothold, the attacker created a privileged account, harvested credentials from the backup software, scanned the internal network, moved laterally between both sites via the private network interconnect, and manually executed ransomware against the virtualisation platform's server storage disks. Approximately 40 servers were encrypted, but the organisation's approximately 500 user endpoints were left untouched.

Blackpanda found no direct evidence of data exfiltration from the investigated systems. Dark web monitoring throughout the engagement found no mention of the organisation on the ransomware attacker's leak site. Because the firewall logs from the attack period were gone, these findings carry an important caveat: outbound transfer during those days cannot be established or excluded. Monitoring was recommended to continue.

CHALLENGE

The organisation is a Malaysian logistics firm — an SME operating across two regional sites connected by a private network interconnect. Its server infrastructure, approximately 40 servers, was virtualised. Virtualisation distributes compute and storage across shared physical hardware. That architecture is operationally efficient, but it carries a specific consequence for incident response: when virtual server disks are encrypted at the storage layer, the guest operating systems running on those disks become inaccessible. Forensic investigation of a compromised server typically involves reading the files on its disk. When those files are encrypted and the disk itself is unavailable, that process is blocked.

The organisation's IT and security infrastructure was managed in part by a local IT vendor and supported by a regional technology partner. Like many logistics SMEs, the firm balanced operational IT demands against the cost and resourcing constraints common to the sector — maintaining the systems it needed to run the business without the dedicated security operations capability that would detect a methodical intrusion over several hours.

One morning in April 2024, employees at both sites reported that network resources had become inaccessible. The organisation raised a support ticket with its infrastructure vendor, which began remote troubleshooting and initially attributed the problem to a possible hardware fault. Two days later, the vendor's engineers confirmed that the virtual server disks had been encrypted by ransomware. The servers were taken offline, and Blackpanda was engaged shortly after.

A couple of days' gap between the outage and the ransomware confirmation is not unusual in heavily virtualised environments, where encryption at the storage layer can closely resemble hardware degradation. But the delay had consequences. Password resets and server isolation had been initiated, but no forensic evidence collection had begun, and no endpoint detection capability had been deployed. The window in which the attacker's tools, commands, and connections were most recoverable was already narrowing.

What the organisation did not yet know was that the attack had been deliberate and sequential — that a single breach point had been used to move across the entire infrastructure before a single file was encrypted.


SOLUTION

1. Immediate Containment and Forensic Collection

On engagement, Blackpanda worked with the organisation's local IT team to deploy SentinelOne endpoint detection and response agents across all machines that remained online. This served two purposes: establishing active monitoring from that moment forward, and beginning the collection of forensic artefacts from endpoints that were still intact. Evidence collection tools were distributed, and analysis of the collected evidence started two days later.

2. Tracing the Entry Point

The investigation focused initial attention on the organisation's backup infrastructure server — the only server running a Windows operating system that was accessible for forensic analysis. Windows event log data from this machine showed over 20 failed Server Message Block (SMB) authentication attempts within a single minute, followed immediately by a successful Remote Desktop Services authentication for a privileged account. The traffic originated from an internal IP address confirmed by the organisation to be routed directly through the primary site's firewall — placing the external origin of the initial connection outside the network and beyond the forensic reach of the available firewall logs.

Within approximately an hour of that first login, the attacker had created a new privileged account on the backup server and executed a PowerShell script designed to extract stored credentials from the backup software. The attacker's browser history on the server — recovered from a separate browser cache — showed repeated access to documentation and support resources related to the backup platform, confirming that the backup infrastructure was a deliberate target, not an opportunistic foothold.

The attacker knew what they were looking for before they arrived.

3. Network Discovery

Blackpanda found forensic evidence of two commercial tools deployed on the backup server for network reconnaissance purposes. A widely used network scanning tool — regularly observed in post-compromise toolkits across ransomware investigations — was executed from two separate directories on the server, scanning the internal network for connected hosts, open ports, and shared folders. A remote access utility was also found executed on the same machine, indicating attempts to establish connections to other hosts on the network, though the destinations and outcomes of those attempts could not be confirmed from available evidence.

SMB enumeration attempts from the backup server to other hosts were identified in the Windows event logs — activity consistent with the attacker mapping which network shares and servers were accessible before proceeding with lateral movement.

4. Lateral Movement Between Sites

Lateral movement between the two sites was confirmed through authentication records on the virtualisation platform's cluster management nodes. Successful logins to cluster management nodes at the secondary site were traced to an IP address originating from the primary site — consistent with the attacker using the backup server as a staging point to access and ultimately compromise both sites. This cross-site movement was possible because the two locations were interconnected by a private network link with no enforced access controls between them.

5. Ransomware Execution: Manual, Selective, Dual-Platform

The ransomware was executed manually. Two distinct binaries were deployed: one for Windows, targeting the backup server, and one for Linux, targeting the virtualisation platform's cluster management nodes. On the Linux machines, the attacker executed the ransomware from terminal sessions, running commands against individual virtual server storage disks in sequence. The execution was selective: both the Windows and Linux ransomware variants targeted specific file types while excluding system-critical files, ensuring that the affected machines remained bootable after encryption — a deliberate design choice by the ransomware operators.

Approximately 40 servers were encrypted. The organisation's approximately 500 user endpoints, which ran a separate endpoint protection tool, were not targeted. The manual and selective nature of the attack is a documented characteristic of ransomware-as-a-service affiliates, who prioritise high-impact, low-risk targets — like server infrastructure over endpoint devices — to maximise disruption while minimising the likelihood of triggering automated detection on protected machines.

6. Forensic Constraints, and What Was and Wasn't Recoverable

The investigation faced several significant constraints. The virtualisation platform's encrypted server disks could not be forensically analysed. The backup server's Windows Security and System event logs — the primary evidence source for remote connections from that machine — were found completely empty, a finding Blackpanda assessed as consistent with deliberate log clearing by the attacker rather than system failure. Firewall logs were unavailable for the attack period due to the 7-day retention policy.

Despite these constraints, Blackpanda conducted encrypted file analysis on the backup server. Larger files on the server showed partial encryption — a characteristic of the attacker's Linux ransomware variant, which encrypts intermittently across large files rather than end-to-end. This analysis enabled the recovery of a large backup volume as a full disk image, which was returned to the organisation for restoration.


RESULTS

1. Entry Point Confirmed: Brute Force on Backup Infrastructure

Blackpanda confirmed the attacker's initial access through a brute force attack against a remote access service exposed on the backup infrastructure server. Over 20 failed authentication attempts within a single minute preceded a successful login. The backup server's role as the entry point is significant not merely as a forensic finding: it was the credential source for the rest of the attack, the platform from which the network was mapped, and ultimately a target of the encryption itself.

2. Attack Timeline and Scope Established

The investigation established that the attacker's first confirmed activity began on a specific day in April 2024, with ransomware execution occurring within 48 hours across both sites. Approximately 40 servers were encrypted across the two sites. User endpoints at both locations were unaffected. Post-encryption, the attacker appeared to have returned briefly to the backup server to encrypt files there before withdrawing.

3. Anti-Forensic Activity: Log Clearing

The backup server's Windows Security and System event logs were found completely empty — a finding assessed as deliberate log clearing by the attacker, not system failure. Security and System logs are the primary record of network logins, remote desktop connections, account creation, and process activity on a Windows server. Their absence removed the most direct evidence of the attacker's outbound lateral movement from that machine and limited the investigation's ability to confirm the full sequence of post-compromise actions. Clearing event logs before or after ransomware deployment is a documented technique used by ransomware operators to impede forensic reconstruction.
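The entry-point evidence (over 20 failed logons within a minute, immediately followed by a successful privileged logon, as described in Solution section 2 and Results section 1) and the cleared event logs discussed here both lend themselves to straightforward detection if the events are forwarded off the host before they can be wiped. The following is an added example, not Blackpanda's tooling: it runs both checks over constructed Windows event records. The event IDs are the standard Windows ones; the timestamps, addresses, account names, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows event records as (timestamp, log, event_id, source_ip, account).
# Event IDs are the standard Windows ones: 4625 logon failure, 4624 logon success,
# 1102 "the audit log was cleared" (Security), 104 "the log file was cleared" (System).
# Timestamps, addresses and account names below are made up for the example.
def build_sample_events():
    base = datetime(2024, 4, 1, 2, 14, 0)
    events = []
    # 22 failures two seconds apart, then a success 47 s after the first failure
    for i in range(22):
        events.append((base + timedelta(seconds=2 * i), "Security", 4625,
                       "10.0.5.20", "administrator"))
    events.append((base + timedelta(seconds=47), "Security", 4624,
                   "10.0.5.20", "administrator"))
    # an ordinary service logon from another host with no preceding failures
    events.append((base + timedelta(minutes=5), "Security", 4624,
                   "10.0.1.7", "backupsvc"))
    # the log-clear events that would be the last thing written before the logs go empty
    events.append((base + timedelta(hours=30), "Security", 1102, "-", "administrator"))
    events.append((base + timedelta(hours=30, seconds=3), "System", 104, "-", "administrator"))
    return events


def find_brute_force_logons(events, threshold=20, window=timedelta(seconds=60)):
    """Flag every 4624 success whose source accumulated >= threshold 4625
    failures inside `window` before it. Threshold and window are assumptions
    chosen to match the "over 20 failures in under a minute" seen in the case."""
    failures = defaultdict(list)          # source_ip -> failure timestamps
    hits = []
    for ts, log, event_id, src, account in sorted(events):
        if log != "Security":
            continue
        if event_id == 4625:
            failures[src].append(ts)
        elif event_id == 4624:
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= threshold:
                hits.append({"source": src, "account": account,
                             "failures": len(recent), "success_at": ts})
    return hits


def find_log_clears(events):
    """Return (timestamp, log, account) for each audit-log-clear event.
    These only survive if events are forwarded off-host before the wipe."""
    return [(ts, log, account) for ts, log, event_id, _src, account in sorted(events)
            if (log, event_id) in {("Security", 1102), ("System", 104)}]


def triage(events):
    """Run both checks and return their findings together."""
    return {"brute_force": find_brute_force_logons(events),
            "log_clears": find_log_clears(events)}


if __name__ == "__main__":
    report = triage(build_sample_events())
    for hit in report["brute_force"]:
        print(f"brute force: {hit['failures']} failures from {hit['source']} "
              f"then success as {hit['account']} at {hit['success_at']:%H:%M:%S}")
    for ts, log, account in report["log_clears"]:
        print(f"{log} log cleared by {account} at {ts:%Y-%m-%d %H:%M:%S}")
```

On a real host the same logic would run over events collected centrally (Windows Event Forwarding or a SIEM agent), which is the only place a clear event remains visible once the local log is empty.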

4. Partial Data Recovery Achieved

Encrypted file analysis on the backup server revealed that the attacker's encryption routine performs intermittent rather than complete encryption on large files, leaving portions of the original data intact throughout the file. This characteristic enabled the recovery of a large backup volume as a full disk image, returned to the organisation for restoration. Recovery of the virtualisation platform's virtual machine disks was not achievable, due to the way that platform segments its storage and the full encryption of its grouping-level files.
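The intermittent encryption described here, and in Solution section 6, is what made the backup volume recoverable: the untouched regions of a large file can be told apart from the encrypted ones by their entropy. The following is an added example, not a tool from the investigation. It constructs a file in which every other 64 KiB block is overwritten with random bytes as a stand-in for encrypted data, scans it chunk by chunk, and carves out the low-entropy ranges; the chunk size and entropy threshold are assumptions.

```python
import math
import os
from collections import Counter

CHUNK = 64 * 1024          # scan block size (assumption)
THRESHOLD = 7.5            # bits per byte; encrypted or random data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-symbol data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample(blocks=8, encrypt_every=2):
    """Constructed stand-in for a partially encrypted backup file: every
    `encrypt_every`-th block is replaced with os.urandom output, the rest keeps
    a repetitive, low-entropy plaintext. No cipher or ransomware code is involved."""
    plain = (b"backup-catalogue record 0001\n" * 4096)[:CHUNK]
    out = bytearray()
    for i in range(blocks):
        out += os.urandom(CHUNK) if i % encrypt_every == 0 else plain
    return bytes(out)


def scan(data, chunk=CHUNK, threshold=THRESHOLD):
    """Per-chunk (index, entropy, looks_encrypted) for the whole buffer."""
    result = []
    for i in range(0, len(data), chunk):
        entropy = shannon_entropy(data[i:i + chunk])
        result.append((i // chunk, round(entropy, 3), entropy >= threshold))
    return result


def intact_ranges(scan_result, total_len, chunk=CHUNK):
    """Merge consecutive low-entropy chunks into (start, end) byte ranges that
    can be carved out of the file as recoverable plaintext."""
    ranges = []
    for idx, _entropy, encrypted in scan_result:
        if encrypted:
            continue
        start, end = idx * chunk, min((idx + 1) * chunk, total_len)
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((start, end))
    return ranges


def summarise(scan_result):
    """Counts plus a one-character-per-chunk map: E = encrypted, . = intact."""
    encrypted = sum(1 for _i, _e, flag in scan_result if flag)
    return {"chunks": len(scan_result), "encrypted": encrypted,
            "intact": len(scan_result) - encrypted,
            "pattern": "".join("E" if flag else "." for _i, _e, flag in scan_result)}


if __name__ == "__main__":
    sample = build_sample()
    result = scan(sample)
    print(summarise(result))
    print(intact_ranges(result, len(sample)))
```

Whether the carved ranges are usable depends on the file format: a backup volume with block-aligned records survives this far better than a compressed archive, whose later blocks depend on earlier ones.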

5. No Confirmed Exfiltration; Credential Exposure on Dark Web Identified

Blackpanda's investigation found no forensic evidence of data exfiltration from the analysed machines. No archival or staging tools were identified, no large-scale outbound data transfer was observed in the available logs, and dark web monitoring throughout the engagement period found no mention of the organisation on the attacker's data leak site. This is a qualified finding: firewall logs from the attack period were unavailable, and what cannot be observed cannot be excluded. Blackpanda recommended that monitoring of the threat actor's data leak infrastructure continue beyond the engagement.

Dark web monitoring did surface a separate risk: multiple staff email credentials associated with the organisation's domain were found in public breach databases, originating not from the organisation's own systems, but from third-party websites and applications where employees had registered using corporate email addresses. The credentials were assessed as posing a residual password-reuse risk, particularly in the absence of multi-factor authentication enforcement.

6. Recommendations Delivered

Blackpanda provided the organisation with short-term and long-term recommendations.

Immediate actions:

  • Multi-factor authentication enforcement across all remote access and cloud accounts
  • Password resets for all user accounts
  • Geo-restriction enabled on the firewall
  • Continued dark web monitoring for posts related to the specific attacker

Longer-term recommendations:

  • Dedicated security staffing or third-party managed detection and response
  • A formal incident response plan
  • Patch management cadence for internet-facing systems
  • Backup architecture redesign — including offsite, air-gapped copies — to prevent future ransomware from simultaneously encrypting production systems and their recovery paths

FAQ

1. Why did the attacker go straight for the backup server?

Backup infrastructure is a high-priority target in ransomware attacks for a specific reason: it contains credentials for every system it backs up and has network connectivity to every system it needs to reach. An attacker who compromises the backup server gains a map of the organisation's infrastructure, the credentials to access it, and often a pathway to lateral movement across the entire environment — all without needing to compromise production systems directly.

In this case, the attacker executed a credential-harvesting script against the backup software within approximately an hour of first entry, and used the harvested access to enumerate the network and move between sites. The backup server was not a secondary target; it was the point of deliberate entry into everything else.

NIST's Guide for Cybersecurity Event Recovery (SP 800-184) and CISA's ransomware guidance both recommend treating backup infrastructure as a critical security asset, not merely an operational one.

2. Why were only the servers encrypted and not the user computers?

The attacker chose not to target the user endpoints, which had an active endpoint protection tool installed. This selectivity is consistent with how sophisticated RaaS affiliates operate. They assess which systems cause the most operational disruption when encrypted, and target those specifically, while avoiding systems that carry active detection capability and would raise the risk of early discovery. Approximately 40 servers across two sites represent the operational core of a logistics business — file systems, applications, shared resources, and databases. Encrypting them halts operations. In contrast, encrypting user workstations adds marginal leverage while increasing the chance that an automated detection fires. The choice was calculated, not arbitrary.

3. What is double extortion, and does it mean data was definitely stolen?

Double extortion is a ransomware tactic in which attackers encrypt the victim's data and simultaneously claim to have exfiltrated a copy, threatening to publish it on a data leak site unless the ransom is paid. It does not mean data was definitely stolen. The threat of publication is sometimes made without actual exfiltration, as a pressure tactic.

In this case, Blackpanda's investigation found no forensic indicators of data exfiltration on the analysed systems. However, because firewall logs from the attack period were unavailable, outbound data transfer during those hours cannot be confirmed or excluded. The absence of a data leak post on the specific threat actor's site during the monitoring period is a positive indicator, but not a guarantee. Monitoring should continue until the threat actor can reasonably be assessed as having moved on.

4. Why did it take two days to realise this was ransomware and not a hardware fault?

In a heavily virtualised environment, encryption at the storage layer — affecting virtual disk files on shared infrastructure — can present identically to certain hardware failures. Servers become inaccessible, shared resources disappear, and the infrastructure vendor's diagnostic tools may initially flag storage anomalies rather than file-level encryption. Without dedicated security monitoring, the first responders are typically IT support staff and hardware vendors, whose instinct is to investigate the most common cause of the observed symptoms first.

The delay was not unreasonable given the technical presentation of the incident. Its consequence, however, was real: it compressed the forensic window, delayed containment, and left the organisation without a deployed detection and response capability for the first critical days. Organisations that have pre-arranged incident response retainers can begin response from the first moment of suspicion, rather than starting to look for an incident response firm when operations are already down.

5. How do firewall log retention policies affect a ransomware investigation?

A firewall processes all network traffic entering and leaving the organisation — inbound connections from external sources, outbound data transfers, inter-site communications, and remote access sessions. In a ransomware investigation, firewall logs can establish when the attacker first connected, from where, and whether data was transferred outbound before or after encryption. When those logs are gone — because the retention period expired before the investigation began — those questions cannot be answered.

In this case, a 7-day retention policy meant no firewall logs from the attack period were available, preventing Blackpanda from confirming the external source of the initial connection or assessing outbound transfer volumes. Firewall log retention is not a niche forensic concern; it is a direct determinant of how much an investigation can establish. NIST SP 800-92 provides guidance on log management, including recommended retention periods.

6. What should logistics firms do to protect against ransomware?

Logistics SMEs are a consistent ransomware target because they combine operational criticality — a halted warehouse or transit operation has immediate commercial consequences — with the resource constraints that often result in security gaps.

Several practical measures substantially reduce exposure. Multi-factor authentication on all remote access services, particularly VPN and remote desktop, prevents brute force attacks from succeeding even when credentials are guessed. Firewall log retention extended to at least 90 days ensures that forensic investigations are not immediately constrained by expired logs. Backup architecture redesigned around the 3-2-1 rule — three copies of data, across two media types, with one offsite — prevents ransomware from simultaneously encrypting both the production environment and the recovery path. Account lockout policies on remote access services eliminate the practical viability of brute force attacks. And a pre-arranged incident response retainer with a specialist provider ensures that when something goes wrong, the first call reaches people who can act immediately.

WHAT THIS MEANS FOR YOUR ORGANISATION

Ransomware attackers who target logistics companies are not making a random choice. Logistics operations are time-critical. Every hour a warehouse management system is offline, every hour a shipment cannot be tracked, every hour a customs clearance system is inaccessible translates into a quantifiable commercial loss — and that urgency is leverage. It is why ransomware operators target operational technology environments and server infrastructure rather than user workstations: the disruption is immediate, visible, and expensive, and the pressure to pay is correspondingly high.

The pattern in this case — brute force entry through a backup server, credential harvesting within the hour, lateral movement between sites, selective encryption of server infrastructure — is not a sophisticated or unusual attack. It is a documented playbook, available to any affiliate willing to pay for access to a RaaS platform. What made it effective here was not its complexity but the absence of controls that would have stopped it at any one of several points: multi-factor authentication on remote access, network segmentation between sites, restrictions on which external addresses could reach the backup infrastructure, log retention long enough to support a meaningful investigation. Any one of these would have changed the outcome.

For SMEs in logistics and supply chain — organisations that run server-heavy, multi-site operations and carry significant operational continuity risk — the cost-benefit case for baseline security controls is not abstract. A week of encrypted operations costs more than a year of preventive investment. Blackpanda's emergency incident response exists for the moment when those controls are absent and the attack has already begun — a point at which the speed of the first call determines whether the recovery takes days or weeks.


ABOUT BLACKPANDA

Blackpanda is a Lloyd's of London–accredited insurance coverholder and Asia's leading local cyber incident response firm, delivering end-to-end digital emergency support across the region. We are pioneering the A2I (Assurance-to-Insurance) model in cybersecurity — uniting preparation, response, and insurance into a seamless pathway that minimises financial and operational impact from cyber attack. Through expert consulting services, response assurance subscriptions, and innovative cyber insurance, we help organisations get ready, respond, and recover from cyber attacks — all delivered by local specialists working in concert.

Our mission is clear: to bring complete cyber peace of mind to every organisation in Asia, from the first moment of breach through full recovery and beyond.