Case study banner: SG Investment Firm Loses Two Million Files to Hackers Due to a Single Password Leak. Type: Blackpanda On-Demand Incident Response.

With One Stolen Password, Attackers Take Off with Two Million Files from Singapore Investment Firm

PUBLISHED:
March 24, 2026

Before encrypting nearly two million files, the attackers spent a month inside with full administrative access — staging data, installing back doors, and leaving no obvious trace.

Key facts

Organisation
Singapore Investment Firm
Threat
Ransomware — double extortion
Initial access
Stolen VPN credentials
Impact
Approximately two million files encrypted; significant data volume publicly claimed as exfiltrated
Core issue
No multi-factor authentication on VPN; unpatched internet-facing firewall appliance; insufficient log retention

What this case shows

  • A single stolen password, with no MFA behind it, gave the attacker full administrative control within the first hour; no software exploit was needed to get in
  • Ransomware groups rarely strike immediately; this attacker spent nearly a month inside, staging data before triggering encryption
  • Double extortion means two separate crises: encrypted files halt operations, while stolen data creates reputational and regulatory exposure that persists regardless of whether files are recovered
  • Delayed patching on internet-facing appliances is one of the most consistent enablers of ransomware entry across Asia

Facing a live incident? Reach Blackpanda's emergency response team now. Or explore IR-1 to put assured, fixed-cost response in place before the next one.

Summary

In early 2025, attackers entered a Singapore investment firm's network using a single stolen VPN credential. They spent nearly a month inside — reaching full administrative control, installing persistence tools, and staging data — before deploying ransomware that encrypted approximately two million files. No one knew until the files disappeared.

Blackpanda was engaged through its On-Demand Incident Response service. Investigators reconstructed the full attack timeline, identified the entry vector, and confirmed the scope of both the encryption and a credible data exfiltration claim: a double-extortion ransomware group had already published the firm's name and a partial file listing on its dark web platform.

Three security gaps made the breach possible — no multi-factor authentication on VPN access, an unpatched internet-facing firewall appliance with a known exploitable vulnerability, and log retention too shallow for early detection. Any one of them, addressed, would have changed the outcome.

CHALLENGE

In early 2025, someone with a valid VPN credential logged into the firm's network. The VPN — the encrypted tunnel businesses use to allow remote access — accepted the login without a second challenge, because no multi-factor authentication was in place. A password alone was enough.

Within the first hour, the attacker had created a new user account, escalated it to full administrator status, and enabled remote desktop access to the firm's primary server. Using the domain administrator credential — the highest-privilege account in the network — they connected directly and had unrestricted access to every system. They then installed AnyDesk, a legitimate remote access tool, as a secondary means of re-entry, and added their own files to the endpoint security software's exclusion list, instructing it to ignore them.

The network went quiet for nearly three weeks. The attacker returned, accessed and archived files consistent with data staging, and used a file-transfer tool to move the archives off the network. They then deployed ransomware. Over the following sixteen hours, approximately two million files were encrypted across the firm's server and connected storage devices — rendered completely inaccessible. The group subsequently posted the firm's name on their dark web blog, claimed a substantial volume of stolen data, and published a partial file listing as proof.
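The first-hour chain described above (account creation, promotion to Administrators, RDP enabled, endpoint-security exclusion added) is visible in ordinary Windows event logs if someone is looking. The script below is an added example, not Blackpanda's tooling or anything recovered from this case: it walks a list of exported events, and for every network logon from the VPN address pool collects the suspicious actions taken within the next hour by that user or by any account that user created. The event field names, the 10.200.0.0/24 VPN pool, and the sample events themselves are constructed assumptions; the event IDs are the standard ones (4624 logon, 4720 user created, 4732 member added to a local group, 4657 registry value modified, which requires object-access auditing, and 5007 Defender configuration changed).

```python
"""Added example: hunt for the first-hour post-access chain in Windows event data.

Not Blackpanda's tooling. Input is a list of dicts shaped like exported
Security / Defender-operational events; field names are assumptions.
"""
import ipaddress
from datetime import datetime, timedelta

VPN_POOL = ipaddress.ip_network("10.200.0.0/24")   # assumed VPN client address pool
WINDOW = timedelta(hours=1)                          # how long after the VPN logon we look

# Constructed sample events modelled on the case narrative; timestamps are UTC.
SAMPLE_EVENTS = [
    {"ts": "2025-02-03T02:14:10", "id": 4624, "user": "j.tan", "logon_type": 3,
     "src_ip": "10.200.0.17"},
    {"ts": "2025-02-03T02:21:44", "id": 4720, "user": "j.tan", "target": "svc_backup2"},
    {"ts": "2025-02-03T02:22:05", "id": 4732, "user": "j.tan", "target": "svc_backup2",
     "group": "Administrators"},
    {"ts": "2025-02-03T02:30:51", "id": 4657, "user": "svc_backup2",
     "object": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "new_value": "0"},
    {"ts": "2025-02-03T02:41:33", "id": 5007, "user": "svc_backup2",
     "message": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\adk = 0x0"},
    {"ts": "2025-02-03T09:05:00", "id": 4624, "user": "m.lee", "logon_type": 2,
     "src_ip": "10.10.5.22"},   # benign console logon, outside the VPN pool
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def classify(event):
    """Map one event to a human-readable tag, or None if it is not of interest."""
    eid = event["id"]
    if eid == 4720:
        return "new account created: " + event["target"]
    if eid == 4732 and event.get("group") == "Administrators":
        return "added to Administrators: " + event["target"]
    if eid == 4657 and event["object"].endswith("fDenyTSConnections") and event.get("new_value") == "0":
        return "RDP enabled via fDenyTSConnections=0"
    if eid == 5007 and "\\Exclusions\\" in event.get("message", ""):
        return "Defender exclusion added"
    return None


def hunt_first_hour(events):
    """For every network logon (type 3) from the VPN pool, collect suspicious
    actions taken within WINDOW by that user or by any account that user created.
    Returns one finding per logon that accumulated at least two such actions."""
    events = sorted(events, key=_ts)
    findings = []
    for i, logon in enumerate(events):
        if logon["id"] != 4624 or logon.get("logon_type") != 3:
            continue
        if ipaddress.ip_address(logon["src_ip"]) not in VPN_POOL:
            continue
        actors = {logon["user"]}
        tags = []
        for later in events[i + 1:]:
            if _ts(later) - _ts(logon) > WINDOW:
                break
            if later["user"] not in actors:
                continue
            tag = classify(later)
            if tag is None:
                continue
            tags.append(tag)
            if later["id"] == 4720:
                actors.add(later["target"])   # follow the attacker onto the account they just made
        if len(tags) >= 2:
            findings.append({"vpn_user": logon["user"], "logon_at": logon["ts"],
                             "accounts": sorted(actors), "actions": tags})
    return findings


if __name__ == "__main__":
    for f in hunt_first_hour(SAMPLE_EVENTS):
        print(f"ALERT {f['logon_at']} {f['vpn_user']} -> accounts {f['accounts']}")
        for action in f["actions"]:
            print("   ", action)
```

Following the attacker onto the account they create is the point of the `actors` set: the second half of the chain here was performed by `svc_backup2`, not by the compromised VPN user, so a detection keyed only on the original username would have seen a harmless account creation and nothing more. Registry-modification events (4657) only exist if object-access auditing is switched on for that key, which is itself a configuration to verify before relying on this.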

SOLUTION

1. Evidence Collection

Investigators worked from three sources: the primary server (partially accessible despite the encryption), network security appliance logs, and storage device records. Scope was defined as the ransomware incident specifically. Limitations were documented upfront: some forensic artifacts had been destroyed by the encryption, and the firewall logs only covered the latter portion of the attacker's active period.

2. Entry Vector and Timeline Reconstruction

The earliest server records confirmed the attacker had VPN access in early 2025, as evidenced by their immediate account-creation activity upon connecting. Using command execution artifacts, authentication logs, and the available firewall records, Blackpanda mapped every significant action in sequence — from the first account created through to the final ransomware execution — establishing a continuous timeline across the full month.

3. Exfiltration Assessment

Forensic evidence identified large archive files staged prior to the encryption event, file-transfer tool execution, and significant outbound data volumes recorded in the firewall logs during the same window. The ransomware group's published file listing corresponded directly with the forensic artifacts, partially corroborating their exfiltration claim.
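The "significant outbound data volumes recorded in the firewall logs" above is the kind of signal that can be pulled out of connection logs mechanically, before or after the fact. The script below is an added example, not Blackpanda's method and not this firm's data: it sums outbound bytes per internal host per day, builds a baseline from each host's own earlier days, and flags a day that is both large in absolute terms and far above that baseline, listing the destinations involved. The log line format, the thresholds, and the sample log (generated inline) are assumptions; the regex would need to match the appliance actually in use.

```python
"""Added example: flag per-host daily egress spikes in firewall connection logs.

Not Blackpanda's tooling. Log format, thresholds and sample data are assumptions.
"""
import re
import statistics
from collections import defaultdict

# Assumed connection-log format: <ts> fw01 conn: src=<ip> dst=<ip> proto=<p> bytes_out=<n>
LINE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ fw01 conn: src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=\S+ bytes_out=(?P<bytes>\d+)$"
)

SPIKE_FACTOR = 10      # flag when a day exceeds 10x the host's median earlier day...
MIN_BYTES = 1 << 30    # ...and is at least 1 GiB in absolute terms
MIN_BASELINE_DAYS = 3  # need a few prior days before judging a host


def _line(day, src, dst, nbytes):
    return f"{day}T21:30:00Z fw01 conn: src={src} dst={dst} proto=tcp bytes_out={nbytes}"


# Constructed sample: a file server with a few MB/day of egress until one night,
# plus a workstation with steady, high but unremarkable traffic (documentation IPs).
SAMPLE_LOG = "\n".join(
    [_line(f"2025-02-{d:02d}", "10.10.1.5", "203.0.113.10", 4_000_000 + d * 100_000) for d in range(18, 25)]
    + [_line(f"2025-02-{d:02d}", "10.10.7.33", "203.0.113.11", 900_000_000) for d in range(18, 26)]
    + [_line("2025-02-25", "10.10.1.5", "198.51.100.20", 19_000_000_000),
       _line("2025-02-25", "10.10.1.5", "198.51.100.20", 19_500_000_000)]
)


def daily_egress(log_text):
    """Return (totals, dests): host -> day -> bytes_out, and host -> day -> {dst}."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        totals[m["src"]][m["day"]] += int(m["bytes"])
        dests[m["src"]][m["day"]].add(m["dst"])
    return totals, dests


def find_spikes(log_text):
    """Flag (host, day) pairs whose egress is >= MIN_BYTES and >= SPIKE_FACTOR times
    the median of that host's earlier days. Baseline uses only days before the one judged."""
    totals, dests = daily_egress(log_text)
    spikes = []
    for host, per_day in totals.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            if i < MIN_BASELINE_DAYS:
                continue
            baseline = statistics.median(per_day[d] for d in days[:i])
            if per_day[day] >= MIN_BYTES and per_day[day] >= SPIKE_FACTOR * baseline:
                spikes.append({"host": host, "day": day, "bytes": per_day[day],
                               "baseline_median": baseline,
                               "destinations": sorted(dests[host][day])})
    return spikes


if __name__ == "__main__":
    for s in find_spikes(SAMPLE_LOG):
        print(f"{s['day']} {s['host']}: {s['bytes'] / 1e9:.1f} GB out "
              f"(median {s['baseline_median'] / 1e6:.1f} MB) to {s['destinations']}")
```

The two-part threshold matters: a per-host ratio alone would fire on every quiet host that pushes a single large upload, and an absolute threshold alone would miss a workstation that normally sends nothing. Note that this only works if the logs covering the baseline days still exist, which is exactly the retention problem identified in this case.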

4. Root Cause Identification

Blackpanda identified three compounding failures: no multi-factor authentication on VPN, leaving a stolen password sufficient for full access; an unpatched internet-facing firewall appliance with a documented vulnerability this group was known to exploit; and log retention insufficient to support real-time anomaly detection or early retrospective investigation.

RESULTS

1. Entry confirmed.

The attacker entered via VPN using stolen credentials. No MFA was in place. All observed activity originated from the VPN's internal network range.

2. Full attack timeline reconstructed.

A continuous timeline was established across the full month of attacker activity — every significant action documented in sequence, from account creation through ransomware execution.

3. Encryption scope established.

Approximately two million files were confirmed encrypted across the primary server and connected storage devices. The encryption also destroyed some forensic artifacts, an investigative constraint documented in full.

4. Data exfiltration assessed.

Network logs, file-staging artifacts, and the ransomware group's published file listing collectively supported the likelihood of significant exfiltration, partially corroborating their claim.

5. Root causes identified and remediation delivered.

Three gaps were confirmed: no MFA on VPN; delayed patching on an internet-facing firewall appliance with a known exploitable vulnerability; and log retention too shallow for early detection. Remediation recommendations were delivered against each.

The attacker reached domain administrator level within the first hour of connecting. From that point, containment was no longer a matter of access controls — the breach was already in progress. Organisations that detect intrusions early, before that first privilege escalation, can limit the damage before it becomes operational. The most effective intervention points in this case were all upstream of the ransomware: MFA on remote access, faster patch cycles on internet-facing devices, and log retention sufficient to surface authentication anomalies in real time.

Frequently Asked Questions

How did the attackers get in without exploiting a technical vulnerability?

They used a valid VPN credential — a real username and password the network accepted as legitimate. How those credentials were obtained could not be confirmed; the relevant logs had not been retained long enough. Credentials are routinely acquired through prior phishing, purchased from criminal marketplaces where breached login data is sold, or reused from earlier breaches through automated credential-stuffing attacks. The practical implication: a valid password is not proof of a legitimate user. Unusual login times, unfamiliar source geographies, and connections from anonymisation services are all signals that warrant automated alerting — and MFA removes the problem at source.
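The three signals named above (unusual login times, unfamiliar source geographies, connections from anonymisation services) can be scored from the VPN's own authentication log, using each user's earlier logins as their baseline. The script below is an added example, not Blackpanda's tooling or this firm's log data. It assumes a syslog-style line format, Singapore business hours, a stub IP-to-country table and a stub anonymiser range (real deployments would use a GeoIP database and a maintained proxy/Tor feed); the sample log is constructed, using documentation IP ranges only.

```python
"""Added example: score successful VPN logins for time-of-day, geography and
anonymiser anomalies against each user's own history.

Not Blackpanda's tooling. Log format, business hours, GeoIP stub and
anonymiser list are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line format: <iso ts>Z <host> vpn-auth: user=<u> result=<r> src=<ip>
LINE = re.compile(r"^(?P<ts>\S+) \S+ vpn-auth: user=(?P<user>\S+) result=(?P<result>\w+) src=(?P<src>\S+)$")
SGT = timezone(timedelta(hours=8))    # assumed local time zone (Singapore)
BUSINESS_HOURS = range(7, 21)         # 07:00-20:59 local, assumed

# Stand-in for a GeoIP lookup (assumption; documentation ranges only).
COUNTRY_BY_NET = {
    ipaddress.ip_network("203.0.113.0/24"): "SG",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "NL",
}
# Stand-in for a commercial-VPN / Tor exit feed (assumption).
ANONYMISERS = {ipaddress.ip_network("192.0.2.0/24")}

# Constructed sample: j.tan logs in from Singapore during office hours for weeks,
# then one login arrives at 02:14 local from an anonymiser range in another country.
SAMPLE_LOG = """\
2025-01-20T01:02:11Z vpn01 vpn-auth: user=j.tan result=success src=203.0.113.45
2025-01-21T00:55:40Z vpn01 vpn-auth: user=j.tan result=success src=203.0.113.45
2025-01-23T03:10:02Z vpn01 vpn-auth: user=j.tan result=success src=203.0.113.90
2025-01-27T02:44:19Z vpn01 vpn-auth: user=j.tan result=failure src=198.51.100.8
2025-01-27T02:45:01Z vpn01 vpn-auth: user=j.tan result=success src=203.0.113.45
2025-02-02T18:14:10Z vpn01 vpn-auth: user=j.tan result=success src=192.0.2.77
2025-02-03T01:30:00Z vpn01 vpn-auth: user=m.lee result=success src=203.0.113.12
"""


def parse(log_text):
    """Yield successful logins as dicts with aware UTC timestamps."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m["result"] == "success":
            yield {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
                   "user": m["user"], "src": ipaddress.ip_address(m["src"])}


def country(ip):
    for net, cc in COUNTRY_BY_NET.items():
        if ip in net:
            return cc
    return "??"


def score_logins(log_text):
    """Return (user, iso_ts, signals) for each login that collects two or more
    signals. A user's baseline is built only from their earlier successful logins,
    so the first login ever seen for a user cannot trigger the geography signal."""
    seen = defaultdict(set)   # user -> countries previously seen
    alerts = []
    for ev in sorted(parse(log_text), key=lambda e: e["ts"]):
        signals = []
        local_hour = ev["ts"].astimezone(SGT).hour
        if local_hour not in BUSINESS_HOURS:
            signals.append(f"off-hours login ({local_hour:02d}:xx local)")
        cc = country(ev["src"])
        if seen[ev["user"]] and cc not in seen[ev["user"]]:
            signals.append(f"new source country {cc} (baseline {sorted(seen[ev['user']])})")
        if any(ev["src"] in net for net in ANONYMISERS):
            signals.append("source in known anonymiser range")
        if len(signals) >= 2:
            alerts.append((ev["user"], ev["ts"].isoformat(), signals))
        seen[ev["user"]].add(cc)
    return alerts


if __name__ == "__main__":
    for user, ts, signals in score_logins(SAMPLE_LOG):
        print(f"ALERT {ts} {user}: " + "; ".join(signals))
```

Requiring two signals rather than one keeps a single late-night login from a travelling employee from paging anyone, while the combination seen in the sample (off-hours, new country, anonymiser source) is hard to explain benignly. Whatever the scoring, it only runs if the authentication log is both retained and actually shipped somewhere that evaluates it, which is the retention gap this case turned on.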

Why did it take nearly a month for anyone to notice?

Several factors compounded each other. The attacker used VPN credentials that, from the network's perspective, were indistinguishable from a legitimate remote login. Once inside, they used tools — remote desktop access, AnyDesk — with entirely routine corporate uses. No automated alert was configured for new administrator account creation, and the firewall logs were not retained long enough to support retrospective investigation. Detection depends on monitoring what attackers routinely do in the first minutes of access: creating accounts, escalating privileges, enabling remote access, and tampering with endpoint security exclusions. All of these happened here without triggering a single alert.

What is double extortion, and why does it matter even if files can be restored from backup?

Traditional ransomware encrypts files and demands payment for the decryption key. Double extortion adds a second threat: before encrypting, the attackers steal data and threaten to publish it publicly if the ransom is not paid. Organisations with reliable backups can restore operations without paying — but the stolen data is already gone. In this case, the group published the firm's name on their dark web platform and provided a partial file listing as evidence. The reputational, legal, and regulatory exposure that creates is entirely independent of whether files were recovered.

Could this have been prevented?

Yes — by any one of three controls. MFA on VPN access means a stolen password alone is not sufficient to log in. Timely patching of the internet-facing firewall appliance would have removed a documented exploitation vector for this type of ransomware group. And adequate log retention — a minimum of 90 days for network appliances — would have provided the anomaly signals needed to detect an unfamiliar login before the attacker reached domain administrator status. None require significant capital investment. With all three absent, the breach was straightforward to execute.

How do double-extortion ransomware groups typically operate?

Double-extortion groups combine file encryption with data theft, targeting organisations with unpatched internet-facing appliances as a common point of entry. Once inside, they use legitimate tools to move data before deploying ransomware, making their activity difficult to distinguish from normal operations during the dwell period. They operate dark web platforms where they publish victim names and file listings to intensify pressure to pay. Their targeting tends to be opportunistic rather than sector-specific — the common thread is exploitable exposure, not industry.

What should an organisation do in the first hours of discovering a ransomware attack?

Two priorities: isolate affected systems immediately to prevent spread to other machines or storage devices, and engage a specialist incident response team as fast as possible. The earlier the investigation begins, the more forensic evidence survives and the faster containment can be confirmed. Blackpanda's IR-1 subscription provides a guaranteed four-hour triage call with senior incident responders — a team already under contract and ready to activate, not a vendor relationship being negotiated during an active breach.

What This Means for Your Organisation

The pattern here — one stolen credential, a month of undetected access, full administrative control, nearly two million files encrypted — is not exceptional. It is a common shape for significant ransomware incidents, and it is representative of what Blackpanda encounters across Asia. The attacker required no sophisticated technique: a valid password, an unpatched appliance, and a network with no alerting on authentication anomalies.

For any organisation using VPN for remote access, the specific takeaways are direct: enforce multi-factor authentication on all remote connections, patch internet-facing devices on a schedule that does not allow weeks-long gaps, and retain network logs long enough to support both real-time detection and retrospective investigation. If you want a fast read on your current exposure, Blackpanda's IR-1 includes Attack Surface Readiness scanning as standard — and a response team under contract before you need one.

About Blackpanda

Blackpanda is a Lloyd's of London–accredited insurance coverholder and Asia's leading local cyber incident response firm, delivering end-to-end digital emergency support across the region. We are pioneering the A2I (Assurance-to-Insurance) model in cybersecurity — uniting preparation, response, and insurance into a seamless pathway that minimises financial and operational impact from cyber attack. Through expert consulting services, response assurance subscriptions, and innovative cyber insurance, we help organisations get ready, respond, and recover from cyber attacks — all delivered by local specialists working in concert.

Our mission is clear: to bring complete cyber peace of mind to every organisation in Asia, from the first moment of breach through full recovery and beyond.