Ransomware Response for a Singapore Property Firm: How Blackpanda Contained and Investigated a Rapidly Escalating Attack

PUBLISHED:
August 7, 2025

A Singapore industrial space operator faced a severe ransomware attack impacting operations and internal systems. Learn how Blackpanda's IR-1 service deployed rapid containment, investigation, and forensics to support recovery and compliance.

Summary
On 04 February 2025, a Singapore-based industrial office space operator engaged Blackpanda to investigate a ransomware incident that had already disrupted business operations. The attack had begun days earlier, when a cybercriminal successfully breached the company’s network through compromised VPN credentials. The attacker exfiltrated sensitive company data before deploying ransomware, encrypting systems and demanding payment.

Blackpanda’s responders initiated immediate forensics to trace the full extent of the attack, contain the incident, and deliver recommendations to close critical security gaps.

This is a real case of Cyber First Response - how forensic investigation helped contain damage, recover stolen data, and uncover the root cause behind a high-impact cyberattack.

Date of Incident: 04 February, 2025

VPN Compromise, Credential Abuse, and Data Exfiltration

The incident began with a compromised employee account that used a weak and easily guessable password. The attacker exploited this vulnerability using an automated brute-force tool to guess credentials and gain remote access via the company’s Virtual Private Network (VPN).

Once inside the network, the attacker moved laterally using Remote Desktop Protocol (RDP), a remote access tool commonly used by IT teams. During this stage, they searched for and accessed confidential business data, including:

  • Financial records
  • Human Resources information
  • Tenants’ details and internal documents

They transferred these files to two separate cloud storage accounts—completing a full data exfiltration operation. Once the data was stolen, the attacker deployed ransomware, encrypting the company’s files and rendering key systems inaccessible. This encryption phase was completed before Blackpanda was engaged.

“Attackers got in through a single weak password and were able to steal sensitive data before we even knew they were there.”

ODIR in Action: Forensics That Reversed the Damage

The victim was not an IR-1 subscriber at the time. However, Blackpanda’s On-Demand Incident Response (ODIR) service was activated immediately to deliver full-spectrum forensic support:

  • Identified the initial access vector via compromised VPN login
  • Mapped the attacker’s lateral movement
  • Determined the full scope of exfiltrated data
  • Identified critical mistakes in the attacker’s execution that allowed Blackpanda to access and recover stolen data
  • Leveraged attacker infrastructure to access a cloud storage platform where stolen files were held, allowing Blackpanda to confirm the breach scope and delete exposed data

Despite these efforts, a second cloud storage destination used by the attacker remained inaccessible. The attacker subsequently listed the company as a victim on the INC Ransomware website, publicly leaking screenshots of stolen files.

This public shaming tactic was intended to pressure the company into paying the ransom by damaging their reputation and creating stakeholder panic.

No Ransom Paid. Strategic Recovery Chosen.

The company chose not to pay the ransom

Blackpanda had already recovered a large portion of the stolen files, and internal operations were restorable through backups. Since the attacker’s leverage was significantly reduced, the company opted to focus on recovery and long-term resilience instead of rewarding criminal activity.

This hard-earned lesson led the company to subscribe to Blackpanda’s IR-1, recognizing that proactive coverage, faster activation, and built-in first responder expertise were essential to protecting their business moving forward.

Post-Incident Remediation

Blackpanda provided the Victim with a clear roadmap to strengthen defenses against similar attacks:

  • Critical Actions:
    • Enforce strong password policies across all accounts
    • Implement multi-factor authentication (MFA) for VPN and remote access
    • Restrict VPN and RDP access to trusted sources only
  • Medium/High Priority:
    • Improve real-time monitoring to detect suspicious logins
    • Conduct periodic password hygiene audits
    • Review cloud access logs and revoke unused credentials
  • Long-Term Risk Reduction:
    • Strengthen network segmentation to limit lateral movement
    • Perform regular cybersecurity assessments
    • Review business needs and simplify the IT infrastructure to eliminate cybersecurity risks
    • Train employees on credential security and phishing resilience
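The “detect suspicious logins” and “restrict VPN access to trusted sources” items above, as an added example that is not Blackpanda’s or the victim’s tooling: a small Python detector over constructed VPN authentication log lines that alerts when a successful login follows a burst of failures from one source address (the brute-force pattern described in this case), and lists successes from outside an allowlisted range. The log format, usernames, and IP addresses are all constructed.

```python
"""Flag brute-force VPN logins and successes from untrusted sources.
Added example, not Blackpanda's or the victim's tooling; the log format is
constructed: "<ISO ts> vpn-auth user=<u> src=<ip> result=<success|failure>"."""

import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # failures from one source before a success is suspicious
WINDOW = timedelta(minutes=15)

# Constructed sample: a password-guessing burst from 203.0.113.45 across two
# accounts, a normal login from the office range, then the attacker succeeds.
SAMPLE_LOG = """\
2025-02-01T02:10:01Z vpn-auth user=admin src=203.0.113.45 result=failure
2025-02-01T02:10:03Z vpn-auth user=admin src=203.0.113.45 result=failure
2025-02-01T02:10:05Z vpn-auth user=jlee src=203.0.113.45 result=failure
2025-02-01T02:10:07Z vpn-auth user=jlee src=203.0.113.45 result=failure
2025-02-01T02:10:09Z vpn-auth user=jlee src=203.0.113.45 result=failure
2025-02-01T02:11:30Z vpn-auth user=mtan src=198.51.100.7 result=success
2025-02-01T02:12:00Z vpn-auth user=jlee src=203.0.113.45 result=success
""".splitlines()

def parse_line(line):
    ts_str, _source, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["user"], kv["src"], kv["result"]

def detect_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Alert (src, user, failures) when a success follows >= threshold failures
    from the same source within `window`. Keyed on source, not account, so
    spraying one guess across many usernames is counted too."""
    recent = defaultdict(list)          # src -> timestamps of recent failures
    alerts = []
    for ts, user, src, result in map(parse_line, lines):
        fails = [t for t in recent[src] if ts - t <= window]   # expire old ones
        if result == "failure":
            fails.append(ts)
        elif result == "success" and len(fails) >= threshold:
            alerts.append((src, user, len(fails)))
            fails = []                  # reset so one burst yields one alert
        recent[src] = fails
    return alerts

def untrusted_successes(lines, trusted_cidrs):
    """Successful logins from outside the allowlisted source ranges."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    return [(src, user) for _, user, src, result in map(parse_line, lines)
            if result == "success"
            and not any(ipaddress.ip_address(src) in n for n in nets)]
```

Running `detect_bruteforce(SAMPLE_LOG)` yields one alert for the 203.0.113.45 burst, and `untrusted_successes(SAMPLE_LOG, ["198.51.100.0/24"])` flags the same source, so either check alone would have surfaced the login within minutes rather than days.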

For IR-1 Customers

As a reminder, you enjoy the peace of mind of being a Blackpanda IR-1 customer as well. Rest well knowing that the best cyber incident responders in Asia are standing by 24/7 to respond at a moment’s notice when the worst occurs and the attackers are able to make it past even the most well-prepared cyber and IT defenses. 

As a Lloyd’s of London-backed insurance underwriting entity, Blackpanda uniquely has productized digital forensics and incident response services into an assurance product delivered via SaaS subscription, complimentary Attack Surface Management technology, and discounted and optimized Blackpanda comprehensive cyber insurance offerings to provide the most cost-effective solution in the event of cyber emergencies. 

Reach out via your IR-1 platform access to view your ASM results. To gain an automated price quote on cyber insurance from us, email us at customercare@blackpanda.com and we will promptly get back to you.

Thank you for your continued trust in having Blackpanda ensure you have prompt access to cyber emergency response when the worst happens.

Need help? You're already covered.

As an IR-1 subscriber, you're just a few clicks away from activating Asia’s top cyber emergency response team.