Case Studies

In-depth accounts of real-world cyber incidents in the Asia region.

Read detailed accounts of incidents that Blackpanda teams have handled. To protect client identities, we anonymize all information and amalgamate details from multiple engagements into representative cases. 

CASE STUDY

Type: On-Demand Incident Response.

Ransomware Attackers Halt Regional Operations of Hong Kong Shipping Firm After Weeks Inside Company Network

By then, the attackers knew the network environment better than the IT team did.

Attackers spent nearly a month inside the network before the ransomware detonated. By then, they knew the environment better than the IT team did.

CASE STUDY

Type: Blackpanda IR-1 Activation.

Attackers Quietly Mined Crypto for Two Months Using Hong Kong Tech Firm's Servers

An attacker spent two months inside a Hong Kong tech provider's servers before anyone noticed.

Firewall alerts had been firing for weeks. By the time Blackpanda arrived, the attacker had already spread across the network — and covered their tracks.

CASE STUDY

Type: Blackpanda On-Demand Incident Response.

With One Stolen Password, Attackers Take Off with Two Million Files from Singapore Investment Firm

A stolen login. Thirty days inside. Nearly two million files encrypted.

Before encrypting nearly two million files, the attackers spent a month inside with full administrative access — staging data, installing back doors, and leaving no obvious trace.

CASE STUDY

Type: Blackpanda IR-1 Activation.

Fake CEO Phishing Message Unravels Hong Kong Charity's Hidden Cyber Risks

A gift card scam that hid malware, leaked credentials, and a subdomain open to hijacking.

A convincing CEO impersonation led to gift card fraud at a Hong Kong charity. Blackpanda's investigation confirmed the scam — and uncovered malware on an abandoned website, a subdomain vulnerable to hijacking, leaked staff credentials on criminal marketplaces, and a suspicious foreign login that no one at the organisation knew about.

CASE STUDY

The Phantom Ledger: A Central Hong Kong Business Association Hijacked Internationally Through a Senior Executive's Inbox

One compromised account, three countries, zero exfiltration — a forensics race against time in Central HK.

When a Business Association based in Central, Hong Kong, discovered a senior finance account was being accessed from international hubs, the risk to its reputation was immediate. Blackpanda's incident responders moved with operational force to contain the threat and verify the safety of sensitive records.

CASE STUDY

Akira Ransomware Locks Up a Hong Kong Maritime Investment Group After Criminals Walk In Through a VPN Account With No MFA

One stolen VPN login led to Akira encrypting core servers — see how Blackpanda traced the Veeam pivot and contained it.

One “valid login” was enough. Blackpanda traced the attacker’s route from SSL VPN access to Veeam credential theft and ransomware execution across core servers.

CASE STUDY

Email Phishers Impersonate Hong Kong Precision Manufacturing Firm, Tricking Customer Into Making Fraudulent Payments

Lookalike domain. Forged bank-letter PDFs. Evidence-led validation found no tenant compromise.

A Hong Kong precision manufacturing firm was impersonated via a lookalike email domain. Blackpanda traced Zoho-sent spoofing emails and fraud PDFs, including bank letters.

CASE STUDY

UNC5174 Hackers Whitelisted Wallets and Drained an Estimated USD 3.3M in Crypto From a Hong Kong Securities Firm Through a Hijacked AWS API

Wallets quietly whitelisted. An AWS API abused to steal funds. Blackpanda cut off the keys and blocked re-entry.

A Hong Kong securities firm spotted unauthorised crypto withdrawals via an AWS API. Blackpanda traced Vshell backdoors, contained keys, and blocked re-entry.

CASE STUDY

Email Phishers Offer Fake Bonuses to Employees of Sustainability Company to Steal Login Credentials and Issue Fraudulent Invoices

Bonus QR-code phish. Mailboxes breached. Invoice fraud blocked.

A “bonus” email led staff to a QR-code login trap and criminals into Microsoft 365 mailboxes. Blackpanda traced the intrusion despite missing audit logs and removed hidden mailbox manipulation. A practical hardening plan followed — spanning MFA, Conditional Access, and finance-grade payment verification.

CASE STUDY

Deleted Shared Drive Cripples Singapore Print Firm as It Suffers Second Ransomware Attack in Two Months

Encrypted once, sabotaged again. Blackpanda traced the VPN break‑in and mapped controls, keeping attackers from coming back.

LockBit 5.0 broke into a Singapore print services firm via weak VPN credentials, encrypted a file server, then wiped NAS volumes. Blackpanda traced the path.

CASE STUDY

Australian Insurance Company Ransacked by LockBit Ransomware that Blocked Several Business-Critical Systems

Unattended AnyDesk password. Staged archive upload. LockBit 3.0 encrypting business-critical systems.

LockBit 3.0 struck an Australian reinsurer after unattended AnyDesk access. Blackpanda traced the break‑in, assessed data‑theft risk, and guided recovery.

CASE STUDY

ClickFix Hits North Asian Web Services Platform; Contained by Blackpanda

A WordPress admin takeover turned a trusted site into a malware delivery channel — Blackpanda confirmed scope and shut it down.

A North Asian web services platform discovered its South Korea WordPress site was compromised via leaked admin credentials. Blackpanda confirmed no data theft, removed malicious scripts, and hardened web controls.

CASE STUDY

Crytox Ransomware Hits Singapore Entertainment Equipment Distributor

Crytox ransomware struck virtual servers — Blackpanda contained the intrusion and rebuilt control of VPN access.

A Singapore‑based entertainment equipment distributor discovered Crytox ransomware encrypting virtual servers after FortiGate SSL‑VPN access was abused. Blackpanda contained the attacker, deployed EDR, and hardened VPN controls.

CASE STUDY

Akira Intrusion Hits Asia‑Pacific Manufacturer; Encryption Avoided

A SonicWall VPN intrusion signaled Akira ransomware — Blackpanda contained it to two domain controllers before encryption.

An Asia‑Pacific industrial manufacturing company spotted credential dumping on a domain controller after SonicWall SSL‑VPN access was abused. Blackpanda contained the attacker to two systems and prevented Akira deployment.

CASE STUDY

Phobos Ransomware Hits Design Firm; Blackpanda Responds

Brute‑force logins. Phobos ransomware. Multi‑site disruption contained.

A regional design firm faced a multi‑site Phobos ransomware outbreak that hit critical servers and disabled endpoint protection. Blackpanda incident responders were activated through the customer’s IR‑1 subscription to contain spread and drive a hardening roadmap.

CASE STUDY

Regional Services Platform’s Google Workspace Hijacked; Blackpanda IR-1 Shuts It Down

Foreign logins. A hijacked Android device. Google Workspace ads and emails under attacker control.

A regional services platform’s Google Workspace account was hijacked to run rogue ads and delete emails. See how Blackpanda’s incident responders, activated through an IR-1 subscription, traced the intrusion, cut off access, and strengthened account security.

CASE STUDY

Qilin Ransomware Cripples ESXi; Blackpanda DFIR Fights Back

Containing a hypervisor-level Qilin ransomware attack on VMware ESXi.

See how Blackpanda contained a hypervisor-level Qilin ransomware attack on VMware ESXi, clarified data-theft risk, and guided a safer, faster recovery.

CASE STUDY

MFA Bypass Attack at Singapore IT Services Firm — Blackpanda IR-1 Containment of AiTM Credential Theft

Credentials stolen. MFA bypassed. And an attacker hiding behind a Cloudflare-masked phishing flow.

A Singapore IT services firm was compromised through an adversary-in-the-middle phishing attack that harvested credentials and bypassed MFA. The attacker accessed a corporate mailbox, registered a malicious Azure AD application, and launched a phishing campaign to over 500 recipients. Blackpanda IR-1 responders contained the incident and guided remediation.

CASE STUDY

Server Weaknesses Exposed at Regional Entertainment Firm — Blackpanda Containment in 48 Hours

A missing server. Suspicious administrator logins. Unauthorized virtual machines in the shadows.

A regional entertainment company discovered unauthorized virtual machines, lateral movement, and suspicious RDP activity across its servers. Blackpanda IR-1 responders contained the threat, reconstructed attacker activity, and guided recovery despite missing evidence and reformatted systems.

CASE STUDY

Exchange Server Exploited: Hackers Breach Hong Kong Investment Firm — Blackpanda Containment in 24 Hours

A vulnerable Exchange server. Persistent webshells. Full Active Directory compromise in motion.

A Hong Kong investment firm suffered a full Active Directory compromise through unpatched Microsoft Exchange ProxyShell vulnerabilities. Blackpanda IR-1 responders contained the attack, traced the threat actor, and restored control within 24 hours—proving the value of always-on cyber first response.

CASE STUDY

Hackers Hijack Hong Kong Law Firm’s Website — Blackpanda Responds Within Hours

Search results altered. Webshells deployed. And an attacker hiding behind layers of PHP scripts.

A Hong Kong law firm’s website was hijacked through a WordPress plugin exploit, defacing search results and planting backdoors. Blackpanda’s IR-1 responders traced and removed the threat within hours, preventing deeper compromise.

CASE STUDY

Singapore Retail Cyber Fraud Stopped by Blackpanda IR-1

Compromised credentials. Fraudulent accounts. Unauthorized redemptions.

See how a Singapore Retail Group stopped a gift card fraud attack with Blackpanda’s IR-1. Rapid incident response contained losses, uncovered vulnerabilities, and delivered long-term resilience.

CASE STUDY

Threat Signals Identified & Contained at a Hong Kong IoT Service Provider

RDP abuse. PowerShell misuse. No breach — but warning signs everywhere.

A Hong Kong IoT provider faced RDP abuse and PowerShell misuse. Blackpanda ODIR contained the risk. Learn how IR-1 cuts costs 12x and speeds response.

CASE STUDY

Inside the Ransomware Containment at a Singapore Commodity Trading Firm

Encrypted workstation. Ransom note found. Threat neutralized in time.

How Blackpanda contained a Phobos ransomware attack at a Singapore firm — and how IR-1 would have saved 9x in costs.

CASE STUDY

Inside the Credential Compromise and Lateral Movement Incident at a Hong Kong EV Solutions Provider

External forwarding rules. Unauthorized inbox access. Credential compromise.

In Feb 2025, a Hong Kong EV charging provider faced credential compromise through exposed RDP. Blackpanda contained the threat before ransomware could strike.

CASE STUDY

Ransomware Response for a Singapore Property Firm: How Blackpanda Contained and Investigated a Rapidly Escalating Attack

A Singapore industrial space operator faced a severe ransomware attack impacting operations and internal systems. Learn how Blackpanda's IR-1 service deployed rapid containment, investigation, and forensics to support recovery and compliance.

CASE STUDY

Inside the Bixi Ransomware Attack at a Hong Kong Civil Engineering Equipment Company

A brute-force attack. Remote access from abroad. Thousands of encrypted files.

CASE STUDY

Inside the Data Leak Investigation at a Philippine Entertainment Resort

A tip. A dark web leak. High-stakes customer data at risk.

CASE STUDY

Small clinic affected by business email compromise

In March 2023, a small clinic in Southeast Asia fell victim to a Business Email Compromise (BEC) attack, which had severe repercussions on the clinic’s operations and finances.

CASE STUDY

Data breach at retail company

In November 2022, a well-established local retail company based in Southeast Asia experienced a significant data breach that resulted in the compromise of customer information.

CASE STUDY

Boutique hotel suffers ransomware attack

In January 2023, a boutique hotel in Southeast Asia suffered a ransomware attack, resulting in the loss of sensitive information of international guests.

CASE STUDY

Ransomware attack on a private school

A private school, which caters to students ranging from kindergarten to high school, suffered a ransomware attack in early January 2023. The school is known for its high-quality education and attracts international and local students. The attack, attributed to the Maze ransomware group, was sophisticated, and the cybercriminals responsible demanded a ransom payment of around USD 51 thousand to restore access to the school’s systems.

CASE STUDY

Broker hit by ransomware faces over USD 5 million in losses

A medium-sized securities broker based in East Asia with a large client base was hit with a ransomware attack in February 2023. The attackers were able to gain access to the broker’s internal network and encrypt important files and data, rendering them unusable.
