Containing a LockBit Ransomware Intrusion at a Singapore-Based Print Services Provider from September to October 2025
At a glance
- Customer: Singapore-based commercial print services provider (anonymised)
- Incident type: Ransomware intrusion followed by destructive network attached storage (NAS) volume recreation
- Ransomware observed: LockBit 5.0 (confirmed by artefacts and sample analysis)
- Extortion signal: A separate leak site later published several images from the environment, suggesting selective leakage rather than large-scale dumps
- Environment: Windows servers, Active Directory, SSL VPN / firewall access, RDP, Synology NAS
- Impact confirmed: File server encryption; later NAS shared-folder access and NAS volume deletion/recreation
- Blackpanda services: digital forensics and incident response, log analysis, scope validation, data-theft risk assessment, containment guidance, endpoint monitoring rollout support
CHALLENGE
A ransomware “incident” that didn’t end when systems came back
The first event was a classic ransomware outcome: an internal file server was encrypted, disrupting business-critical access. But the deeper risk wasn’t only the encryption — it was whether the attacker still had working access after the organisation restored operations.
That risk materialised. Over a month later, the attacker reappeared and a NAS volume was deleted and recreated — an act that can destroy data organisation and continuity even when individual files may exist elsewhere. This wasn’t just disruption; it was sabotage.
Leadership needed answers that were both fast and defensible:
- How did the attacker break in — and was that route still open?
- Did compromise extend beyond the initial server(s)?
- Was data accessed or stolen before or after encryption?
- Why did the attacker return weeks later, and what did they do on the NAS?
“Valid credentials” is the hardest kind of break-in to spot quickly
The investigation determined that initial access came via valid credentials for an Active Directory account that had an extremely weak password and no MFA enabled — exactly the scenario that makes attacks blend into “normal” remote access activity.
Compounding this, VPN-to-internal access rules were overly permissive: a firewall policy allowed broad access from the SSL VPN interface into a server VLAN, and that access extended beyond tightly controlled admin groups to a wider user group. That widened the blast radius of any single compromised identity.
A real-world constraint: visibility gaps when you need proof
The client’s ability to be definitive about attacker activity — especially data exfiltration — was limited by two critical evidence gaps:
- Windows audit logs on a key server were cleared during the intrusion window.
- Firewall traffic logs were missing for a period overlapping the intrusion and suspected exfiltration activity.
This is a common incident reality: executives want certainty, but responders must separate what’s provable from what’s merely plausible — and document both.
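The firewall-log gap above is the kind of thing a responder should establish mechanically before making any statement about exfiltration. The following is an added illustration, not Blackpanda's tooling and not the client's data: it takes generic syslog-style traffic log lines (constructed here, with only the leading ISO timestamp being parsed), finds stretches where consecutive entries are further apart than a threshold, and reports the ones that overlap the intrusion window. The hostname, addresses and times are invented.

```python
"""Find gaps in firewall log coverage that overlap an incident window.

Added illustration (not Blackpanda's tooling). The log lines are constructed
in a generic syslog-like shape; only the leading ISO timestamp is parsed, so
the rest of each line does not matter to the check.
"""
from datetime import datetime, timedelta


def ts(s):
    """Parse an ISO-8601 timestamp string."""
    return datetime.fromisoformat(s)


def synthetic_lines(start, end, step=timedelta(minutes=1)):
    """Constructed traffic log lines at a fixed interval (sample data only)."""
    lines, t = [], start
    while t <= end:
        lines.append(f"{t.isoformat()} fw01 traffic src=10.200.1.25 dst=10.10.5.10 action=allow")
        t += step
    return lines


# Constructed: steady one-minute logging, then silence, then logging resumes.
LOG_LINES = (
    synthetic_lines(ts("2025-09-13T22:00:00"), ts("2025-09-14T01:00:00"))
    + synthetic_lines(ts("2025-09-14T06:30:00"), ts("2025-09-14T08:00:00"))
)


def parse_timestamps(lines):
    """Timestamps of every line, sorted, regardless of file order."""
    return sorted(ts(line.split(" ", 1)[0]) for line in lines)


def find_gaps(timestamps, max_gap_minutes=15):
    """Return (gap_start, gap_end) pairs where consecutive entries are further
    apart than max_gap_minutes. On a busy perimeter firewall, anything beyond a
    few minutes means logs were not written or were not retained."""
    limit = timedelta(minutes=max_gap_minutes)
    return [(a, b) for a, b in zip(timestamps, timestamps[1:]) if b - a > limit]


def coverage_report(lines, window_start, window_end, max_gap_minutes=15):
    """Gaps overlapping [window_start, window_end), as ISO string pairs.

    Any gap returned is a period for which 'no outbound transfer seen in the
    firewall logs' cannot honestly be claimed."""
    w0, w1 = ts(window_start), ts(window_end)
    return [(a.isoformat(), b.isoformat())
            for a, b in find_gaps(parse_timestamps(lines), max_gap_minutes)
            if a < w1 and b > w0]


if __name__ == "__main__":
    for start, end in coverage_report(LOG_LINES, "2025-09-14T02:00:00", "2025-09-14T05:00:00"):
        print(f"no firewall logs {start} -> {end} (overlaps intrusion window)")
```

The output of `coverage_report` is what goes into the report as a documented blind spot: a gap overlapping the window means the absence of suspicious flows in the logs is not evidence that none occurred.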
SOLUTION
1) Rapid triage and evidence-led scoping across two related incidents
Blackpanda’s incident responders were engaged to investigate two incidents as a single narrative: (1) the ransomware event and (2) the later NAS destruction. The approach prioritised what would most directly reduce reinfection risk and enable informed decisions: scope first, then root cause, then hardening.
Initial actions included:
- Reviewing evidence collected by the IT vendor (server artefacts, event logs, firewall configuration context, NAS logs).
- Reconstructing authentication and lateral movement patterns to identify how the intruder navigated the environment.
- Supporting deployment of endpoint monitoring coverage using managed detection and response to improve visibility and reduce the chance of silent re-entry.
2) Rebuilding the attacker’s route: VPN entry, lateral movement, and ransomware execution
Blackpanda reconstructed a path consistent with a credential-driven intrusion:
- Initial entry: Access using valid credentials over VPN/remote access pathways.
- Lateral movement: Multiple RDP sessions into internal servers were identified, including movement that positioned the attacker to reach business-critical systems.
- Ransomware execution: The ransomware binary was executed on the file server during the incident window.
Blackpanda also highlighted the enabling control weakness that made this easier: VPN access rules allowed too much reach into the server VLAN for too many authenticated users, increasing the chance that a single compromised account could reach high-value assets.
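Reconstructing a route like the one above usually starts from the Windows Security log: RDP logons (event 4624 with LogonType 10) ordered by time per account, with the source address of each hop showing whether it came from the VPN client pool or from another internal server, and event 1102 marking where the audit log was cleared. The example below is added here and is not Blackpanda's tooling; it works on a constructed list of events shaped like an EVTX-to-JSON export (the field names are standard Security-log fields, but every host, account, address and time is invented, as is the VPN pool).

```python
"""Reconstruct RDP lateral movement and flag audit-log clearing from
Windows Security events.

Added illustration (not Blackpanda's tooling). Input is a constructed list
of events shaped like a typical EVTX-to-JSON export: the field names
(Computer, EventID, LogonType, TargetUserName, IpAddress, TimeCreated)
are standard Security-log fields, but every value below is invented.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample events. 4624 with LogonType 10 is a RemoteInteractive
# (RDP) logon; 1102 is "The audit log was cleared".
EVENTS = [
    {"Computer": "FS01", "EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "IpAddress": "10.200.1.25", "TimeCreated": "2025-09-14T02:11:05"},
    {"Computer": "APP02", "EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "IpAddress": "10.10.5.10", "TimeCreated": "2025-09-14T02:40:30"},
    {"Computer": "DC01", "EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "IpAddress": "10.10.5.12", "TimeCreated": "2025-09-14T03:05:12"},
    {"Computer": "FS01", "EventID": 4624, "LogonType": 5, "TargetUserName": "SYSTEM",
     "IpAddress": "-", "TimeCreated": "2025-09-14T03:30:00"},
    {"Computer": "FS01", "EventID": 1102, "TargetUserName": "jdoe",
     "TimeCreated": "2025-09-14T04:02:44"},
]

# Assumed SSL VPN client address pool (constructed value).
VPN_POOL = ipaddress.ip_network("10.200.1.0/24")


def _when(event):
    return datetime.fromisoformat(event["TimeCreated"])


def rdp_chains(events):
    """Group RDP logons (4624 / LogonType 10) per account, ordered by time.

    Each hop is (timestamp, source IP, destination host); read in order, the
    hops show where the account went next.
    """
    chains = defaultdict(list)
    for ev in sorted(events, key=_when):
        if ev["EventID"] == 4624 and ev.get("LogonType") == 10:
            chains[ev["TargetUserName"]].append(
                (ev["TimeCreated"], ev["IpAddress"], ev["Computer"]))
    return dict(chains)


def vpn_entry_points(chains, vpn_pool=VPN_POOL):
    """RDP hops whose source address is in the VPN pool: the candidate first
    internal foothold after remote entry."""
    hits = []
    for user, hops in chains.items():
        for ts, src, host in hops:
            try:
                if ipaddress.ip_address(src) in vpn_pool:
                    hits.append((user, ts, src, host))
            except ValueError:  # "-" and other non-address placeholders
                continue
    return hits


def audit_log_cleared(events):
    """Every 1102 event as (host, account, time). A 1102 on a server inside
    the intrusion window is both an evidence gap and an indicator."""
    return [(ev["Computer"], ev["TargetUserName"], ev["TimeCreated"])
            for ev in sorted(events, key=_when) if ev["EventID"] == 1102]


def hosts_with_evidence_gap(events):
    """Hosts that saw RDP activity and whose Security log was then cleared."""
    touched = {host for hops in rdp_chains(events).values() for _, _, host in hops}
    return sorted({host for host, _, _ in audit_log_cleared(events) if host in touched})


if __name__ == "__main__":
    for user, hops in rdp_chains(EVENTS).items():
        print(user, " -> ".join(f"{src}->{host}@{ts}" for ts, src, host in hops))
    print("VPN entry:", vpn_entry_points(rdp_chains(EVENTS)))
    print("Log cleared:", audit_log_cleared(EVENTS))
    print("Evidence gap on:", hosts_with_evidence_gap(EVENTS))
```

The output for the constructed data reads as one chain: a VPN-pool address onto the file server, then onward from server addresses to two more hosts, followed by a log clear on the first host. Because 1102 survives in the log that was cleared (it is the first event written afterwards), the chain can still be anchored even when the earlier events on that host are gone, which is why collecting the same account's 4624 events from the other hosts matters.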
3) Data-theft assessment: separating ransomware mechanics from leakage signals
Blackpanda assessed data-theft likelihood from multiple angles:
- Ransomware capability: Analysis of the ransomware sample found no built-in exfiltration module — an important detail, because many ransomware operations steal data using separate tooling rather than “inside” the encryptor.
- Leak-site signal: During monitoring, a leak site published several images (e.g., operational documents) sourced from the environment. The contents of the images suggested partial, selective leakage rather than a bulk archive dump — but even that is a meaningful business risk.
- Honest uncertainty: Missing firewall logs and cleared audit logs limited the ability to conclusively validate the full extent of any outbound transfers. The outcome was evidence-led, with uncertainty clearly documented rather than masked.
4) Explaining the second act: dormancy, persistence, and destructive NAS activity
The second incident was not random. Evidence showed the attacker remained dormant and later resumed activity using compromised credentials, then accessed the NAS and enumerated multiple shared folders before the volume recreation event.
This matters because it changes how organisations should respond: encryption may be “the loud moment,” but persistent credential access is the real threat — especially when the attacker returns for sabotage or leverage.
5) Containment and hardening actions aligned to what was actually abused
Based on the attacker’s proven playbook, recommendations focused on identity control, segmentation, and monitoring:
- Enforce MFA for VPN and privileged access (including service/admin accounts).
- Eliminate weak-password exposure, rotate compromised credentials, and reduce credential reuse risk.
- Tighten VPN-to-internal firewall policy to least privilege (restrict reachable subnets/services; limit access groups).
- Reduce RDP exposure and enforce admin segmentation (jump hosts, restricted admin workstations, tiered admin).
- Harden NAS admin access, logging, and protection against destructive operations (including volume-level safeguards).
- Improve log retention and centralised logging (so future investigations are not forced to operate with blind spots).
For context on ransomware tactics and response fundamentals, see the MITRE ATT&CK Enterprise Matrix.
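The third recommendation (tighten VPN-to-internal policy to least privilege) is checkable rather than aspirational. The example below is added here and is neither Blackpanda's tooling nor any firewall vendor's rule format: it audits a constructed, vendor-neutral rule list against three tests that correspond to the weakness described in this case (a rule from the VPN zone that reaches the whole server VLAN, allows any service, or is granted to groups beyond the admin set). The server VLAN, VPN zone name and admin group name are assumed values; the first rule is shaped like the over-permissive policy, the others show what least privilege looks like.

```python
"""Audit VPN-to-server-VLAN firewall rules for least privilege.

Added illustration (not Blackpanda's tooling and not any vendor's rule
format). The rule list is constructed in a vendor-neutral shape; the server
VLAN, VPN zone name and admin group name are assumed values.
"""
import ipaddress

SERVER_VLAN = ipaddress.ip_network("10.10.5.0/24")   # assumed server VLAN
VPN_ZONE = "sslvpn"                                   # assumed SSL VPN zone name
ADMIN_GROUPS = {"VPN-Admins"}                         # assumed tightly controlled group

# Constructed rule base. The first rule is the shape of the weakness in this
# case: any service, whole server VLAN, broad user group.
RULES = [
    {"name": "vpn-to-servers-all", "src_zone": "sslvpn", "dst": "10.10.5.0/24",
     "services": ["any"], "groups": ["VPN-Users"], "action": "allow"},
    {"name": "vpn-legacy-smb", "src_zone": "sslvpn", "dst": "10.10.5.0/24",
     "services": ["tcp/445"], "groups": ["VPN-Users"], "action": "allow"},
    {"name": "vpn-admin-rdp-jump", "src_zone": "sslvpn", "dst": "10.10.5.12/32",
     "services": ["tcp/3389"], "groups": ["VPN-Admins"], "action": "allow"},
    {"name": "vpn-intranet-web", "src_zone": "sslvpn", "dst": "10.10.20.10/32",
     "services": ["tcp/443"], "groups": ["VPN-Users"], "action": "allow"},
    {"name": "lan-to-servers", "src_zone": "lan", "dst": "10.10.5.0/24",
     "services": ["any"], "groups": ["Domain-Users"], "action": "allow"},
]


def rule_findings(rule, server_vlan=SERVER_VLAN, vpn_zone=VPN_ZONE,
                  admin_groups=ADMIN_GROUPS):
    """Least-privilege violations for one rule; empty list means acceptable.

    Only allow rules from the VPN zone that reach the server VLAN are judged;
    everything else is out of scope for this particular check.
    """
    if rule["src_zone"] != vpn_zone or rule["action"] != "allow":
        return []
    dst = ipaddress.ip_network(rule["dst"], strict=False)
    if not dst.overlaps(server_vlan):
        return []  # rule does not reach the server VLAN at all
    findings = []
    if dst.prefixlen <= server_vlan.prefixlen:
        findings.append("destination is the whole server VLAN or wider")
    if "any" in rule["services"]:
        findings.append("service is 'any'")
    if not set(rule["groups"]) <= admin_groups:
        findings.append("non-admin groups can reach the server VLAN")
    return findings


def audit(rules, **kw):
    """Map rule name -> findings, for rules that have at least one."""
    result = {}
    for rule in rules:
        findings = rule_findings(rule, **kw)
        if findings:
            result[rule["name"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in audit(RULES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

A rule like `vpn-admin-rdp-jump` (one host, one service, admin group only) passes all three tests and is the shape the hardening list above is asking for: a compromised ordinary user credential then reaches nothing on the server VLAN over the VPN, and an admin credential reaches only the jump host.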
RESULTS
1) A clear narrative: one intrusion, two impacts
The client received a defensible storyline that connected two events into a single intrusion pattern: initial credential-based access led to ransomware encryption, and persistent access later enabled destructive NAS activity. That clarity matters for leadership decisions, insurers, and incident reporting.
2) Evidence-based view of data-leak exposure
The investigation surfaced a concrete external exposure signal — several images showing data posted online — without overstating what could not be proven due to missing logs. This enabled realistic risk management: respond to the leak signal, while avoiding unfounded claims about “everything was stolen.”
3) A practical hardening roadmap tied to attacker behaviour
Rather than generic security advice, the recommendations mapped directly to the routes the attacker used: weak credentials, no MFA, and insufficient telemetry. The result: a prioritised plan to reduce repeatability and shrink blast radius.
4) Improved monitoring posture during and after recovery
The engagement also supported expansion of endpoint visibility via EDR rollout, improving the organisation’s ability to detect suspicious behaviour earlier and respond with fewer unknowns.
FAQ: LockBit intrusions, VPN credential abuse, and NAS sabotage
Q1. How did the attacker get in?
The first confirmed access was achieved using valid credentials for an account with an extremely weak password that had no MFA enabled, facilitating a VPN-based entry without needing a loud exploit chain.
Q2. Why did the attacker come back weeks later?
This pattern is consistent with persistent credential access: once a threat actor has working credentials (and remote access paths remain permissive), they can re-enter later for additional leverage — including sabotage of storage and backups.
Q3. Was data stolen?
A leak site published several images sourced from the environment, indicating at least limited, selective data leakage. However, missing firewall logs and cleared audit logs limited the ability to conclusively validate the full extent of any outbound transfers.
Q4. Why is an overly permissive VPN policy so risky?
If VPN users can reach broad internal subnets and services, a single compromised user credential can become a pathway to high-value servers. Least-privilege access rules and tighter group scoping reduce blast radius.
Q5. What are the fastest controls that reduce repeat risk after ransomware?
Prioritise MFA for remote access, privileged credential resets, least-privilege VPN segmentation, tighter RDP pathways, and centralised logging with longer retention so future investigations don’t start with blind spots.
What this means for you
Ransomware isn’t always “one night of chaos.” Sometimes it’s a burglar who keeps the keys — and returns after you’ve cleaned up. If your organisation relies on VPN access without MFA, broad firewall policies, or short log retention, the next incident can escalate from disruption to irreversible destruction.
Blackpanda’s incident responders help teams contain quickly, validate scope with evidence, and harden the exact routes criminals abused — so recovery actually sticks.
If you need help now, explore our ransomware response and incident response readiness options.