Comparing SecOps Models in the Face of a Ransomware Attack

This story is based on true events and dives into what happens when initial contact is made with some of the most pervasive strains of ransomware precursor malware. The series of events highlights the difference between the continuous compromise assessment cybersecurity model, which empowers analysts to detect and respond to network threats using their existing cybersecurity stack, and the traditional SecOps model typically built around SIEMs, which lack visibility into the initial stages of an attack.

In this case it all started with Qakbot, a precursor malware notorious for launching some of the most devastating ransomware attacks. This particular incident took place late on a Friday before a long holiday weekend. 

To keep the story anonymous, we refer to the two banks involved by the fictional names Bank 1 and Bank 2.

DAY 1

Qakbot was first detected on the networks of two companies.

Bank 1

Using Lumu, Bank 1 detected the Qakbot infection at its earliest stage (first contact with the adversary's infrastructure). The cyber team was alerted to the threat immediately, and it was automatically contained through their response integration.

The blue team then used information from Lumu’s portal and took action to further contain the affected endpoints and began the investigation.

Bank 2

Bank 2’s cybersecurity manager relied on classic cybersecurity solutions that could not detect the first steps of the infection, allowing the malware to progress and stay completely undetected.

Bank 2 had been infected but they had no idea.

DAY 2

Bank 1 was way ahead and Bank 2 was just getting started.

Bank 1

Bank 1’s blue team established how Qakbot operated: .wsf files executed PowerShell commands that attempted to contact its C2 servers. Fortunately, by then the affected machines had already been fully isolated and sanitized.

They continued to monitor the network to ensure that no other machines were infected.

The Bank 1 CEO praised the cyber administrator for his quick thinking, acknowledging that Lumu’s capabilities were instrumental in detecting the threat early on.

Bank 2

The Qakbot infection in Bank 2’s network had spread extensively by the time it was finally detected late on day 2.

The cyber administrator initially dismissed the infection as a small risk and did not take immediate action to contain it. As a result, the infection had spread far and wide throughout the network. 

The administrator’s confidence in traditional security tools proved insufficient to effectively contain the infection.

DAY 3

The benefit of a continuous model for threat detection was evident to Bank 1, while Bank 2 was trying to keep its head above water.

Bank 1

The Bank 1 network had returned to normal, and the cyber manager implemented additional security measures to prevent future attacks. 

The forensic team finished their incident report. 

The CEO recognized the importance of investing in modern cybersecurity solutions, which had saved the company from a potentially devastating attack.

Bank 2

Bank 2’s blue team tried everything to remove the Qakbot infection, but it was too late.  

The PowerShell code embedded in the .wsf files was executed, the malware contacted its C2 infrastructure, and the attackers deployed LockBit ransomware.

They exploited a security weakness in the domain server that Qakbot had identified, and company data was now being encrypted.
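The chain described in the story, a .wsf file run by a Windows script host that spawns PowerShell which then reaches out to remote infrastructure, is the kind of "first contact" a continuous detection model is meant to surface. The following is an added example, not Lumu's code; it runs a simple detection over constructed process and network telemetry (all hosts, paths and command lines are invented):

```python
# Added example (not Lumu's code): flag the .wsf -> PowerShell -> outbound-contact
# chain from the story over constructed endpoint telemetry, so that the first
# contact can trigger containment before a payload such as ransomware is staged.
from dataclasses import dataclass

@dataclass
class Event:
    ts: int        # seconds since the start of the constructed timeline
    kind: str      # "process" (creation) or "network" (outbound connection)
    pid: int       # process id of the subject process
    ppid: int      # parent pid for process events, 0 for network events
    image: str     # executable name for process events, "" for network events
    detail: str    # command line (process) or destination host:port (network)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def detect_wsf_chain(events: list[Event]) -> list[dict]:
    """Alert on every powershell.exe whose parent is a script host running a
    .wsf file and that made at least one outbound contact after starting."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    alerts = []
    for proc in events:
        if proc.kind != "process" or proc.image.lower() != "powershell.exe":
            continue
        parent = by_pid.get(proc.ppid)
        if parent is None or parent.image.lower() not in SCRIPT_HOSTS:
            continue
        if ".wsf" not in parent.detail.lower():
            continue
        contacts = sorted(n.detail for n in events
                          if n.kind == "network" and n.pid == proc.pid and n.ts >= proc.ts)
        if contacts:  # first contact with outside infrastructure: act now, not later
            alerts.append({"pid": proc.pid, "script": parent.detail, "contacts": contacts})
    return alerts

# Constructed telemetry: a benign .vbs logon script, a benign PowerShell update
# check launched from Explorer, and one .wsf chain that reaches out to two hosts.
SAMPLE_EVENTS = [
    Event(1, "process", 400, 1, "explorer.exe", "explorer.exe"),
    Event(2, "process", 500, 400, "wscript.exe", 'wscript.exe "C:\\Scripts\\logon.vbs"'),
    Event(3, "process", 501, 500, "powershell.exe", "powershell.exe -File map_drives.ps1"),
    Event(4, "process", 600, 400, "powershell.exe", "powershell.exe Get-WindowsUpdate"),
    Event(5, "network", 600, 0, "", "update.example.test:443"),
    Event(6, "process", 700, 400, "wscript.exe", 'wscript.exe "C:\\Users\\user\\Downloads\\invoice.wsf"'),
    Event(7, "process", 701, 700, "powershell.exe", "powershell.exe -nop -w hidden -enc <constructed>"),
    Event(8, "network", 701, 0, "", "203.0.113.7:443"),
    Event(9, "network", 701, 0, "", "198.51.100.22:8443"),
]
```

Only the .wsf-launched PowerShell that actually reached out is reported; the benign .vbs logon script and the Explorer-launched update check are not.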

The Bank 2 cybersecurity manager informed the CEO.

DAY 4

Bank 1’s executive team shared the importance of cybersecurity with the company while Bank 2 was in a state of panic.

Bank 1

The CEO of Bank 1 reinforced the company’s security education programs, focusing on phishing (the most common malware delivery vector) so that staff could identify and avoid potential threats.

Bank 2

The CEO of Bank 2 panicked as the ransomware attack continued. Company data was held hostage and the cyber administrator was struggling to negotiate with the attackers.

DAY 5

Bank 1 was all good, while Bank 2 was facing serious consequences.

Bank 1

Bank 1 was thriving, with no security incidents in sight.

Bank 2

Bank 2’s cyber manager faced legal troubles after attempting to negotiate with the attackers. They were unable to fully recover the data from old backups.

This story emphasizes the importance of cybersecurity operations and why contact with adversarial infrastructure must be taken seriously from the beginning. Attacks are often launched when we least expect them.

Stay ahead of cyber attacks: employ a continuous model to detect and automatically mitigate these threats, and ensure you have the context needed to remediate them. To learn more about how Lumu enables SecOps teams, and to see this in action, we invite you to attend our live training session > register here.
