Issue:
A large public research Canadian university with over 10,000 students faced an imminent threat from the ransomware group Cl0p, as alerted by the Canadian Centre for Cyber Security. The university’s IT estate was at risk of compromise, threatening the continuity of university operations due to the risk of imminent ransomware and sensitive data exfiltration.
Action:
CRA’s Forensic Services team swiftly responded to the alert and deployed advanced security solutions to validate the completeness of the client’s asset inventory, active directory infrastructure monitoring for reviewing user account permissions, and live monitoring of potential threat actor activity across the corporate IT environment. Our team pushed proprietary forensic collection scripts to gather historical forensic artifacts and confirmed the presence of a threat actor toolkit across the IT estate. Our team disrupted the threat actor activity launched by the Initial Access Broker (IAB) before potentially selling the access to Cl0p Ransomware group. For the duration of the engagement, our intelligence team monitored various dark web forums and ransomware group extortion blogs. Additionally, the team captured actively registered typo-squat domains and third-party database breach credentials.
Impact:
Through meticulous investigation, we uncovered approximately 35% unmanaged systems, enhancing visibility for the incident response operations and uncovering unapproved applications, missing patches, remote control software, and critical vulnerabilities exploited by ransomware threat actors. Our forensic analysis and threat-hunting activities enabled us to proactively block external IP addresses associated with threat-actor controlled infrastructure and remove malware persistence, effectively eradicating the threat and preventing the execution of ransomware. Our team discovered three additional successful attempts by unknown threat actors (activity attributed to multiple Initial Access Brokers) on the client’s internet-facing systems, which could have led to enterprise-wide privilege escalation and theft of sensitive data.
Outcome:
Our incident response efforts not only safeguarded the university’s IT infrastructure but also averted substantial financial losses. By leveraging our deep skills and proven methodologies, we not only resolved the immediate threat but also facilitated lasting improvements in the client’s overall security hygiene, ensuring resilience against future cyber threats.
The team was led by Aniket Bhardwaj, Vice President of Global Incident Response and Cyber Threat Operations, with invaluable assistance from colleagues including Carlo Lakay, Frank Visser, Bharad Subramanian, Umair Khan, David Lee, Jake Nemiroff, Hami Santacruz, Ronan Joshua Roque, Jacob Feldman, Leo Jones, and Elizabeth McPherson.
