The client called Unit 42® to determine the extent of unauthorized access, negotiate the ransom payment and eradicate the threat.
Telecommunications company servicing millions of customers

Over the course of 13 hours, the client was hit with a severe ransomware attack that encrypted files on tens of thousands of systems, exfiltrated sensitive data and brought 50% of its business operations to a halt. The client asked Unit 42 to help:
Determine the attack vector in a 50K-endpoint environment
Negotiate the ransom with expert negotiators
Contain the threat and ensure continuity of business operations
The client realized it had been impacted by ransomware when it identified encrypted files and ransom notes within its enterprise environment. Unit 42 began assessing the attack within two hours.
Forensics and threat hunting quickly revealed Black Basta ransomware, the initial phishing email and the extent of unauthorized access.
Deployed Cortex XDR® across the impacted environment within 96 hours to ensure that the attack was contained, enabling the Unit 42 MDR team to begin 24/7 monitoring and threat hunting.
Negotiated 80% reduction from initial ransom demand and obtained, tested and implemented decryption keys.
Identified gaps in network segmentation, credential control, endpoint security and security visibility and deployed additional firewall and access control technologies.
Deployed Cortex XDR and Xpanse® for visibility across the enterprise for indicator and forensics collection.
Leveraged Unit 42 Threat Intelligence to identify Black Basta TTPs and IOCs to quickly close in on attacker.
Established contact with threat actor and negotiated 80% reduction from initial ransom demand.
Established secure connectivity for non-impacted sites.
Scope, severity and nature of the incident uncovered via Cortex XDR forensic analysis.
Root cause identified as a QBot phishing email; determined the extent of the data exfiltrated.
Implemented network segmentation and containment at client HQ using next-generation firewalls (NGFW) with SSL decryption/inspection enabled.
Began decryption using third-party decryption utility, completed network-wide credential reset.
Identified the full breadth of threat actor activity across the impacted environment.
Fully contained and evicted threat actor from the environment.
Restored critical business operations, decryption efforts shifted to lower-priority support systems.
Established secure connection to remote sites with Prisma Access.
IR and MDR remain in place for 24/7 monitoring. Started to remediate vulnerabilities identified in Xpanse mapping.
Continued rebuilding and restoring impacted servers and workstations.
Ensured full visibility, alerting, and protection through enterprise wide Cortex XDR deployment across 30K+ endpoints.
With Unit 42 Incident Response, stay ahead of threats and out of the news. Investigate, contain and recover from incidents faster and emerge stronger than ever before, backed by the full power of the world’s leading cybersecurity company. Contact us to gain peace of mind.
Extensive telemetry and intelligence for accelerated investigation and remediation.
Palo Alto Networks platform for in-depth visibility to find, contain and eliminate threats faster, with limited disruption.
Trusted experts who mobilize quickly and act decisively in over 1K incidents per year.