Chinese APT Abuses VSCode to Target Government in Asia
Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant
TLD Tracker: Exploring Newly Released Top-Level Domains

Government Eradicates Ransomware Threat and Reinstates Critical Services

Unit 42® helped the client swiftly contain the threat actor, restore critical government systems, and briefed heads of state.

Results
Challenge
Outcomes
Get in Touch
Results
3days

To fully contain and eradicate the threat

7days

To restore critical government services

3briefings

To heads of state and cabinet, establishing trust and collaboration

The Client

Government

The Challenge

Following a ransomware attack that significantly impacted government operations, the client engaged Unit 42 for assistance. The team quickly mobilized to assess, investigate, secure and recover the affected systems. Unit 42 helped:

  • Assess the scope of damage.
  • Investigate and identify the threat actor.
  • Implement a recovery plan to get government services back up and running.

Unit 42’s Rigorous Incident Response Approach for Superior Outcomes

Assess

80% of systems were encrypted and inoperable, so Unit 42 used Cortex Xpanse® to map the enterprise environment to determine the entirety of the estate to assess the impact.

Investigate

Forensic analysis determined that initial access was gained using compromised credentials on a legacy remote access application.

Secure

Established a clean, new environment and restored core network services.

Recover

Restored critical systems including border control, phone systems and payroll to get the government operational.

Transform

Performed security strategy review and upleveled the government’s endpoint defense with Cortex XDR® to protect against known and unknown threats.

"We had a wonderful engagement with Unit 42. Their experience and familiarity with the threat actor was essential in resolving our ransomware incident quickly."

CIO

First trigger point

Assess

Investigate

Secure

Recover

Transform

Scroll right

Resolution Timeline

Assess

Investigate

Secure

Recover

Transform

Days 0 - 4
Crisis Intervention

Identified 80% of systems were encrypted, used Cortex Xpanse to map attack surface.

Deployed Cortex XDR for forensic collection and expanded visibility.

Contained the threat actor, isolated impacted systems and began restoring operations.

Reinstated nonimpacted web and email services after establishing containment.

Days 5 - 7
Decryption

Full scope, severity and nature of the incident uncovered through Cortex XDR forensic analysis.

Identified that initial entry in the government network used compromised credentials to access a legacy remote access system.

Established greenfield environment for restoration and restored core network services.

Began decryption and restoration of critical systems including border control, phone systems, payroll and driver’s license services.

Days 8 - 14
Restoration

Full extent of exfiltrated data identified.

Expanded deployment of Cortex XDR to 90%+ of the environment.

Continued decryption of systems and restored access to noncritical services.

Performed Unit 42 Attack Surface Assessment and closed identified security gaps.

Days 15 - 30
Fortification

Maintained threat-free environment with Cortex XDR and Unit 42 Managed Threat Hunting.

Finalized restoration activities ensuring high availability of critical systems.

Replaced legacy remote access system with Prisma Access® ZTNA.

Last trigger point

Threat-informed Incident Response

With Unit 42 Incident Response, stay ahead of threats and out of the news. Investigate, contain and recover from incidents faster and emerge stronger than ever before, backed by the full power of the world’s leading cybersecurity company. Contact us to gain peace of mind.

SPEAK TO AN EXPERT TODAY

Backed by the Industry’s Best

  • Threat Intel logo icon
    Threat Intel

    Extensive telemetry and intelligence for accelerated investigation and remediation.

  • Technology icon
    Technology

    Palo Alto Networks platform for in-depth visibility to find, contain and eliminate threats faster, with limited disruption.

  • Experience symbol
    Experience

    Trusted experts who mobilize quickly and act decisively in over 1K incidents per year.

Get the latest news, invites to events, and threat alerts