Unit 42 Stops Silent Attack on Tech Leader and Reduces Ransom by 70%

A complex cyberattack leading to 42 days of silent compromise prompted the client to bring in Unit 42® to investigate, contain, and rebuild the compromised network.

Results
70% reduction in ransom demand.

1 minute to identify the threat actor upon seeing the ransom note.

3 days to resume critical operations.

The Client

A Fortune Global 500 manufacturing technology company headquartered in Asia with subsidiary companies around the world.

The Challenge

The client was facing a multifaceted cyberattack involving Akira ransomware, a cloud breach, data theft, and extortion. Compounding the incident was the failure of its deployed EDR solution to alert on malicious activity — despite logging the events — and the lack of response by its existing IR firm. It was also dealing with lateral movement across its manufacturing and corporate domains, and the deletion of critical cloud assets. Unit 42 came in to help:

  • Perform forensic investigation and contain the incident.
  • Eradicate the threat actor from the environment.
  • Negotiate terms with the threat actor and understand the data at risk.
  • Get the client’s network back up and running in a secure manner, rebuild systems to a clean state, and reduce the attack surface through onboarding Cortex XSIAM® and Prisma® Access.

Unit 42’s Rigorous Incident Response Approach for Superior Outcomes

Assess

The initial assessment revealed that the client’s EDR tools recorded logs but did not generate any alerts.

Investigate

With Cortex XSIAM deployed, Unit 42 stitched together data from across the client’s systems to build a complete picture of attacker activity.

Secure

Cortex XDR rolled out across 18,000 endpoints, fortified systems, and enabled 24/7 monitoring with Unit 42 MDR services.

Recover

Implemented network segmentation and rebuilt environment to a clean state.

Transform

Reduced attack surface, enhanced visibility, and provided strategic guidance to address specific weaknesses.

"The Unit 42 team works in a highly professional manner. They are efficient, fast, and absolute subject matter experts."

CISO, Manufacturing Tech Company


Resolution Timeline


0–5 Days
Crisis Intervention

The initial assessment revealed that the client’s tools had logged the malicious activity but generated no alerts on it.

Analyzed logs from ESXi servers, firewalls, SIEM, VPN access, and workstation and server images.

Gained insights into 80% of the environment across 18,000 endpoints through XSIAM and deployed MDR.

Began rebuilding domain controllers, resetting credentials, patching ESXi servers, and upgrading firewall firmware.

6–14 Days
Decryption

Prioritized business-critical servers to restore operations.

Continued forensics investigation by stitching data across various systems.

Rebuilt server OSes, reset credentials, migrated data, and installed Cortex® on network-accessible devices.

Recovered systems with a decryption key.

15–30 Days
Continued Restoration

Rebuilt operating systems and installed Cortex XSIAM.

Rebuilt business-critical servers after decryption.

Introduced a security blueprint and network segmentation to isolate critical infrastructure.

30+ Days
Fortification

Reduced the attack surface through hardening measures, eliminated end-of-life systems, and maintained current patch levels.

Restored network and business to be fully operational and strengthened AWS security posture.

Enhanced visibility with Cortex XSIAM, provided strategic guidance to the C-suite, and onboarded MDR services for 24/7 monitoring.


Threat-informed Incident Response

With Unit 42 Incident Response, stay ahead of threats and out of the news. Investigate, contain and recover from incidents faster and emerge stronger than ever before, backed by the full power of the world’s leading cybersecurity company. Contact us to gain peace of mind.

Backed by the Industry’s Best

  • Threat Intel

    Extensive telemetry and intelligence for accelerated investigation and remediation.

  • Technology

    Palo Alto Networks platform offers in-depth visibility to find, contain and eliminate threats faster, with limited disruption.

  • Experience

    Trusted experts mobilize quickly and act decisively in over 1K incidents per year.