Ransomware

Reacting Quickly to a Compromised Server Prevented Data Theft and Ransom Demands

The Background

A leading tourist attraction developer contacted Pragma after the IT Manager discovered unusual activity on one of their servers.

This company, which we'll refer to as LT, showcases high-quality tourist projects throughout Asia. The IT Manager first noticed suspicious activity on the morning of February 24, 2020; the initial indicator was anomalous activity against LT's FortiGate firewall. Analysis of that activity showed a breach had occurred: encrypted files were found on LT's servers. Pragma was engaged to contain the breach, analyse the threat, and restore LT's security perimeter.

The Process

Pragma's CIRT quickly established that the attackers had used a brute-force strategy, targeting a public-facing HR server over the Remote Desktop Protocol (RDP). From that foothold, the threat actors attempted to move laterally through the network, and a further set of folders on a different server was encrypted over a Server Message Block (SMB) file share. By analysing timestamps and conducting a forensic investigation, the CIRT ruled out a second, separate attack. Containing the single breach and restoring operations were the next steps for Pragma and the client to take together.
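The initial access described above, password guessing against an RDP-exposed server, leaves a characteristic trail in the Windows Security log: a burst of Event ID 4625 (failed logon) records with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a 4624 (successful logon) from the same address. The following is an added detection example written for this page; it is not Pragma's tooling or code from the case study. It assumes a simplified, constructed `key=value` export of those events (real Windows events would be pulled with Get-WinEvent or a SIEM and would need their own parser), and the addresses, account names and thresholds are all made up for illustration.

```python
"""Flag RDP brute-force bursts and any successful logon that follows one.

Added example, not part of the original case study. Input is a constructed,
simplified key=value export of Windows Security events; Event 4625 is a failed
logon, 4624 a successful one, and logon type 10 marks an RDP session.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive

# Constructed sample records: one address guesses six passwords in 15 seconds
# and then gets in as "hrsvc"; a user mistypes once; a non-RDP service logon.
SAMPLE_LOG = """\
time=2020-02-24T02:00:01 event=4625 logon_type=10 src=203.0.113.45 user=administrator
time=2020-02-24T02:00:03 event=4625 logon_type=10 src=203.0.113.45 user=admin
time=2020-02-24T02:00:06 event=4625 logon_type=10 src=203.0.113.45 user=hr
time=2020-02-24T02:00:09 event=4625 logon_type=10 src=203.0.113.45 user=hradmin
time=2020-02-24T02:00:12 event=4625 logon_type=10 src=203.0.113.45 user=hrsvc
time=2020-02-24T02:00:15 event=4625 logon_type=10 src=203.0.113.45 user=hrsvc
time=2020-02-24T02:01:40 event=4624 logon_type=10 src=203.0.113.45 user=hrsvc
time=2020-02-24T08:15:00 event=4625 logon_type=10 src=198.51.100.7 user=jlim
time=2020-02-24T08:15:20 event=4624 logon_type=10 src=198.51.100.7 user=jlim
time=2020-02-24T09:00:00 event=4624 logon_type=3 src=10.0.0.5 user=backupsvc
"""

LINE_RE = re.compile(
    r"time=(\S+) event=(\d+) logon_type=(\d+) src=(\S+) user=(\S+)"
)


def parse_events(text):
    """Parse the constructed export into dicts, sorted by time; skip bad lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # malformed line: skip it rather than abort the whole run
        ts, event_id, logon_type, src, user = match.groups()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "user": user,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for RDP logon activity.

    One 'rdp_brute_force' alert is raised per source address the first time it
    reaches `threshold` failed RDP logons inside a sliding `window`. A successful
    RDP logon from an address that still has `threshold` or more failures in the
    window raises 'rdp_success_after_brute_force', the case that matters most.
    """
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of recent RDP failures
    already_flagged = set()

    for event in events:
        if event["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RDP sessions are of interest here
        recent = failures[event["src"]]
        while recent and event["time"] - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window

        if event["event"] == FAILED_LOGON:
            recent.append(event["time"])
            if len(recent) >= threshold and event["src"] not in already_flagged:
                already_flagged.add(event["src"])
                alerts.append({
                    "type": "rdp_brute_force",
                    "src": event["src"],
                    "failures": len(recent),
                    "time": event["time"],
                })
        elif event["event"] == SUCCESSFUL_LOGON and len(recent) >= threshold:
            alerts.append({
                "type": "rdp_success_after_brute_force",
                "src": event["src"],
                "user": event["user"],
                "failures": len(recent),
                "time": event["time"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample data this produces two alerts, both for 203.0.113.45: the burst itself, and the later successful logon as `hrsvc`, which is the account a responder would want to disable and investigate first. The single failure from 198.51.100.7 stays below the threshold and is not reported, which is the point of using a count inside a time window rather than alerting on every 4625.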

The Result

With annual revenue in excess of 30 million SGD, a rapid resolution for LT was critical: LT could not function during the ransomware attack. The CIRT contained the breach within a few days, and full control was handed back to LT after approximately one week. This included the time taken to reconstruct a critical database for which there were no backups. After a short recovery window, the client was fully operational and more secure than before. We recommended the following:

  • Backup Scanning and Restoration
  • Anti-Malware Software
  • Updated Firewall Rules
  • User Access Management
  • Vulnerable Port Scanning
  • Password Strengthening

Tags:

Compromised Server
Data Theft
Ransom Demands
Incident Response
Brute Force Attack
Remote Desktop Protocol
SMB File Share
Ransomware Attack
Backup Scanning and Restoration
Anti-Malware Software
Firewall Rules
User Access Management
Vulnerable Port Scanning
Password Strengthening
