Silent Alerts: Anatomy of LockBit-Attributed Ransomware Intrusion
Apr 22, 2026

Security tools won't save you if nobody is watching them. This is a real-world investigation into a ransomware attack that was flagged, logged, and completely ignored for 97 days.

The Alarm Was Going Off, Nobody Picked Up.

Overview

A mid-sized organization. A misconfigured firewall. And 97 days of unnoticed activity that ended with ransomware encrypting everything in sight: domain controllers, file servers, and virtual infrastructure, all in a single night.

When our DFIR team was called in, the damage was done. Within a couple of days we had the full picture. What we found was less about the attacker and more about the organization, and about the quiet, invisible gap between having security tools and actually being protected by them.

The Challenge

The organization wasn't ignoring security. They had invested in tools, had a perimeter firewall in place, and were running endpoint protection across parts of their environment. On paper, the foundations were there.

But several small, individual oversights had quietly stacked on top of each other:

  • A perimeter firewall exposed to the internet and running with unpatched critical vulnerabilities
  • Endpoint protection only partially deployed: some systems covered, others completely blind
  • Domain administrator credentials embedded in the firewall's LDAP integration with Active Directory, so whoever controlled the firewall held domain-wide privilege
  • No defined process for what should happen when a security alert fires
  • No one reviewing coverage gaps or validating that the tools in place were actually working

None of these issues were catastrophic on their own. Together, they created an environment where an attacker could walk in, look around, and take their time, and that is exactly what happened.

The Response

Our team was engaged after the ransomware had already executed. Within days, we had reconstructed the full attack timeline through forensic analysis of logs, artifacts, and endpoint telemetry, piecing together 97 days of attacker activity from the first foothold to the final encryption.

What the investigation revealed was uncomfortable but clear:

  • Microsoft Defender flagged a known ransomware binary on day one; nobody responded
  • Multiple high and critical severity alerts fired over the following weeks; none were acted on
  • Over 5,000 files were exfiltrated to an external server while the alerts sat unacknowledged
  • The attacker disabled security products across domain controllers before deploying ransomware
  • By the time anyone noticed, domain controllers, file servers, and ESXi virtual infrastructure had all been encrypted

The attacker was not sophisticated. They were simply patient. And in an environment where nobody was watching, patience was all they needed.

Outcome

The investigation gave the organization something they didn't have before the incident: complete visibility into exactly what happened and a clear understanding of why.

The forensic timeline showed the breach was preventable at multiple points through:

  • Consistent patch management on perimeter devices
  • Full endpoint protection coverage across every system
  • Least privilege principles applied to service accounts and integrations
  • A defined alert triage and escalation process with clear ownership
  • Regular configuration reviews before an attacker finds the gaps for you
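Three of the gaps above (partial endpoint coverage, alerts left unacknowledged, and an integration account sitting in Domain Admins) can be checked mechanically rather than waiting for an incident to reveal them. The script below is an added example, not the investigating team's tooling or anything from the client's environment: it runs the same kind of checks over small inventories, alert records and group memberships that are constructed inline. The hostnames, account names, alert IDs and triage SLA values are all assumptions for illustration; in practice the inputs would come from your directory, your EDR console and your SIEM.

```python
"""Control-validation checks for the gaps described in this case study.

Added example; the inventories, alerts, group memberships and SLA values
below are constructed for illustration, not taken from any real environment.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed inventories: what the directory says exists vs. what the EDR reports.
AD_COMPUTERS = {"DC01", "DC02", "FS01", "FS02", "APP03", "ESXI-MGMT"}
EDR_ENROLLED = {"DC01", "FS01", "APP03"}  # DC02, FS02 and ESXI-MGMT have no agent

# Constructed group membership: the firewall's LDAP bind account is a Domain Admin.
PRIVILEGED_GROUPS = {
    "Domain Admins": {"administrator", "svc-fw-ldap", "jdoe"},
    "Enterprise Admins": {"administrator"},
}
SERVICE_ACCOUNT_PREFIX = "svc-"  # assumed naming convention for integration accounts

# Assumed triage SLA: how long an unacknowledged alert may sit, by severity.
TRIAGE_SLA = {
    "critical": timedelta(hours=1),
    "high": timedelta(hours=4),
    "medium": timedelta(days=1),
    "low": timedelta(days=7),
}


@dataclass
class Alert:
    alert_id: str
    host: str
    severity: str  # "low" | "medium" | "high" | "critical"
    raised_at: datetime
    acknowledged: bool


NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)  # constructed reference time
ALERTS = [
    Alert("A-1", "FS01", "critical", NOW - timedelta(days=97), False),  # day-one hit, never triaged
    Alert("A-2", "APP03", "high", NOW - timedelta(days=40), False),
    Alert("A-3", "DC01", "medium", NOW - timedelta(hours=6), False),   # still inside SLA
    Alert("A-4", "DC01", "high", NOW - timedelta(days=3), True),       # handled
]


def coverage_gaps(directory_hosts, edr_hosts):
    """Hosts the directory knows about that report to no endpoint agent."""
    enrolled = {h.upper() for h in edr_hosts}
    return sorted(h.upper() for h in directory_hosts if h.upper() not in enrolled)


def overdue_alerts(alerts, now, sla=TRIAGE_SLA):
    """Unacknowledged alerts older than their severity's triage SLA, oldest first."""
    overdue = [a for a in alerts if not a.acknowledged and now - a.raised_at > sla[a.severity]]
    return sorted(overdue, key=lambda a: a.raised_at)


def privileged_service_accounts(groups, prefix=SERVICE_ACCOUNT_PREFIX):
    """(account, group) pairs where a service/integration account holds privileged membership."""
    return sorted(
        (member, group)
        for group, members in groups.items()
        for member in members
        if member.lower().startswith(prefix)
    )


def run_checks():
    """Run all three checks and return a report keyed by finding type."""
    return {
        "coverage_gaps": coverage_gaps(AD_COMPUTERS, EDR_ENROLLED),
        "overdue_alerts": [a.alert_id for a in overdue_alerts(ALERTS, NOW)],
        "privileged_service_accounts": privileged_service_accounts(PRIVILEGED_GROUPS),
    }


if __name__ == "__main__":
    for finding, items in run_checks().items():
        print(f"{finding}: {items}")
```

Each finding maps to one of the points in the list above: a host in `coverage_gaps` is a system the EDR would never have alerted on, an ID in `overdue_alerts` is an alert that has outlived its triage window with no owner, and an entry in `privileged_service_accounts` is an integration credential that would hand domain-wide privilege to whoever compromises the device holding it. Scheduling a check like this and treating a non-empty result as a ticket is the minimum "someone is watching" control this case study argues for.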

The full findings, forensic evidence, and recommendations are documented in the report.
