Unit 42® helped the client swiftly contain the threat actor, restore critical government systems, and brief heads of state.
- Contained the threat actor, to fully contain and eradicate the threat
- Restored critical government systems, to restore critical government services
- Briefed heads of state and cabinet, establishing trust and collaboration
Industry: Government
Following a ransomware attack that significantly impacted government operations, the client engaged Unit 42 for assistance. The team quickly mobilized to assess, investigate, secure and recover the affected systems. Unit 42 helped:
- 80% of systems were encrypted and inoperable, so Unit 42 used Cortex Xpanse® to map the enterprise environment, determine the full extent of the estate and assess the impact.
- Forensic analysis determined that initial access was gained using compromised credentials on a legacy remote access application.
- Established a clean, new environment and restored core network services.
- Restored critical systems, including border control, phone systems and payroll, to get the government operational.
- Performed a security strategy review and upleveled the government's endpoint defense with Cortex XDR® to protect against known and unknown threats.
"We had a wonderful engagement with Unit 42. Their experience and familiarity with the threat actor was essential in resolving our ransomware incident quickly."
CIO
Engagement timeline:
- Identified that 80% of systems were encrypted; used Cortex Xpanse to map the attack surface.
- Deployed Cortex XDR for forensic collection and expanded visibility.
- Contained the threat actor, isolated impacted systems and began restoring operations.
- Reinstated non-impacted web and email services after establishing containment.
- Uncovered the full scope, severity and nature of the incident through Cortex XDR forensic analysis.
- Identified that initial entry into the government network used compromised credentials to access a legacy remote access system.
- Established a greenfield environment for restoration and restored core network services.
- Began decryption and restoration of critical systems, including border control, phone systems, payroll and driver's license services.
- Identified the full extent of exfiltrated data.
- Expanded deployment of Cortex XDR to 90%+ of the environment.
- Continued decryption of systems and restored access to noncritical services.
- Performed a Unit 42 Attack Surface Assessment and closed identified security gaps.
- Maintained a threat-free environment with Cortex XDR and Unit 42 Managed Threat Hunting.
- Finalized restoration activities, ensuring high availability of critical systems.
- Replaced the legacy remote access system with Prisma Access® ZTNA.
With Unit 42 Incident Response, stay ahead of threats and out of the news. Investigate, contain and recover from incidents faster and emerge stronger than ever before, backed by the full power of the world’s leading cybersecurity company. Contact us to gain peace of mind.
Extensive telemetry and intelligence for accelerated investigation and remediation.
Palo Alto Networks platform for in-depth visibility to find, contain and eliminate threats faster, with limited disruption.
Trusted experts who mobilize quickly and act decisively in over 1K incidents per year.