
The breach with too many suspects

Determining the source of a ransomware attack across multiple contractors and providers

  • Breach cause identified: 1
  • File exfiltration verified: confirmed
  • Notification obligations satisfied: met

The situation

A professional services firm was hit by a ransomware attack targeting its cloud-hosted virtual servers. The investigation was complicated by the number of parties with access to the environment: multiple contractors, a previous managed service provider, and the current MSP. Determining who or what was responsible for the breach required untangling overlapping access and responsibilities.

Details in this case study have been altered to protect client confidentiality. The core facts, forensic methodology, and outcomes are accurate.

What we found

Using advanced forensic techniques, NDF confirmed that files had been exfiltrated from the environment before the ransomware was deployed. The firm was therefore facing not just an encryption event but a data breach with potential notification obligations. The investigation then identified the specific cause of the breach, establishing whether the entry point lay with a contractor, with the previous MSP, or with security controls that had never been implemented.

How we responded

NDF conducted a forensic investigation of the cloud virtual server environment:

  • Ransomware analysis to establish the attack vector and the method used to deploy the encryptor
  • Exfiltration confirmation using advanced forensic techniques to verify that data had actually left the environment, rather than assuming it had
  • Access timeline reconstruction across every party with system access, including contractors, the previous MSP, and the current MSP, so that each action could be attributed to an account and a party
  • Root cause identification to pinpoint the specific vulnerability or control failure that enabled the breach
  • Notification support, helping the firm understand and meet its obligations under applicable data breach notification requirements

The outcome

NDF provided the firm with a clear answer to the critical question: how did the attackers get in? By establishing the root cause across a complex, multi-party environment, the firm could address the vulnerability, assign appropriate responsibility, and meet its legal notification obligations with confidence in the accuracy of its disclosures.

Lessons for similar organisations

  • Shared access means shared risk. When multiple contractors and providers have access to an environment, clear access controls and logging are essential. Without them, incident investigation becomes significantly more complex.
  • Ransomware often means data theft too. Modern ransomware operations frequently exfiltrate data before encrypting it. For notification purposes, organisations should treat data theft as likely until forensic evidence confirms otherwise.
  • Know your notification obligations before a breach occurs. Having a clear understanding of when and how to notify reduces response time and legal risk when a breach is confirmed.