Case Studies

Ransomware Incident Response for Higher Education Institution


A higher education institution approached FTI Cybersecurity through their insurance provider after experiencing a ransomware attack. Analysis of the client’s server environment indicated that they had fallen victim to Akira ransomware, a new family of ransomware first seen in March 2023.


The FTI Cybersecurity team began by deploying an Endpoint Detection and Response (EDR) tool with ransomware protection, used to ensure the client’s server environment was secure during the rebuilding process. FTI Cybersecurity also conducted targeted threat hunting to help identify additional Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) that were relevant to the ransomware variant. This investigation helped determine if additional systems or networks were impacted.

Per the client’s request for a light touch investigation, FTI Cybersecurity used a remote evidence collection tool to identify threat actor actions and the toolsets used during the compromise.


Immediately after FTI Cybersecurity completed its remote collections, the client’s IT staff began remediation operations, and the client successfully recovered from the ransomware attack. In addition to the investigation and collection work, FTI Cybersecurity produced a final report that included all findings, which contained actionable insight for the client.