An engineering company that provides services to the aviation industry was hit by LockBit ransomware, which prevented its engineers from working on active projects and from developing plans for new or upcoming engagements. The company engaged FTI Cybersecurity to provide immediate containment guidance, with an emphasis on preserving affected systems and logs so that a forensic investigation could follow the containment effort.
FTI Cybersecurity worked with the company in two concurrent workstreams: one for incident response and forensic investigation, and one for remediation support and recommendations. Findings from the forensic investigation, drawn from the preserved logs and from open-source research, fed directly into the remediation workstream.
Working with the company and its outsourced information technology vendor, FTI Cybersecurity obtained several physical devices (endpoints and servers) and log artifacts for forensic review. The team conducted triage and deep-dive forensic analysis of all evidence and produced a detailed investigative report. To further support the investigation, FTI Cybersecurity conducted extensive open-source and dark web research to identify any references to the company.
FTI Cybersecurity used the log evidence to identify the earliest indicators of compromise across the company's network and to reconstruct how the threat actors moved laterally through the network after obtaining domain administrator credentials. This gave the company the insight it needed to secure the network and audit the accounts in the environment. Analysis of the endpoints and servers provided critical evidence of the malware execution and found no evidence that data had been exfiltrated from the organization.
FTI Cybersecurity provided clear and ongoing guidance as the company restored systems from pre-compromise backups, and assisted in reconfiguring systems with complex global interdependencies. The streamlined investigative process allowed the company to focus on remediation and left it confident that addressing the identified gaps in its cybersecurity controls would reduce the risk of future network compromises.