Reacting Quickly to a Compromised Server Immediately Stopped Attackers


Industry: Tourism

Incident: Ransomware

After a weak test account left its servers open to infiltration, a leading tourist attraction developer hired Pragma to contain the breach and protect their data.



  • The Threat Actors (TA) conducted a brute force attack against the Fortigate Firewall.
  • Malware from the Phobos family of ransomware encrypted some files for ransom.
  • The criminals gained access and uninstalled Norton anti-malware.
  • At the point of first contact with Pragma, no data exfiltration had occurred.

A leading tourist attraction developer contacted Pragma after the IT Manager discovered unusual activity on one of their servers. This company, whom we’ll refer to as  LT. showcases high-quality tourist projects throughout Asia. LT creates unique cultural experiences at special sites throughout Asia. A data breach would have harmed their credibility and exposed them to many costs to repair the damage.

First Contact
The IT Manager first noted suspicious activity on the morning of February 24, 2020. The initial indicator was suspicious activity against their Fortigate firewall. Through analysing this activity, the IT Manager saw a breach had occurred. They found encrypted files on LT’s servers.

The IT Manager saw a clear pattern of suspicious behaviour. The attackers attempted port enumeration to enable lateral movement in the network.

Password dumping by the criminals opened possibilities for privilege escalation. The threat actors attempted to open and exploit weak ports to target the Symantec Endpoint Protection. This allowed them to successfully execute the malware.

Seeing this level of malicious activity caused the IT Manager to seek help. Pragma was engaged to contain the breach,analyse the threat, and restore LT’s security perimeter.



  • Investigations revealed the dates of the infiltration and the specific ports targeted.
  • The Cyber Incident Response Team (CIRT) compared the firewall configuration from before and after the attack to discover port forwarding and RDP vulnerabilities.
  • All attacks occurred through a test user account with a weak password.
  • Pragma determined no data, especially Personally Identifiable Information, was extracted during the attack period.

Very quickly, Pragma’s CIRT discovered the attackers used a brute force strategy. They targeted a public HR server using the Remote Desktop Protocol. Through this vulnerable spot,the threat actors tried to move laterally through the network.

In addition to the initial attack,a second attack was suspected. Another set of folders on a different server was encrypted through Server Message Block (SMB) file share. By analysing the timestamps and conducting a forensic investigation, the CIRT dismissed the existence of a second attack.

Containing a single breach and restoring operations were the next steps for Pragma and the client to take together.


Backup Scanning and Restoration

All affected servers were rebuilt from scratch to receive pre-scanned data from backups.

Anti-Malware Software

Sophos Intercept X Advanced with EDR was installed on every server and configured to run a deep malware scan at midnight of each day.

Updated Firewall Rules

Firewall rules were reviewed with the client to ensure all rules are known.

User Access Management

The principle of least privilege/access was implemented and has been adhered to by the client.

Vulnerable Port Scanning

Open ports were closed, and an external port scan protocol has been implemented to avoid a recurrence.

Password Strengthening

User password protocols and multi-factor authentication have been proposed to prevent unauthorised access.


With annual revenue in excess of 30 million SGD,a rapid resolution for LT was critical. LT could not function during the ransomware attack.The IT Manager’s quick identification of malicious activity enabled Pragma’s Cyber Incident Response Team to act rapidly.

The CIRT contained the breach within a few days and full control was given back to LT after approximately 1 week. This included the time taken to reconstruct a critical database for which there were no backups. After a short recovery window, the client was fully operational and more secure than before.

Introducing Zero Upfront Incident Response Retainer
This is default text for notification bar