Blog

  • Fresh Produce | Three pairs of Shimano glasses with high-tech names

    The latest buzz around Shimano’s XTR and XT Di2 drivetrains, along with all-new brakes and wheels, has been, shall we say, electric. The brand is extremely well-known for its components and footwear, but its eyewear is sometimes…

  • Supposed Viking ship turned out to be a 15th-century vessel

    A shipwreck resting about 20 miles south of Stockholm, known as “Wreck 5,” has a new identity. It was long filed under “Viking,” but fresh fieldwork shows it is a late medieval vessel built with flush planking, a style that changed how…

  • Mucoactives Found to Have Little Benefit for Bronchiectasis

    A new study has found that neither hypertonic saline nor carbocisteine significantly reduced the mean incidence of pulmonary exacerbations in people with bronchiectasis over 52 weeks.

    “Some current guidelines recommend mucoactive drugs plus…

  • The “BlackSuit Blitz” at a Global Equipment Manufacturer

    Unit 42 recently assisted a prominent manufacturer who experienced a severe ransomware attack orchestrated by Ignoble Scorpius, the group that distributes BlackSuit ransomware. This incident serves as a reminder of how a seemingly minor issue — in this case, a single set of compromised VPN credentials — can lead to a full-scale corporate crisis with tremendous impact on the bottom line.

    The Attack: A Combination of Reconnaissance and Ransomware

    The Ignoble Scorpius attack began with a voice phishing (vishing) call. The attacker impersonated the company’s IT help desk and tricked an employee into entering their legitimate VPN credentials on a phishing site.

    With these credentials, the threat actor gained initial network access and immediately escalated their privileges. They executed a DCSync attack on a domain controller to steal highly privileged credentials, including a key service account. Using these compromised credentials, they moved laterally across the network using RDP and SMB, employing tools like Advanced IP Scanner and SMBExec to map the network and identify high-value targets.

    The attackers established persistence by deploying AnyDesk and a custom RAT on a domain controller, configured as a scheduled task to survive reboots. (It is important to note that threat actors often abuse and take advantage of legitimate products like AnyDesk for malicious purposes. We are not implying that the legitimate product is flawed.)

    The attackers then compromised a second domain controller, extracting the NTDS.dit database containing all user password hashes, and exfiltrated over 400 GB of data using a renamed rclone utility. To cover their tracks, the threat actors deployed CCleaner to erase forensic evidence before unleashing the final blow: BlackSuit ransomware, orchestrated through Ansible, simultaneously encrypted hundreds of virtual machines across approximately 60 VMware ESXi hosts, disrupting operations across the entire infrastructure.

    How Unit 42 Helped

    When Unit 42 was engaged, we helped the client expand their Cortex XDR deployment from 250 to over 17,000 endpoints, providing enterprise-wide visibility to track the attacker’s every move. We also leveraged Cortex XSOAR to automate containment actions, stopping the attack from spreading further.

    Our investigation identified the full attack path and led to several critical recommendations, including:

    • Network Security: Replace end-of-life Cisco ASA firewalls with Next-Generation Firewalls (NGFW), implement network segmentation, and restrict administrative access to critical systems (like DCs and ESXi hosts) to dedicated management VLANs.
    • Identity and Access Management: Enforce MFA for all remote access, disable NTLM or require EPA, rotate all credentials, and restrict service accounts from being used for interactive logons like RDP.
    • Endpoint and Server Hardening: Block EFSRPC using RPC filters to prevent PetitPotam/DCSync attacks, deploy and maintain a fully patched XDR solution on all endpoints, and have a strict policy for removing EOL systems.
    • Logging and Monitoring: Enhance log retention to 90-plus days for critical sources (ESXi, firewalls, Nasuni), ensure logs are properly parsed for effective analysis, and enable features like AWS CloudTrail log validation.

    The Outcome

    The client was able to achieve several key outcomes:

    • Financial demand negated: We successfully negated the $20 million ransom demand, ensuring the client paid no ransom.
    • Expanded visibility: The engagement expanded the client’s endpoint visibility from 250 to over 17,000, creating a robust foundation for future security operations.
    • Strategic guidance: We provided bespoke, strategic after-incident guidance, helping the client fortify their defenses and prevent future attacks.
    • Continuous monitoring: Following the incident, the client onboarded Unit 42 Managed Detection and Response (MDR) services for continuous monitoring, ensuring they are better prepared to handle future threats.

    The Takeaway

    This attack serves as a stark reminder that even a single compromised credential can create a domino effect, leading to a catastrophic security breach. The swift and sophisticated tactics of threat actors like Ignoble Scorpius and their use of BlackSuit ransomware demonstrate the critical need for a proactive and multi-layered defense strategy.

    By implementing MFA on all remote access points and integrating robust endpoint visibility, automated containment, and expert guidance, organizations can not only disrupt an attack in progress but also shore up their defenses to prevent future incidents. Most importantly, investments in proactive security assessments have been shown to pay dividends that far outweigh the operational and financial costs of a full-scale ransomware attack.

    Interested in learning more about the latest attack trends? If so, take a look at our 2025 Unit 42 Global Incident Response Report, which distills the most critical findings based on our direct experience responding to real-world cyberattacks at over 500 organizations across 38 countries.

    About Unit 42

    Unit 42 strengthens your team with the tools and expertise needed to stay ahead of threats like BlackSuit ransomware and protect your business. With our proven strategies and insights from thousands of engagements, we’ll help your team handle the toughest situations with confidence.

  • Samsung will introduce its Android XR headset at a Galaxy event on October 21

    Samsung is back with another event this fall, which it has dubbed Worlds Wide Open. The company said that it will use this opportunity to officially unveil its Android XR headset, internally known as Project Moohan. The livestreamed event will…

  • Why Do Women Outlive Men? Evolution’s Secret Revealed Across 1,000 Species – SciTechDaily

    1. Why Do Women Outlive Men? Evolution’s Secret Revealed Across 1,000 Species (SciTechDaily)
    2. Why do women live longer than men? A study offers clues to close the gap (NPR)
    3. Why do so many female animals live longer than males? New research (The…)

  • Poopular Science: AI toilets get to the bottom of your gut health

    Your morning poop can be a window into your well-being — if you know what to look for. Thanks to technology, that closer look can now be automated. From AI-powered apps analysing stool colour, shape, and consistency to detect potential…

  • 175+ CVEs, 3 under attack • The Register

    Spooky season is in full swing, and this extends to Microsoft’s October Patch Tuesday with security updates for a frightful 175 Microsoft vulnerabilities, plus an additional 21 non-Microsoft CVEs. And even scarier than the sheer number of bugs:…

  • Fatal Attraction: Electric Charge Connects Jumping Worm To Aerial Prey

    A tiny worm that leaps high into the air — up to 25 times its body length — to attach to flying insects uses static electricity to perform this astounding feat, scientists have found. The journal PNAS published the work on the…

  • From insight to impact: How clinical decision support is powering precision medicine in Middle East

    From clicks to clinical impact

    Beyond point-of-care support, clinical decision support solutions also offer powerful analytics. “We’re not just tracking usage—we’re translating it into insights,” said Fulcher. “We can show hospitals what clinicians are searching for, how that aligns with prescribing patterns, and where there are gaps in knowledge or compliance.”

    Integration and accessibility: Meeting clinicians where they are

    To maximize impact, clinical decision support tools must be embedded into clinical workflows. “The ideal solution is one click away—within the EMR, mobile app, or even Microsoft Copilot,” said Fulcher. “We’re building a hub-and-spoke model where trusted content is accessible wherever clinicians need it.”

    Dr. Ahmed Al-Dammas, Chief Data Officer at the Saudi Council of Health Insurance, stressed the importance of seamless access: “If it’s not integrated, it’s not used. Single sign-on, mobile optimization, and HL7 integration are no longer nice-to-haves — they’re must-haves.”

    While the clinical benefits are clear, the financial case is equally compelling. “CDS tools reduce adverse drug events, shorten hospital stays, and improve formulary compliance,” said Dr. Abu-Gheida. “That’s real ROI—especially in value-based care models.”

    Dr. Osama Hassan added, “If we want to move from fee-for-service to outcomes-based reimbursement, we need solutions that link decisions to results. Wolters Kluwer’s UpToDate® and Medi-Span® do exactly that.”

    Looking ahead: A shared vision for safer, smarter care

    As the Think Tank concluded, one message resonated: precision medicine is a team sport. It requires collaboration across clinicians, technologists, regulators, and solution providers.

    “We’re not just building tools—we’re building trust,” said Fulcher. “And that trust is what turns insight into impact.”