Improving detection and response after advanced cyber attack
Problem
A computing solutions provider fell victim to a ransomware attack, resulting in the theft of customer data, staff personal information, business-sensitive data, and classified/protectively marked material.
The threat actor remained undetected within the network for ten days, using VPNs to obscure activity and exfiltrate data. At the time of the incident, the malware variant was extremely new, with only six anti-malware vendors capable of detecting it. The breach raised critical concerns over data security, detection capabilities, and network resilience.
Response
Toro delivered a comprehensive incident response and technical investigation, beginning with containment of the ransomware and tracing the threat actor’s dwell time, methods of persistence, and data exfiltration paths. Toro identified the limited initial detection of the malware and took the proactive step of submitting the unknown executable to VirusTotal and the broader security community, rapidly expanding detection across the industry. Following threat eradication, Toro supported a full network rebuild, working closely with the internal IT team to re-architect the infrastructure with secure-by-design principles.
Outcome
The threat actor was successfully removed, and the compromised network was rebuilt from the ground up to enhance long-term security and resilience. Toro’s early identification and submission of the malware executable led to a global increase in detection capability, with over 40 anti-malware vendors updating their signatures within 12 hours. The provider now operates on a secure, redesigned network infrastructure, with improved threat visibility, incident detection, and a proactive security posture grounded in industry best practices.