When a company is hit with ransomware, it needs a specialised cyber security partner with the experience and capabilities to support it through one of the worst challenges in business. When two threat actors breach a business simultaneously, only the best can contain the damage, protect critical data, and help it quickly and safely resume operations.
That was the case when an international professional services company, with highly sensitive customer information and offices worldwide, was attacked in early 2025.
The initial call for support
The company’s insurance carrier contacted Quorum Cyber to lead the forensic investigation that the incumbent managed security services provider (MSSP) had begun; the MSSP had been fighting to regain control of the IT network for several weeks.
The international company had previously received emails from two threat actors, Cactus and RansomHub, both of which operate under a Ransomware-as-a-Service (RaaS) model, each claiming to have penetrated the IT network and stolen data.
Although the incumbent MSSP had defended the company for many years using SentinelOne, it had not evolved with its customer to keep providing adequate protection against ever-evolving cybercrime. The international company had outgrown its MSSP and lacked sufficient round-the-clock security, both on-premises and across its multi-cloud environment.
Investigating two breaches – and eradicating two adversaries
Following a preliminary assessment, Quorum Cyber found evidence of a full IT domain compromise by an active, hands-on adversary lurking inside the network with unrestricted access to it. The team also assessed that the threat actor was preparing to encrypt data, and therefore advised the victim company to take the decisive step of temporarily disabling internet access at two sites. This headed off an encryption event while the team worked on a remediation strategy designed to limit business interruption.
When a threat actor is active in the environment, it is imperative to rapidly gain and maintain operational visibility across the technology estate so that the adversary’s actions can be identified as quickly as possible. Containment is critical to minimising the threat actor’s impact and is the last line of defence against long-term financial and reputational harm.
Digital Forensics and Incident Response (DFIR) teams worldwide take a similar approach to containment, but often limit their monitoring to endpoint telemetry from Endpoint Detection and Response (EDR) tools. EDR is critically important, but effectively containing a sophisticated cybercriminal or nation-state actor requires visibility into other telemetry as well: the cloud estate and, most critically, the identity and access management platforms, which hold rich evidence of privilege escalation, lateral movement and the other mid-kill-chain steps present in nearly every serious incident.
To provide that visibility, Quorum Cyber’s team deployed additional security tooling and detection capabilities to the on-premises infrastructure and the cloud estate, and provided robust 24/7 proactive security monitoring through Quorum Cyber’s Emergency Managed Detection and Response (MDR) service, which goes beyond the limitations of an EDR-only approach.
Over several weeks, Quorum Cyber collaborated with the customer’s US and UK legal counsel, its internal legal and IT teams, and the incumbent MSSP to remediate the threat safely.
A thorough root cause analysis found that the Fortinet FortiGate firewall appliances, which control ingress and egress network traffic and VPN connectivity for the IT network, were vulnerable to two authentication-bypass vulnerabilities, CVE-2024-55591 and CVE-2025-24472, which had been exploited in the wild before they were published. Fortinet’s advisory covering them was first released on 14th January 2025 for the cyber security community to act upon.
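Once an appliance is known to have been exposed to these vulnerabilities, patching is only half the job; the appliance’s own event log needs to be checked for signs that the bypass was used. Fortinet’s advisory for these CVEs lists administrative logins and admin-account creation where the `ui` field reads `jsconsole` as indicators, since a legitimate administrator logs in through the GUI or SSH, not the JavaScript console. The following is an added example, not Quorum Cyber’s or Fortinet’s code, of a hunt over FortiGate event-log lines in their key=value syslog format. The log lines are constructed for the example; the IP addresses and account names in them are placeholders.

```python
"""Hunt FortiGate event logs for CVE-2024-55591 / CVE-2025-24472 indicators.

Added example. Parses Fortinet's key=value syslog format and flags two of
the indicators from Fortinet's advisory: successful admin logins and admin
account creation where the ui field starts with "jsconsole". Sample lines
below are constructed; IPs, device names and account names are placeholders.
"""
import re

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortilog(line):
    """Return a dict of fields from one FortiGate log line, quotes stripped."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


# Constructed sample log lines (placeholder IPs, device and account names).
SAMPLE_LOGS = [
    # Legitimate GUI login by a known administrator from the management subnet.
    'date=2025-01-15 time=09:02:11 devname="FGT-HQ" logid="0100032001" type="event" '
    'subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'user="admin" ui="https(10.10.1.20)" method="https" srcip=10.10.1.20 dstip=10.10.1.1 '
    'action="login" status="success" profile="super_admin" msg="Administrator admin logged in successfully from https(10.10.1.20)"',
    # Login through the JavaScript console from an external address: advisory indicator.
    'date=2025-01-15 time=23:41:07 devname="FGT-HQ" logid="0100032001" type="event" '
    'subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'user="admin" ui="jsconsole" method="jsconsole" srcip=203.0.113.45 dstip=10.10.1.1 '
    'action="login" status="success" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    # New admin account created from the console: second advisory indicator.
    'date=2025-01-15 time=23:42:30 devname="FGT-HQ" logid="0100044547" type="event" '
    'subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgpath="system.admin" '
    'cfgobj="vOcep" cfgattr="accprofile[super_admin]" msg="Add system.admin vOcep"',
    # Benign admin account created through the GUI during onboarding.
    'date=2025-01-16 time=10:05:00 devname="FGT-HQ" logid="0100044547" type="event" '
    'subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="admin" ui="GUI(10.10.1.20)" action="Add" cfgpath="system.admin" '
    'cfgobj="helpdesk_ro" cfgattr="accprofile[prof_admin]" msg="Add system.admin helpdesk_ro"',
]


def hunt(lines):
    """Return a list of (indicator, detail) tuples for lines matching the advisory IoCs."""
    findings = []
    for line in lines:
        ev = parse_fortilog(line)
        ui = ev.get("ui", "")
        if not ui.startswith("jsconsole"):
            continue  # both indicators hinge on the jsconsole UI
        if ev.get("logdesc") == "Admin login successful" and ev.get("status") == "success":
            findings.append(("jsconsole_admin_login",
                             f"user={ev.get('user')} srcip={ev.get('srcip')} "
                             f"at {ev.get('date')} {ev.get('time')}"))
        elif ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            findings.append(("admin_account_added_via_jsconsole",
                             f"new_admin={ev.get('cfgobj')} profile={ev.get('cfgattr')} "
                             f"at {ev.get('date')} {ev.get('time')}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in hunt(SAMPLE_LOGS):
        print(f"[{indicator}] {detail}")
```

The parser is the useful part: once a line is a dict, the same loop can be extended to the other indicators in the advisory (SSL-VPN user or tunnel additions, firewall policy changes) by matching on `cfgpath` and `action`, and the source IPs it recovers feed straight into the VPN and identity telemetry discussed earlier.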
Quorum Cyber took several remediation steps to mitigate the incident, including:
- Decommissioning compromised IT systems
- Creating new IT systems for critical business services
- Providing guidance regarding credential resets
- Identifying and removing malicious backdoors
- Patching vulnerable network appliances
- Closing configuration gaps to improve overall security posture
- Conducting a comprehensive forensic investigation to support regulatory obligations
Within six weeks of the engagement’s start, Quorum Cyber had neutralised all threats and ended negotiations with both cybercriminal groups. No further unauthorised activity has been detected in the customer’s IT environments since the initial call. The engagement earned the customer’s trust: it is now protected against the two adversaries and, through the Emergency MDR service, against other potential cyber-attacks.
Quorum Cyber’s unique range of skillsets, including incident response and ransom negotiations, coupled with its advanced containment monitoring expertise, ensured that the situation was contained quickly. The two threat actors were eradicated from the systems and security was reinforced so that the same types of attacks won’t be successful again.
In addition to the technical expertise provided, Quorum Cyber’s team also delivered an executive briefing of the whole incident and advised on crisis communications to key stakeholders within the business and externally.
Uncovering historical security lapses
During the investigation, conducted with the Microsoft Security stack, Quorum Cyber flagged a number of serious issues that together left the IT estate without adequate security:
- EDR was not implemented on every system
- IT networks had not been segmented
- Multi-factor authentication (MFA) had not been adopted
- Identity and access management controls needed improvement to limit privileges to only those required
- Cloud estates, on-premises assets, endpoints and network security infrastructure lacked hardening, with no secure architecture and inconsistent vulnerability management practices
- Security controls were sparse overall
- Security tools that were in place were improperly configured, rendering them ineffective
These gaps left the company exposed to cyber-attacks, and the plethora of tools already in place could not have given any cyber security company the complete visibility of the IT estate that Microsoft 365 Defender, Microsoft Defender for Identity and Microsoft Defender for Cloud provide.
Why Quorum Cyber?
Equipped with market-leading incident response and ransom negotiation teams, Quorum Cyber is well positioned to handle any kind of cyber incident at any time of the day or night. Its threat-led approach is backed by threat intelligence and threat hunting teams, a suite of professional services, and a comprehensive range of managed security services delivered by a Security Operations Centre spanning the US, the UK and Canada. In 2025, Quorum Cyber was recognised as the Microsoft Security Excellence Awards Winner for Security MSSP of the Year.