Quorum Cyber Employs Microsoft Security Stack to Eradicate Two Threat Actors, whilst Thwarting a Ransomware Attack on an International Business
When a company is hit with ransomware, it needs a specialised cyber security partner with the experience and capabilities to support it through one of the worst challenges in business. When two threat actors breach a business simultaneously, only the best can contain the damage, protect critical data, and help it quickly and safely resume operations.
That was the case when an international professional services company, with highly sensitive customer information and offices worldwide, was attacked in early 2025.
The initial call for support
The company’s insurance carrier contacted Quorum Cyber to lead the forensic investigation begun by the incumbent managed security services provider (MSSP), which had been fighting to regain control of the IT network for several weeks.
The international company had previously received emails from two threat actors – Cactus and RansomHub – both of which operate under the Ransomware-as-a-Service (RaaS) model, each claiming to have penetrated the IT network and stolen data.
While the incumbent MSSP had defended the company for many years using SentinelOne, its service had not evolved with the customer to keep providing adequate security against ever-evolving cybercrime. The international company had outgrown its MSSP and lacked round-the-clock security coverage, both on-premises and across its multi-cloud environment.
Investigating two breaches – and eradicating two adversaries
Following a preliminary assessment, Quorum Cyber found evidence of a full domain compromise by an active, hands-on adversary inside the network with unrestricted access to it. The team judged that the threat actor was poised to encrypt data and therefore advised the company to temporarily cut internet access to two sites, preventing escalation to an encryption event, while the team worked on a remediation strategy that would limit business interruption.
When a threat actor is active in the environment, it is imperative to rapidly gain and maintain operational visibility across the technology estate so that the adversary’s actions can be identified as quickly as possible. Containment is critical in minimising the threat actor’s impact and acts as the last line of defence against long-term financial and reputational harm.
Digital Forensics and Incident Response (DFIR) teams worldwide take a similar approach to containment but often focus their monitoring on endpoint telemetry alone via Endpoint Detection and Response (EDR) tools. While EDR is critically important, we believe that in order to effectively contain an active sophisticated cybercriminal or nation-state, visibility into other telemetry is imperative, including cloud estate and – most critically – the identity and access management platforms which often contain rich evidence related to privilege escalation, lateral movement, and other middle-kill-chain steps present in nearly all serious incidents.
To achieve this, Quorum Cyber’s team deployed additional security tooling and detection capabilities across the on-premises infrastructure and the cloud estate, and provided 24/7 proactive security monitoring via Quorum Cyber’s Emergency Managed Detection and Response (MDR) service, which goes beyond the limitations of an EDR-only approach.
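The point made above about identity telemetry is easiest to see on concrete events. The block below is an added example, not Quorum Cyber’s tooling or any Microsoft product’s logic: it takes a handful of constructed identity-audit events (the pipe-separated layout, role names and thresholds are assumptions standing in for real directory audit and sign-in records) and correlates the two signals that matter most during containment, a privileged-role grant and a rapid logon spread across many hosts by the same account.

```python
"""Identity-telemetry triage during containment: an added example, not code
from Quorum Cyber or from any Microsoft product. The event lines below are
constructed, and their 'ts|kind|account|target|actor' layout is an assumption
standing in for real directory audit and sign-in records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Roles treated as privileged, and the lateral-movement thresholds, are
# assumptions for this example; tune them to the estate being contained.
PRIVILEGED_ROLES = {"Domain Admins", "Enterprise Admins", "Global Administrator"}
SPREAD_WINDOW = timedelta(minutes=10)   # logons this close together...
SPREAD_HOSTS = 3                        # ...to at least this many distinct hosts

SAMPLE_LOG = """\
2025-01-20T02:10:05|role_assigned|svc-backup|Domain Admins|jdoe-admin
2025-01-20T02:14:30|logon|svc-backup|FS01|
2025-01-20T02:16:02|logon|svc-backup|DC02|
2025-01-20T02:19:47|logon|svc-backup|SQL01|
2025-01-20T02:21:10|logon|svc-backup|HR-LAPTOP-7|
2025-01-20T08:00:00|logon|alice|WS-ALICE|
2025-01-20T09:30:00|logon|alice|WS-ALICE|
2025-01-20T12:00:00|logon|bob|FS01|
2025-01-20T17:00:00|logon|bob|SQL01|
"""

@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str       # "logon" or "role_assigned"
    account: str    # account that logged on / received the role
    target: str     # host name for logons, role name for role grants
    actor: str      # who granted the role (empty for logons)

def parse_events(lines):
    """Parse the pipe-separated lines into Events, oldest first."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, kind, account, target, actor = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), kind, account, target, actor))
    return sorted(events, key=lambda e: e.ts)

def find_privilege_grants(events):
    """Every grant of a privileged role during an active intrusion is suspect."""
    return [e for e in events if e.kind == "role_assigned" and e.target in PRIVILEGED_ROLES]

def find_lateral_movement(events, window=SPREAD_WINDOW, min_hosts=SPREAD_HOSTS):
    """Sliding window per account: report (account, window start, hosts) the
    first time an account logs on to min_hosts distinct hosts within window."""
    by_account = defaultdict(list)
    for e in events:
        if e.kind == "logon":
            by_account[e.account].append(e)
    findings = []
    for account, logons in by_account.items():
        start = 0
        for end in range(len(logons)):
            while logons[end].ts - logons[start].ts > window:
                start += 1
            hosts = {e.target for e in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                findings.append((account, logons[start].ts, sorted(hosts)))
                break   # one finding per account is enough for triage
    return findings

def triage(events):
    """Correlate the two signals. A privileged-role grant followed by a logon
    spread from the same account is the mid-kill-chain pattern described in
    the text; each signal on its own is still reported at a lower severity."""
    grants = {e.account: e for e in find_privilege_grants(events)}
    findings, spread_accounts = [], set()
    for account, first_ts, hosts in find_lateral_movement(events):
        spread_accounts.add(account)
        grant = grants.get(account)
        if grant is not None and grant.ts <= first_ts:
            findings.append(("critical", account,
                             f"{grant.target} granted by {grant.actor} at {grant.ts:%H:%M:%S}, "
                             f"then logons to {', '.join(hosts)}"))
        else:
            findings.append(("high", account,
                             f"logons to {', '.join(hosts)} within {SPREAD_WINDOW}"))
    for account, grant in grants.items():
        if account not in spread_accounts:
            findings.append(("medium", account, f"{grant.target} granted by {grant.actor}"))
    return findings

EVENTS = parse_events(SAMPLE_LOG.splitlines())
FINDINGS = triage(EVENTS)

if __name__ == "__main__":
    for severity, account, reason in FINDINGS:
        print(f"[{severity}] {account}: {reason}")
```

On the constructed sample, the service account that is made a Domain Admin and then touches a file server, a domain controller and a database server within five minutes is reported as critical, while the ordinary user logons are not reported at all; endpoint telemetry alone would show each of those logons as an unremarkable event on a different machine.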
Over several weeks, Quorum Cyber collaborated with the customer’s US and UK counsels, its legal and IT teams, and the incumbent MSSP to remediate the threat safely.
A thorough root cause analysis found that the Fortinet FortiGate firewall appliances, which control ingress/egress network traffic and VPN connectivity for the IT network, were running firmware susceptible to two authentication-bypass vulnerabilities in the appliances’ administrative interface: CVE-2024-55591, which was exploited in the wild as a zero-day before Fortinet published it on 14th January 2025, and CVE-2025-24472, published by Fortinet in February 2025.
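Fortinet’s advisory for CVE-2024-55591 describes the traces the bypass leaves on the appliance: administrative logins recorded with the user interface jsconsole but a loopback or arbitrary spoofed source address, and new administrator accounts created over that same jsconsole session. The block below is an added example, not Quorum Cyber’s or Fortinet’s code, that parses FortiGate’s key=value event-log format and flags those two patterns. The four log lines are constructed in that format; the management subnet, account names and timestamps are assumptions.

```python
"""FortiGate event-log triage for the indicators in Fortinet's CVE-2024-55591
advisory: an added example, not Quorum Cyber's or Fortinet's code. The log
lines are constructed in FortiGate's key=value syslog layout; the admin
network, account names and timestamps are assumptions."""
import ipaddress
import re

# Where legitimate administrators connect from (assumption: adjust to the real
# management subnet). jsconsole logins from anywhere else, and above all from
# loopback or from arbitrary public addresses, match the advisory's indicators.
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

SAMPLE_LOGS = """\
date=2025-01-12 time=03:11:02 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=127.0.0.1 dstip=127.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
date=2025-01-12 time=03:11:40 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgpath="system.admin" cfgobj="svc_mgmt" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin svc_mgmt"
date=2025-01-12 time=08:02:15 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.20.1.5)" method="https" srcip=10.20.1.5 dstip=10.20.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.20.1.5)"
date=2025-01-12 time=08:05:00 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="netops" ui="jsconsole" method="jsconsole" srcip=10.20.1.5 dstip=10.20.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator netops logged in successfully from jsconsole"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fortigate_line(line):
    """Turn 'key=value key="quoted value" ...' into a dict without the quotes."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV_RE.findall(line)}

def source_is_suspicious(srcip):
    """Loopback, unparsable, or outside the expected admin networks."""
    try:
        addr = ipaddress.ip_address(srcip)
    except ValueError:
        return True
    return addr.is_loopback or not any(addr in net for net in ADMIN_NETWORKS)

def triage_fortigate_logs(lines):
    """Return (indicator, subject, detail) tuples for lines matching the IoCs."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_fortigate_line(line)
        ui = f.get("ui", "")
        if not ui.startswith("jsconsole"):
            continue    # both indicators are tied to the jsconsole interface
        if f.get("logdesc") == "Admin login successful" and source_is_suspicious(f.get("srcip", "")):
            findings.append(("jsconsole_login_suspicious_src", f.get("user"), f.get("srcip")))
        elif (f.get("logdesc") == "Object attribute configured"
              and f.get("cfgpath") == "system.admin" and f.get("action") == "Add"):
            findings.append(("admin_account_added_via_jsconsole", f.get("cfgobj"),
                             f"by {f.get('user')} from {ui}"))
    return findings

FINDINGS = triage_fortigate_logs(SAMPLE_LOGS.splitlines())

if __name__ == "__main__":
    for indicator, subject, detail in FINDINGS:
        print(f"{indicator}: {subject} ({detail})")
```

The legitimate jsconsole login from inside the management subnet is deliberately left unflagged: jsconsole is the GUI’s CLI widget and has normal uses, so it is the combination with an impossible source address, or with a newly created super_admin account, that matters. Patching alone does not remove an account the attacker already created, which is why the remediation list above includes credential resets and backdoor removal as well as firmware updates.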
Quorum Cyber took several remediation steps to mitigate the incident, including:
- Decommissioning compromised IT systems
- Creating new IT systems for critical business services
- Providing guidance regarding credential resets
- Identifying and removing malicious backdoors
- Patching vulnerable network appliances
- Closing configuration gaps to improve overall security posture
- Conducting a comprehensive forensic investigation to support regulatory obligations.
Within six weeks of the engagement's start, Quorum Cyber had neutralised all threats and ended negotiations with both cybercriminal groups. No further unauthorised activity has been detected within the customer’s IT environments since the initial call. The engagement earned considerable trust from the customer, which is now free of the two adversaries and, with the Emergency MDR service in place, continuously monitored against further attacks.
Quorum Cyber’s range of skillsets, including incident response and ransom negotiation, coupled with its containment-monitoring expertise, ensured that the situation was contained quickly. The two threat actors were eradicated from the systems and security was reinforced so that the same types of attack are unlikely to succeed again.
In addition to the technical expertise provided, Quorum Cyber’s team also delivered an executive briefing of the whole incident and advised on crisis communications to key stakeholders within the business and externally.
Uncovering historical security lapses
During the investigation using the Microsoft Security stack, Quorum Cyber flagged a number of serious issues which amounted to a lack of security across the IT estate:
- EDR was not implemented on every system
- IT networks had not been segmented
- Multi-factor authentication (MFA) had not been adopted
- Identity and Access management controls needed improvement to limit privileges to just those required
- Cloud estates, on-premises assets, endpoints and network security infrastructure lacked hardening and secure architecture, and vulnerability management was inconsistent
- Dearth of security controls
- Security tools were improperly configured, making them ineffective.
These gaps left the company exposed, and the many tools already in place would not have given any security provider the complete visibility of the IT estate, across endpoints, identity and cloud, that Microsoft 365 Defender, Microsoft Defender for Identity and Microsoft Defender for Cloud provide.
Why Quorum Cyber?
Equipped with market-leading incident response and ransom negotiation teams, Quorum Cyber is well positioned to handle any kind of cyber incident at any time of the day or night. Its threat-led approach is backed by threat intelligence and threat hunting teams, a suite of professional services, and a comprehensive range of managed security services delivered by a Security Operations Centre spanning the US, the UK, and Canada. In 2025, Quorum Cyber was recognised as the Microsoft Security Excellence Awards Winner for Security MSSP of the Year.
Safeguarding Retail Supply Chains and Data in the Face of Ransomware
Situation overview
Imagine a business at the heart of the UK’s retail ecosystem, providing the systems that underpin food safety and employee wellbeing across thousands of sites. This multinational, trusted to process and protect sensitive medical and personal information, suddenly faces a high-stakes ransomware attack: all servers and endpoints down and the integrity of the entire supply chain, including industrial refrigeration, lighting, and critical systems now at risk. Compounding the crisis, the possibility of leaked confidential health data threatened the company’s reputation and compliance standing.
Strategic response: partnership in action
Recognising the critical business implications, from regulatory repercussions to brand trust and operational continuity, the company immediately engaged Quorum Cyber and legal breach counsel. The mission: to contain the threat, discover what had happened and enable secure, rapid recovery.
Key business objectives
- Rapidly identify and close the entry point to contain financial and reputational damage
- Confirm whether customer and medical data was accessed or exfiltrated, limiting legal and regulatory exposure
- Verify that industrial control systems, essential to every supermarket’s operations, remained uncompromised
- Restore business operations with minimal downtime
Execution and assurance
Fast-tracked digital forensics & monitoring
Quorum Cyber deployed remote forensic tools to swiftly gather time-critical evidence from operational systems, while working offline with preserved disk images from affected devices. Within hours, the organisation was onboarded into Quorum Cyber’s Security Operations Centre (SOC). Microsoft Defender and Microsoft Sentinel were rapidly deployed, enabling round-the-clock monitoring.
Uncovering the attacker’s playbook
Our experienced team of cyber investigators traced the blueprint of the attack and discovered:
- Initial Access: The attackers gained entry by exploiting leaked credentials and abusing VPN access, bypassing perimeter security with legitimate-looking logins.
- Lateral Movement & Privilege Escalation: Once inside, they methodically navigated the environment, escalating privileges and probing connected systems to maximise their reach.
- Domain Trust Exploitation: Leveraging established trust relationships between global business units, the threat actors moved seamlessly from one region to another, demonstrating a deep understanding of the organisation’s infrastructure.
- Stealth and Persistence: For nearly two months, the attackers operated undetected, carefully gathering intelligence, exfiltrating sensitive data, and setting the stage for their ransomware deployment.
- Orchestrated Ransomware Detonation: Only after ensuring maximum impact did they trigger the ransomware, effectively disrupting operations at the most vulnerable moment.
By dissecting each stage, we not only restored business functionality but also provided actionable insights to harden defences against future threats.
Business continuity for the supply chain
Recognising that industrial refrigeration and logistics directly affect food security, Quorum Cyber undertook forensic analysis of over 700 industrial control systems (ICS) endpoints. After exhaustive examination, we issued a formal attestation that no evidence of compromise had been found in these critical environments, allowing our client to assure partners and regulators that food supplies were never at risk.
Protecting customer confidence
Intensive analysis of the servers holding sensitive data showed that, although exfiltration had been attempted, there was no evidence of large-scale exfiltration from key databases. This enabled fast, transparent communication with stakeholders and regulatory bodies, preserving trust and mitigating legal exposure.
Lessons in leadership and resilience
Throughout the crisis, Quorum Cyber operated as a proactive advisor, delivering real-time tactical guidance and sharing up-to-the-minute attacker Indicators of Compromise. With our recommendations, the company not only remediated the breach, but emerged with enhanced security posture and renewed confidence from its leadership, partners, and customers.
The takeaways
- Preparation and Partnership Matter: Rapid engagement with trusted cyber security and legal experts can fundamentally change outcomes in a crisis.
- Business-Critical Infrastructure is a Prime Target: Safeguarding industrial systems must be an executive priority, as the downstream impact extends to supply chains and public wellbeing.
- Resilience is a Competitive Advantage: The ability to respond decisively, communicate transparently and recover securely turns a crisis into an opportunity to demonstrate leadership.
Safeguarding an American Oil & Gas Retailer’s Future
Identifying threats from inside the business
A mid-sized oil and gas retailer in the US faced a significant internal security threat that jeopardised its operational integrity and financial standing. The company identified two employees who were engaged in illicit activities, including the trade of gift cards on the dark web and conducting fraudulent online transactions. Additionally, these internal threat actors submitted false expense receipts, one of whom held a critical leadership position within the IT Department, increasing the complexity and risk of the situation.
Containing the threats
Quorum Cyber was brought in to collect and preserve critical forensic evidence to enable the company to pursue legal action against the threat actors.
To address these challenges, onsite IT resources were tasked with eliminating every access path the threat actors had used. A comprehensive inventory and security overhaul of the company's entire IT infrastructure was conducted to ensure no vulnerabilities remained. To maintain operational stability, Quorum Cyber provided 30 days of continuous IT services to assist end users during the transition.
Three positive outcomes
The strategic interventions led to several positive results for the company:
- Prevention of Future Threats: By implementing rigorous access control measures, the company effectively thwarted potential reattacks, securing its operations against internal threats.
- Comprehensive Forensic Investigation: Quorum Cyber delivered an in-depth forensic analysis of the threat actors' activities, providing valuable insights and evidence to support legal proceedings.
- Operational Continuity: Throughout the remediation process, the company ensured the continuous and smooth operation of its day-to-day activities, minimising disruptions and maintaining business as usual.
By addressing the internal security threats with decisive action and robust solutions, the oil & gas retailer protected its assets and reputation from harm and also reinforced its commitment to maintaining a secure and trustworthy business environment.
Contact us if you need help to strengthen your company's cyber security.
Strengthening Security for a National Food Retailer
Services provided
To assess and enhance the security posture of a national food retailer in the US, Quorum Cyber conducted a comprehensive security evaluation, including:
- Internal Penetration Testing: Evaluating internal network vulnerabilities to identify potential exploitation paths
- External Penetration Testing: Assessing external-facing systems to uncover vulnerabilities that could be targeted by external attackers
- Web Application Assessment: Reviewing web applications for security flaws that could compromise data integrity and user privacy.
Assessing vulnerabilities
The security assessment revealed several critical and high-risk vulnerabilities:
- Critical Vulnerabilities:
- The penetration testers identified and exploited a vulnerability that allowed for remote code execution, posing a severe threat to system integrity
- Another vulnerability permitted direct, unauthenticated access to iSCSI storage targets, which could lead to unauthorised access to and manipulation of the data stored on them.
- Medium- and High-Risk Findings:
- Unencrypted protocols such as Telnet were exposed, allowing unauthorised login attempts and leaving the network open to potential breaches
- Access to configuration backups was possible, risking the exposure of sensitive configuration details and system settings
- The ability to view and manipulate internal cameras was uncovered, highlighting the risk of unauthorised surveillance and privacy breaches.
Resolution and collaboration
To address these findings, Quorum Cyber worked closely with the retailer to develop tailored solutions that effectively mitigated the identified risks:
- Solution Development: Collaborated with the client to identify and implement right-sized solutions, ensuring each vulnerability was addressed appropriately based on its risk level and impact
- Security Enhancement: Provided strategic recommendations to improve protocols, secure data access points, and enhance overall network security measures.
Through a thorough assessment and collaborative resolution process, the national food retailer was able to significantly strengthen its security posture, safeguarding its operations and customer data against potential threats. This engagement underscored the importance of proactive security measures and ongoing risk management in the retail industry.
Get in touch if you need help to strengthen your company's cyber resilience.
US University Negotiates Multiple Cyber Security Challenges
Facing a daunting challenge
A leading university in the US faced multiple cyber security challenges that threatened its operations and data integrity. Limited evidence was available because much of it had been encrypted, complicating efforts to trace and resolve the security incidents. The university also had to manage the expectations of various stakeholders while dealing with an aggressive threat actor responsible for two distributed denial-of-service (DDoS) attacks. Additionally, the absence of firewall logs and file-server records with which to establish data exfiltration posed significant challenges.
Bringing in a cyber security specialist
Needing to act swiftly, the university adopted a pragmatic approach, working with all available resources, and brought in Quorum Cyber to manage its cyber security response. Quorum Cyber was engaged to enhance system management, and areas such as Microsoft Office 365 review and triage were prioritised for rapid action. To manage expectations, daily updates and written reports were provided to stakeholders. Negotiations with the threat actor were used to obtain evidence of what data had been exfiltrated, ensuring transparency and accountability. Notably, the university decided not to make any ransom payment.
Safeguarding the university
Despite the complexities, the university achieved several key outcomes:
- Comprehensive Analysis: Examination of logs confirmed several security incidents, including compromised accounts, lateral movement, and the presence of a ransomware payload
- Partial Restoration: Some devices were restored before evidence collection was complete, a trade-off that sped up recovery at the cost of forensic completeness
- Data Handling: The university received samples of files and downloaded leaked data, providing insights into the breach's impact
- Stakeholder Satisfaction: The university’s board approved the decision not to pay a ransom to the cybercriminals.
The university's proactive measures and commitment to transparency allowed it to navigate the cyber security incident while minimising financial loss. Although some data was compromised, the university's ability to restore operations and provide detailed analyses underscored its resilience and dedication to safeguarding its students, researchers, staff, and its reputation.
Contact us if you would like to discuss any aspects of your organisation's cyber security.
US University Navigates Data Recovery Challenges
Data encryption at exam finals time
A leading university faced a critical situation when its ESXi servers and the virtual machines running on them were encrypted by a cyber-attack. The incident coincided with a particularly challenging period, as it occurred during exam finals and the holiday season. Many students were using loaned devices and were off-campus, complicating communication and coordination efforts. The university decided against purchasing a ransomware decryptor, necessitating an alternative recovery strategy. Additional challenges included the university staff's unfamiliarity with their IT environment and broken trust between domain controllers, further complicating recovery efforts.
Planning and implementing recovery strategy
To address these challenges, the university implemented a comprehensive recovery strategy which involved the support of Quorum Cyber. The university’s strategy comprised:
- Infrastructure Rebuild: The university rebuilt its ESXi hosts using backups stored on Amazon Web Services (AWS), ensuring that critical infrastructure components were restored
- Expert Recovery Teams: Quorum Cyber’s team restored the university's environment to enhance recovery efforts and ensure a thorough and efficient process
- Security Software Deployment: Enhanced endpoint security and monitoring capabilities were deployed across the university's network.
An outstanding recovery
Through these targeted efforts, the university was able to achieve significant recovery milestones:
- Infrastructure Restoration: The rebuilding of ESXi hosts from AWS backups allowed the university to regain control over its IT infrastructure, restoring essential services and systems.
- Collaborative Recovery Effort: The involvement of expert recovery teams facilitated a coordinated and effective response, demonstrating the importance of collaboration in crisis situations.
- Enhanced Security Posture: Improved the university's security posture, providing greater protection against future threats.
The university's swift and strategic response to the cyber-attack enabled the institution to overcome significant challenges during a critical time. By leveraging expert resources and prioritising infrastructure restoration, the university successfully navigated the recovery process, underscoring its commitment to resilience and the protection of its academic community.
Contact us if you would like to strengthen your organisation's cyber security or cyber resilience.
Enhancing Security for a US Utilities Company
The looming threat of a ransomware attack
A utilities company in the US faced a significant cyber security threat and the looming risk of a LockBit ransomware attack. With over 350 hosts potentially at risk and compromised domain controllers, the company needed an urgent and effective response to secure its network and protect its operations.
Activating a defence strategy
To address these challenges, the company brought in Quorum Cyber and implemented a multi-faceted security strategy:
- Device Isolation: Impacted devices were immediately isolated to prevent further spread and minimise the impact on critical systems
- Proactive Threat Hunting: The company conducted proactive threat hunting to identify potential vulnerabilities and threats before they could escalate
- Falcon Platform Utilisation: CrowdStrike Falcon endpoint detection and response (EDR) was deployed to identify and prioritise vulnerable hosts, enabling targeted remediation and strengthening overall security posture.
Positive outcomes and a long-term managed services contract
The comprehensive security measures led to several positive outcomes:
- Network Security Enhancement: The company successfully secured its entire network, mitigating the immediate threat and bolstering defenses against future attacks.
- Collaborative Remediation: Quorum Cyber’s close collaboration with the business ensured that compromised systems were remediated efficiently and returned to full operational status.
- Long-Term Partnership: Impressed by the effective response and improved security, the utility firm signed up for a long-term engagement with Kivu (now part of Quorum Cyber), demonstrating confidence in the company's ability to provide ongoing protection and support.
Through strategic action and collaboration, the utility company overcame the immediate cyber security threat and also established a robust security framework that supports its long-term operational integrity.
Contact us if you need help to strengthen your company's cyber security.
Managing Multiple Stakeholders During Ransomware Response
Introduction
The network of a small, privately held provider of heating, ventilation and air conditioning (HVAC) services was infected with Ryuk ransomware, leaving the company unable to run backend sales processes such as quoting and billing. Quorum Cyber was called in to clear the malware from all affected devices and restore their systems.
The challenge
The customer’s entire IT environment was managed by a regional managed service provider (MSP), which was found to be running legacy systems on the customer’s servers, including Windows Server 2003. In addition, the only risk management measures in place were a firewall and basic anti-virus software. Ten months prior to the incident, two banking trojans, Emotet and TrickBot, had been installed on the system via a phishing email. These gave the attackers the foothold from which they subsequently deployed the Ryuk ransomware variant in late January 2020.
The MSP detected the ransomware attack and notified the company, which then contacted their insurer. By the time Quorum Cyber became involved, 12 servers were encrypted and 58 workstations were infected with either banking trojans or ransomware. This represented about 75% of the customer’s total endpoints, and left them unable to perform crucial financial transactions. No customer data was accessed or stolen.
Quorum Cyber’s response and solution
The majority of Quorum Cyber’s work was conducted remotely, linking to the customer’s onsite data centre via secure online connections. Quorum Cyber coordinated communication between the customer and the MSP, which struggled to provide system information and backups due to insufficient technical expertise. During the engagement:
- Quorum Cyber sent two incident response (IR) analysts for the initial IR phase, followed by five PBR responders for the remediation phase
- The IR team ran forensic imaging, collected evidence, and deployed KECT and endpoint detection and response (EDR) software
- The PBR team reimaged and decrypted the servers and workstations, ultimately deploying the backups to restore the company’s systems.
Outcome
Despite the incurred costs, the overall business interruption was significantly reduced by Quorum Cyber’s quick IR and remediation work paired with EDR deployment. In summary:
- No ransom had to be paid, as Quorum Cyber restored systems from backups
- EDR was installed and ran for a month to prevent secondary attacks
- Fifty-eight workstations were restored within four days over the weekend and were back online and fully operational by close of business on Monday
- The period of loss caused by business interruption was reduced by three weeks.
Outmanoeuvring Persistent Threat Actors in the Chemical Industry
Introduction
A small US-based chemical manufacturer, whose supply chain includes more than 50 household names in chemicals, was targeted with ProxyShell, a then-new chain of Microsoft Exchange Server vulnerabilities that followed the ProxyLogon attacks attributed to HAFNIUM earlier in 2021 and again exposed companies’ on-premises email to unauthenticated compromise. The 24x7 security monitoring service of Kivu (acquired by Quorum Cyber in 2024) flagged the ProxyShell activity, and within 48 hours Kivu and the chemical company had remediated it and hardened the company’s stance against this attack surface and future attacks.
The challenge
HAFNIUM is a Chinese state-sponsored threat actor focused on information theft and espionage; it exploited the earlier ProxyLogon flaws in Exchange in the spring of 2021. ProxyShell was found by the same security researcher, Orange Tsai, who presented it in detail at Black Hat USA in August 2021. It chains three further vulnerabilities: CVE-2021-34473 (a pre-authentication path confusion in the Autodiscover front end), CVE-2021-34523 (privilege elevation on the Exchange PowerShell backend) and CVE-2021-31207 (a post-authentication arbitrary file write via mailbox export). Together they let an unauthenticated attacker execute code remotely on the mail server and plant a web-shell backdoor, gaining the “keys to the castle”: reading and releasing email, exfiltrating data and then moving on to take over the whole company network from the inside out.
Kivu’s response and solution
Alerted by the monitoring service that the activity was a new exploitation technique rather than a known bad actor, Kivu’s team acted immediately. By analysing log and server files, the team identified the new indicators of compromise (IOCs) associated with ProxyShell activity. Kivu isolated the affected server from the company’s operational systems, keeping it reachable only by Kivu’s responders, preventing further spread.
Kivu then worked with the company’s two-person IT department, following Microsoft and industry guidance, to rebuild the mail server in a hardened configuration. Kivu consultants consolidated the techniques used in this ProxyShell attempt, together with Microsoft’s input and forward-looking recommendations, into a shared threat intelligence and reporting platform, so that the knowledge was shared quickly internally and then with other Kivu clients that might have been affected or were about to be attacked. Much of this work was done in 48 hours over a weekend.
Kivu applied this threat profile across its customer base, identifying those with on-premises Exchange mail servers, alerting nine others at risk, stopping further ProxyShell exploitation attempts and supporting Kivu’s digital forensics and incident response efforts at large.
Outcome
Because it had Kivu’s Cyber-as-a-Service 24x7 threat monitoring in place, the company:
- Rapidly identified a brand new risk (under two days old) and remedied the situation
- Prevented the risk of account hijacking and man-in-the-middle attacks on email, which could have led to fraud
- Avoided business downtime and maintained its 99% service level agreement (SLA).
Strengthening Security for a Managed Cloud Service Provider
Hit by a ransomware attack
A Canadian managed cloud service provider faced a severe security breach when a ransomware attack infiltrated their systems. The attack was initiated through a vulnerability in a business partner’s customer system, leading to the encryption of all data managed by the provider. Having recently acquired new infrastructure, the provider was operating with limited tooling and lacked a log retention strategy, complicating its ability to respond effectively to the breach.
Identifying and mitigating the threats
To counter the ransomware attack, the provider worked with Kivu, a Quorum Cyber company, to rapidly deploy endpoint detection and response (EDR) to identify and mitigate the threat. Kivu also handled the negotiations and facilitated the payment, enabling the successful decryption of the compromised data. Kivu then conducted a thorough forensic analysis to identify the initial point of compromise, known as "patient zero".
Recovering with stronger security
The interventions led to several significant outcomes:
- Enhanced Security Monitoring: The provider established 24/7 Managed Detection & Response (MDR) coverage, ensuring continuous monitoring and rapid threat detection.
- Operational Restoration: All operations were successfully restored, allowing the provider to resume normal business activities without further disruptions.
- Legal Support: A critical forensic timeline was developed to aid the provider in its legal proceedings, offering detailed insights into the breach.
- Infrastructure Security Reinforcement: The Canadian company reconstructed its infrastructure with a strong emphasis on security defence principles, reducing vulnerabilities and strengthening its overall security posture.
By swiftly addressing the ransomware attack and implementing robust security measures, the managed cloud service provider restored its operations and also fortified its defences against future threats, ensuring the integrity and reliability of its cloud services.
Get in touch if you would like to talk through any of your cyber security needs.