Finally, the attacker’s greediness and aggressive manual scavenging paid off in a massive way. While exploring the Domain Controller on Day 1, the attacker stumbled upon an internally generated Active Directory audit report
By simply opening this file, the threat actor was handed a comprehensive map of the network’s security posture, misconfigurations, and privilege escalation paths. They didn’t need to run loud AD enumeration tools themselves right away; the defenders had already done the hard work for them.
While the huge effort made by the threat actor on exfiltration of data clearly pointed to an extortion attempt, the attacker’s toolkit revealed their ultimate, destructive goal. Threat actors know that to successfully force a ransom payment, they must destroy an organization’s ability to recover.
To this end, the attacker dropped a PowerShell script named Veeam.ps1 onto the file server. While we were unable to recover the script itself for deep analysis, we have high confidence it was utilized to actively scan the environment and identify servers running Veeam backup software. Shortly after this reconnaissance script was executed, the attacker downloaded an exploit payload for CVE-2023-27532—a critical vulnerability in the Veeam Backup & Replication component that allows an attacker to extract encrypted credentials directly from the configuration database.
However, this is where routine IT maintenance saved the day. The threat actor attempted to fire the exploit, but the organization’s Veeam infrastructure had already been updated to a patched version. The exploit failed completely, resulting only in an application crash logged by the system. This serves as a textbook example of why timely patch management is a critical layer of defense: it directly breaks the ransomware kill chain before the encryption phase can even begin.
Conclusion
This 120-hour intrusion serves as a stark reminder of the realities of the modern threat landscape. The entire incident traces back to a single, critical vulnerability: an unpatched edge device. Today, vulnerable VPN appliances and firewalls remain the undisputed primary entry points for ransomware operators, emphasizing that perimeter hygiene is no longer optional.
Furthermore, this case highlights the double-edged sword of partial security deployments. Because Endpoint Detection and Response (EDR) agents were not deployed across all the environment, the attacker found the blind spots necessary to map the network and successfully exfiltrate sensitive data. However, the existing EDR coverage saved the organization from a complete exfiltration and encryption. The threat actor was too confident and dropped malware on system onboarded on the EDR solution allowing detection and response.
Finally, this investigation paints a clear picture of this specific Devman 2.0 operator’s profile: a low-to-medium technical proficiency heavily propped up by a reliance on classic, open-source toolkits. While they successfully weaponized standard utilities like NetScan, Mimikatz, and Rclone, their execution crumbled when attempting more complex operations. The severe misconfiguration of their not needed C2 implants (Sliver and Meterpreter), combined with glaring OpSec failures like leaving plaintext configuration on the disk, proves that even inexperienced and sloppy attackers can cause massive damage if given the opportunity.
In the end, it was a combination of the attacker’s impatience and the defender’s swift EDR response that prevented a catastrophic ransomware deployment.
Lesson learned for IR team
During the critical early hours of the incident, the organization’s system administrators were unavailable, forcing our incident response team to operate almost entirely through the existing EDR solution. While EDR platforms are invaluable for immediate containment, they inherently lack the deep forensic visibility required to pull certain granular artifacts.
To bridge this visibility gap, our team attempted to dynamically push and execute Velociraptor to gather comprehensive triage data. However, this introduced a significant operational bottleneck, the EDR solution was capped on the amount of data we can download. Forcing us to split the velociraptor archive in multiple parts. This resulted in a highly manual and time-consuming process, causing significant friction during a live Incident Response engagement. .
Incident response teams must pre-engineer offline collection tools (like Velociraptor) that are explicitly configured to upload directly to a controlled, external storage bucket. The incident response team can also build a specific configuration of their collection tool to collect only the most important artefacts not covered by EDR and generate an archive as small as possible. Crucially, defenders must thoroughly test these capabilities in advance to ensure forensic data can be successfully exfiltrated even while a host remains in strict network isolation by the EDR.
Timeline