
LevelBlue
LevelBlue Response to Ransomware Attack on Municipality
Pages: 5
Time to read: 8 mins
Publication:
Language: English
This case study details LevelBlue's response to a ransomware attack on a large local government entity. The attack was attributed to the Royal ransomware group and disrupted critical communications and IT systems. LevelBlue's Managed Threat Detection and Response (MTDR) team was alerted to the incident and opened an investigation in its USM Anywhere platform. Analysts identified the attackers' use of the PsExec utility for remote execution and lateral movement, then worked through the available log data and open-source intelligence to establish how the attackers got in: they had compromised an external-facing Microsoft Exchange server. The incident response team supported the customer throughout, delivering a detailed report on the findings together with recommendations for defending against future ransomware, including replacing end-of-life assets, hardening configurations, and continued monitoring for follow-on threats. The case study emphasizes the value of a prompt incident response and of close collaboration between LevelBlue's SOC and threat intelligence teams.
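The PsExec activity the analysts keyed on leaves well-known artefacts: a Service Control Manager event 7045 ("a service was installed") naming the service PSEXESVC with its binary dropped at the root of %SystemRoot% over the ADMIN$ share, and the \PSEXESVC named pipe (Sysmon events 17/18). The following detection logic over constructed event records is an added example and is not LevelBlue's or USM Anywhere's code; the normalized key=value record format and field names (host, event_id, service_name, image_path, pipe_name) are assumptions.

```python
"""Flag PsExec-style remote execution in normalized Windows event records.

Added illustration, not the case study's own tooling. Indicators used:
  - Event 7045 with service name PSEXESVC or image path ...\PSEXESVC.exe (high)
  - Sysmon 17/18 pipe events naming \PSEXESVC (high)
  - Event 7045 whose binary sits at the root of %SystemRoot% / C:\Windows (medium):
    PsExec run with -r (renamed service) still drops its binary there.
The key=value line format below is an assumed normalization, not a real product schema.
"""
import re
from dataclasses import dataclass

# key=value or key="value with spaces"
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

PSEXEC_SERVICE = re.compile(r"^PSEXESVC$", re.IGNORECASE)
PSEXEC_IMAGE = re.compile(r"\\PSEXESVC\.exe$", re.IGNORECASE)
PSEXEC_PIPE = re.compile(r"\\PSEXESVC$", re.IGNORECASE)
# Service binary directly under the Windows directory (no subfolder): weaker signal.
SYSTEMROOT_DROP = re.compile(r"^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    severity: str
    reason: str


def parse(line: str) -> dict:
    """Turn one key=value record into a dict (quoted values may contain spaces)."""
    return {k: (q or u) for k, q, u in KV.findall(line)}


def analyse(event: dict):
    """Return a Finding for one event, or None if nothing PsExec-like is present."""
    host = event.get("host", "?")
    eid = event.get("event_id")
    if eid == "7045":  # Service Control Manager: a service was installed
        name = event.get("service_name", "")
        path = event.get("image_path", "")
        if PSEXEC_SERVICE.match(name) or PSEXEC_IMAGE.search(path):
            return Finding(host, "high", f"PsExec service installed: {name} -> {path}")
        if SYSTEMROOT_DROP.match(path):
            return Finding(host, "medium", f"service binary at Windows root: {name} -> {path}")
    if eid in ("17", "18"):  # Sysmon: named pipe created / connected
        pipe = event.get("pipe_name", "")
        if PSEXEC_PIPE.search(pipe):
            return Finding(host, "high", f"PsExec named pipe {pipe}")
    return None


def analyse_all(lines):
    """Run the rule over every record and keep only the hits, in input order."""
    return [f for f in (analyse(parse(line)) for line in lines) if f is not None]


def hosts_by_severity(findings, severity):
    """Hosts that produced at least one finding of the given severity."""
    return sorted({f.host for f in findings if f.severity == severity})


# Constructed sample records (raw strings so the backslashes survive as written).
SAMPLE_EVENTS = [
    r'host=EXCH01 log=System event_id=7045 service_name=PSEXESVC image_path="%SystemRoot%\PSEXESVC.exe" account=LocalSystem',
    r'host=FS02 log=Sysmon event_id=17 pipe_name="\PSEXESVC" image="C:\Windows\PSEXESVC.exe"',
    r'host=WS07 log=System event_id=7045 service_name=Spooler image_path="C:\Windows\System32\spoolsv.exe"',
    r'host=DC01 log=System event_id=7045 service_name=svc_upd image_path="C:\Windows\upd.exe"',
    r'host=WS03 log=Sysmon event_id=18 pipe_name="\lsass" image="C:\Windows\System32\svchost.exe"',
]

if __name__ == "__main__":
    for finding in analyse_all(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.host}: {finding.reason}")
```

Run as a script it reports the two high-confidence hits (EXCH01, FS02) and the medium one on DC01, and ignores the legitimate Spooler and svchost records. The medium tier exists because operators often rename the service with `-r`; the root-of-%SystemRoot% drop location is the harder-to-change part of the pattern, so it is worth a lower-severity alert that an analyst can triage against the hosts already flagged.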