Delaying security updates and neglecting regular reviews created vulnerabilities that attackers exploited, resulting in a severe ransomware incident.
- Initial access via FortiGate Firewall SSL VPN using a dormant account
- Deployed a persistent backdoor (“svchost.exe”) on the failover server and conducted lateral movement via RDP.
- Exploitation attempts against CVE-2023-27532 were followed by activation of xp_cmdshell and creation of a rogue user account.
- Threat actors made use of NetScan, AdFind, and various tools provided by NirSoft to conduct network discovery, enumeration, and credential harvesting.
- Windows Defender was permanently disabled using DC.exe, followed by ransomware deployment and execution with PsExec.exe.
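As an added defender-side example (not part of the original summary), the attack stages listed above can be expressed as detection logic. The block below applies one rule per observed stage (shell spawned by SQL Server as the xp_cmdshell signal, `net user ... /add`, known discovery tools, DC.exe or `Set-MpPreference` tampering, PsExec binaries) to constructed process-creation events in a Sysmon/4688 style, then correlates hits into an incident candidate with a simple weighted score. The sample hosts, users, timestamps, paths and stage weights are assumptions for illustration only.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (Sysmon EID 1 / Security 4688 style).
# Illustrative records only, not data from the incident described above.
SAMPLE_EVENTS = [
    {"ts": "2024-03-02T01:12:05", "host": "SQL01", "user": "NT SERVICE\\MSSQLSERVER",
     "parent": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15\\MSSQL\\Binn\\sqlservr.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2024-03-02T01:13:40", "host": "SQL01", "user": "NT SERVICE\\MSSQLSERVER",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net user backupadm P@ss /add"},
    {"ts": "2024-03-02T01:20:11", "host": "SQL01", "user": "CORP\\backupadm",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\backupadm\\Downloads\\adfind.exe", "cmdline": "adfind.exe -f objectcategory=computer"},
    {"ts": "2024-03-02T01:45:00", "host": "DC01", "user": "CORP\\backupadm",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Temp\\dc.exe", "cmdline": "dc.exe"},
    {"ts": "2024-03-02T01:46:30", "host": "DC01", "user": "CORP\\backupadm",
     "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\PSEXESVC.exe", "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    # Benign: a helpdesk user inspects an account (no /add), must not fire.
    {"ts": "2024-03-02T09:00:00", "host": "WS07", "user": "CORP\\helpdesk",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net user jsmith"},
]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# One rule per stage observed in the summary: (stage, description, predicate).
RULES = [
    ("xp_cmdshell", "shell spawned directly by sqlservr.exe (xp_cmdshell use)",
     lambda e: (_basename(e["parent"]) == "sqlservr.exe"
                and _basename(e["image"]) in {"cmd.exe", "powershell.exe"})),
    ("account_creation", "account created with net.exe /add",
     lambda e: (_basename(e["image"]) in {"net.exe", "net1.exe"}
                and re.search(r"\buser\b.*\s/add\b", e["cmdline"], re.I) is not None)),
    ("discovery", "known discovery/enumeration tool executed",
     lambda e: _basename(e["image"]) in {"netscan.exe", "adfind.exe"}),
    ("defender_tamper", "DC.exe run or Set-MpPreference used to disable real-time protection",
     lambda e: (_basename(e["image"]) == "dc.exe"
                or re.search(r"set-mppreference.*disablerealtimemonitoring", e["cmdline"], re.I) is not None)),
    ("psexec", "PsExec client or service binary",
     lambda e: _basename(e["image"]) in {"psexec.exe", "psexec64.exe", "psexesvc.exe"}),
]

# Assumed weights: tampering with the EDR/AV and post-exploitation footholds score highest.
STAGE_WEIGHT = {"xp_cmdshell": 3, "account_creation": 3, "discovery": 1,
                "defender_tamper": 4, "psexec": 2}


def detect(events):
    """Return one finding per (event, rule) match."""
    findings = []
    for e in events:
        for stage, desc, pred in RULES:
            if pred(e):
                findings.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                                 "stage": stage, "desc": desc, "cmdline": e["cmdline"]})
    return findings


def correlate(findings, window=timedelta(hours=24)):
    """Cluster findings in time order; hits within `window` of a cluster's first hit join it.

    Each cluster records the distinct stages seen (in first-seen order), the hosts
    involved and a score, so a multi-stage chain across hosts stands out from a
    single isolated hit.
    """
    incidents = []
    for f in sorted(findings, key=lambda f: f["ts"]):
        t = datetime.fromisoformat(f["ts"])
        if incidents and t - incidents[-1]["start"] <= window:
            inc = incidents[-1]
        else:
            inc = {"start": t, "hosts": set(), "stages": [], "score": 0}
            incidents.append(inc)
        inc["hosts"].add(f["host"])
        if f["stage"] not in inc["stages"]:
            inc["stages"].append(f["stage"])
            inc["score"] += STAGE_WEIGHT[f["stage"]]
    return incidents


if __name__ == "__main__":
    for inc in correlate(detect(SAMPLE_EVENTS)):
        print(inc["start"], sorted(inc["hosts"]), inc["stages"], "score", inc["score"])
```

The rules deliberately key on parent/child relationships and file names rather than full paths, since renamed copies in user-writable directories are common; a real deployment would add hash- and signature-based checks and feed the per-incident score into alert prioritisation.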