- Project : Qilin Ransomware Response
- Company : Merabytes
- Sector : Industrial
- Date : 19 August, 2025
- Duration : Immediate response
info@merabytes.com
Real case: Industrial sector company in Spain victim of Qilin Ransomware (client name omitted for confidentiality)
🔑 Key points
| Time (CET) | Event |
|---|---|
| 02:17 | Exploitation of vulnerability CVE-2024-21762 (FortiOS SSL-VPN – out-of-bounds write). The attacker gains remote command execution on Fortinet firewall exposed to the Internet. |
| 02:21 | Escalation via CVE-2024-55591 (auth bypass). Administrator-privileged accounts are created on the device. |
| 02:40 | Use of captured credentials to pivot to the internal network. Attackers establish persistence via TeamViewer and AnyDesk hidden on critical systems. |
| 03:10 | Lateral movement using PsExec and RDP. Logs are disabled and vssadmin delete shadows is executed on multiple endpoints. |
| 03:45 | Encryption begins with Qilin. Files receive custom extensions and the ransom note appears. |
| 04:00 | Attackers begin exfiltrating sensitive data to external servers. |
| 04:20 | Qilin RaaS panel shows “status: encrypted”. The client receives instructions along with the “Call Lawyer” option (ironic Qilin service to pressure victims in legal negotiation). |
🧩 Observed tactics
- Initial Access (T1190) – Exploitation of vulnerabilities in Fortinet FortiOS/FortiProxy (CVE-2024-21762, CVE-2024-55591).
- Persistence (T1136 / T1547) – Creation of new accounts on devices and deployment of backdoors (TeamViewer, AnyDesk).
- Privilege Escalation (T1068) – Escalation to admin via FortiOS auth bypass.
- Defense Evasion (T1070.004) – Deletion of logs and shadow copies.
- Lateral Movement (T1021) – Use of RDP and PsExec.
- Exfiltration (T1041) – Data theft for double extortion.
- Impact (T1486) – Encryption of critical systems with AES-256 / RSA-2048.
💥 Impact on the victim
- Encryption of most production servers in less than 2 hours.
- Loss of internal backups (shadow copies deleted).
- Exfiltration of production patents and industrial customer data.
- Partial shutdown of critical lines with daily losses > €30K.
- Added psychological pressure from Qilin’s “Call Lawyer” module, where they explained possible legal sanctions if not paid (double extortion).
🛡️ How it would have changed with Merabytes?
| Merabytes Defense Area | How it would have acted | Expected result |
|---|---|---|
| Identity protection (Cisco Duo 2FA on devices and accounts) | Immediate blocking of unvalidated RDP and VPN access, even with stolen credentials. | Initial vector is cut off. |
| Endpoint Protection with anti-ransomware rules | Stopping mass encryption processes, execution of vssadmin delete shadows and killing suspicious payloads. |
Encryption stops at initial hosts. |
| Continuous Active Directory analysis | Alerts of privileged account creation and anomalous logins from foreign IPs. | Rapid containment before lateral movement. |
| Backdoor hunting (TeamViewer, AnyDesk, etc.) | Identification and removal of hidden remote access tools. | Removal of attacker persistence. |
| Continuous vulnerability analysis | Prior detection of CVE-2024-21762 and CVE-2024-55591 in Fortinet, with early warning and recommended patching. | Attack prevented before exploitation. |
📚 Lessons learned
- Exposing unpatched Fortinet is playing Russian roulette. Qilin is automating exploits and mass attacking Spanish-speaking countries.
- An annual pentest doesn’t detect newly published critical vulnerabilities. The only way is continuous analysis.
- Attackers no longer limit themselves to encryption. They now include “legal” services to increase pressure.
- Persistence with common backdoors (AnyDesk, TeamViewer) remains trendy. If you don’t actively look for them, you won’t find them.
Conclusion
The attack was successful because there was no adaptive defense or continuous monitoring. With Merabytes, the story would have ended differently:
- Fortinet exploits would have been patched earlier.
- Remote access would have been blocked with Cisco Duo.
- Ransomware would not have passed the first host thanks to anti-ransomware rules.
If you’re interested in accessing other private reports or specific rules for EDR/XDR, visit merabytes.com and request access to our advanced endpoint protection services + continuous vulnerability analysis.
How an Adversary-Aware SOC prevents these scenarios
Discover how our Adversary-Aware Security Operations Center proactively identifies and neutralizes threats before they impact your business.
An Adversary-Aware SOC goes beyond traditional security monitoring by understanding attacker tactics, techniques, and procedures (TTPs). We proactively hunt for threats using MITRE ATT&CK framework, behavioral analysis, and threat intelligence to detect attacks that bypass conventional security controls.
Traditional security tools focus on known signatures and indicators. Our behavioral detection analyzes anomalies in user activity, email patterns, network traffic, and system behavior to identify sophisticated attacks that use legitimate tools or bypass authentication controls. This caught the attacks in these case studies before significant damage occurred.
Our SOC operates 24/7 with real-time monitoring and automated response capabilities. Critical alerts trigger immediate investigation and containment actions within minutes. We provide continuous threat hunting, forensic analysis, and coordinated incident response to minimize impact and prevent lateral movement.
We combine global threat intelligence feeds with our own research from real incidents. Every attack we analyze contributes to our detection rules and IOC database, which is immediately shared across all protected environments. This means if we see a new attack pattern targeting one client, all clients are automatically protected within hours.
Absolutely. Our SOC integrates with your existing EDR, XDR, SIEM, firewalls, email security, and identity protection tools. We enhance their effectiveness by correlating events across all sources, applying adversary-aware detection logic, and providing expert human analysis that automated tools alone cannot achieve.