Real case: an industrial-sector company in Spain hit by Qilin ransomware (name omitted for confidentiality)
🔑 Key points
| Time (CET) | Event |
|---|---|
| 02:17 | Exploitation of CVE-2024-21762 (FortiOS SSL-VPN, out-of-bounds write). The attacker gains remote code execution on an Internet-exposed Fortinet firewall. |
| 02:21 | Escalation via CVE-2024-55591 (authentication bypass). Administrator-privileged accounts are created on the device. |
| 02:40 | Captured credentials are used to pivot into the internal network. The attackers establish persistence with TeamViewer and AnyDesk installed covertly on critical systems. |
| 03:10 | Lateral movement with PsExec and RDP. Event logging is disabled and vssadmin delete shadows is run on multiple endpoints. |
| 03:45 | Qilin encryption begins. Files receive a custom extension and the ransom note is dropped. |
| 04:00 | The attackers begin exfiltrating sensitive data to external servers. |
| 04:20 | The Qilin RaaS panel shows "status: encrypted". The victim receives payment instructions together with the "Call Lawyer" option (an ironically named Qilin service used to pressure victims on the legal side of the negotiation). |
🧩 Observed tactics
- Initial Access (T1190) – Exploitation of public-facing Fortinet FortiOS/FortiProxy (CVE-2024-21762, CVE-2024-55591).
- Persistence (T1136 / T1547 / T1219) – Creation of new accounts on the device and deployment of remote access tools (TeamViewer, AnyDesk) as backdoors.
- Privilege Escalation (T1068) – Escalation to administrator via the FortiOS authentication bypass.
- Defense Evasion (T1562.002 / T1070.001) and Inhibit System Recovery (T1490) – Disabling and clearing of event logs; deletion of Volume Shadow Copies.
- Lateral Movement (T1021.001 / T1021.002) – RDP and PsExec over SMB admin shares.
- Exfiltration (T1041) – Data theft over the attackers' channel for double extortion.
- Impact (T1486) – Encryption of critical systems with a hybrid AES-256 / RSA-2048 scheme.
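The commands in the timeline (vssadmin delete shadows, log clearing, PsExec against remote hosts, silent installs of remote access tools) all leave a process-creation trail that is straightforward to alert on. The script below is an added example, not part of the original report and not a Merabytes product rule: it runs a small rule set over constructed Sysmon-style process-creation events (hostnames, timestamps and command lines are invented for the example), maps each hit to the ATT&CK technique it evidences, and reports on how many endpoints each technique was seen, which is the "executed on multiple endpoints" view a responder wants at 03:10.

```python
"""
Added example (not from the original report, not a Merabytes product rule):
flag the process-creation events described in the timeline and map them to
ATT&CK. Field names follow Sysmon Event ID 1; the events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    attack_id: str
    image: re.Pattern    # matched against the executable's basename
    cmdline: re.Pattern  # matched against the full command line


RULES = [
    Rule("Shadow copies deleted (vssadmin)", "T1490",
         re.compile(r"^vssadmin\.exe$", re.I),
         re.compile(r"\bdelete\s+shadows\b", re.I)),
    Rule("Shadow copies deleted (WMI)", "T1490",
         re.compile(r"^wmic\.exe$", re.I),
         re.compile(r"\bshadowcopy\s+delete\b", re.I)),
    Rule("Event log cleared", "T1070.001",
         re.compile(r"^wevtutil\.exe$", re.I),
         re.compile(r"\b(cl|clear-log)\b", re.I)),
    Rule("PsExec against a remote host", "T1021.002",
         re.compile(r"^psexec(64)?\.exe$", re.I),
         re.compile(r"\\\\[\w.-]+")),  # a UNC target such as \\SRV01
    Rule("Remote access tool silent install", "T1219",
         re.compile(r"^(anydesk|teamviewer(_setup)?)\.exe$", re.I),
         re.compile(r"(--install\b|--silent\b|--start-with-win\b|\s/S\b)", re.I)),
]

# Constructed events (not from the incident). Sysmon EID 1 field names.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-01-01 01:10:03", "Computer": "SRV-FILE01",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},                       # benign
    {"UtcTime": "2025-01-01 01:40:51", "Computer": "SRV-FILE01",
     "Image": r"C:\ProgramData\AnyDesk\AnyDesk.exe",
     "CommandLine": r'"C:\ProgramData\AnyDesk\AnyDesk.exe" --install "C:\ProgramData\AnyDesk" --start-with-win --silent'},
    {"UtcTime": "2025-01-01 02:10:17", "Computer": "WS-ADMIN03",
     "Image": r"C:\Tools\PsExec64.exe",
     "CommandLine": r"PsExec64.exe \\SRV-ERP01 -s -d cmd.exe /c whoami"},
    {"UtcTime": "2025-01-01 02:12:40", "Computer": "SRV-ERP01",
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"UtcTime": "2025-01-01 02:13:02", "Computer": "SRV-ERP01",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"UtcTime": "2025-01-01 02:13:30", "Computer": "SRV-FILE01",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"UtcTime": "2025-01-01 02:14:00", "Computer": "WS-HR02",
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},                                # benign
]


def _basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1]


def detect(events):
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for ev in events:
        exe = _basename(ev["Image"])
        for rule in RULES:
            if rule.image.search(exe) and rule.cmdline.search(ev["CommandLine"]):
                findings.append({"time": ev["UtcTime"], "host": ev["Computer"],
                                 "attack_id": rule.attack_id, "rule": rule.name,
                                 "command_line": ev["CommandLine"]})
    return findings


def hosts_by_technique(findings):
    """Which hosts each technique was seen on: the spread across endpoints."""
    out = {}
    for f in findings:
        out.setdefault(f["attack_id"], set()).add(f["host"])
    return out


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']}  {f['host']:<11} {f['attack_id']:<10} {f['rule']}")
    for tid, hosts in sorted(hosts_by_technique(found).items()):
        print(f"{tid}: {len(hosts)} host(s): {', '.join(sorted(hosts))}")
```

The rules match on the executable basename plus command line rather than on the command line alone, so a renamed vssadmin.exe would slip through; in production, pair this with an OriginalFileName check from Sysmon and feed the T1490 hits straight into an isolation action, because by the time shadow copies go on a second host the encryption stage is minutes away.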
💥 Impact on the victim
- Encryption of most production servers in under 2 hours.
- Loss of on-host recovery points (Volume Shadow Copies deleted), leaving no usable internal backups.
- Exfiltration of production patents and industrial customer data.
- Partial shutdown of critical production lines, with daily losses above €30K.
- Additional psychological pressure from Qilin's "Call Lawyer" module, used to spell out the legal sanctions the company could face if it did not pay (double extortion).
🛡️ How would it have played out with Merabytes?
| Merabytes Defense Area | How it would have acted | Expected result |
|---|---|---|
| Identity protection (Cisco Duo 2FA on devices and accounts) | Immediate blocking of RDP and VPN logons that fail the second factor, even with stolen credentials. | The pivot into the internal network with captured credentials is cut off. |
| Endpoint protection with anti-ransomware rules | Stops mass-encryption processes and the execution of vssadmin delete shadows, and kills suspicious payloads. | Encryption stops at the initial hosts. |
| Continuous Active Directory analysis | Alerts on privileged account creation and anomalous logons from foreign IPs. | Rapid containment before lateral movement. |
| Backdoor hunting (TeamViewer, AnyDesk, etc.) | Identification and removal of covertly installed remote access tools. | Attacker persistence removed. |
| Continuous vulnerability analysis | Prior detection of CVE-2024-21762 and CVE-2024-55591 on the Fortinet devices, with early warning and recommended patching. | Attack prevented before exploitation. |
📚 Lessons learned
- Exposing an unpatched Fortinet device is playing Russian roulette. Qilin is automating its exploits and attacking Spanish-speaking countries at scale.
- An annual pentest does not catch critical vulnerabilities published between engagements; only continuous analysis does.
- Attackers no longer limit themselves to encryption; they now add "legal" services to increase the pressure.
- Persistence through common remote access tools (AnyDesk, TeamViewer) remains in fashion. If you don't actively hunt for them, you won't find them.
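To make "continuous vulnerability analysis" concrete for the two Fortinet CVEs in this case, here is an added example, not code from the original report or from Merabytes: a version-range check run over a constructed device inventory, with an exposure flag so that vulnerable-and-reachable devices surface first. The affected ranges follow Fortinet's PSIRT advisories FG-IR-24-015 (CVE-2024-21762) and FG-IR-24-535 (CVE-2024-55591) as copied here; re-verify them against the current advisory before relying on them, and note that the FortiProxy rows for CVE-2024-21762 are omitted and would need to be added from the advisory. The device names, versions and exposure sets are invented for the example.

```python
"""
Added example (not from the original report, not Merabytes code): check a
Fortinet inventory against the affected-version ranges of CVE-2024-21762
(FG-IR-24-015) and CVE-2024-55591 (FG-IR-24-535). Ranges are hand-copied
from the advisories; re-verify before use. The inventory is constructed.
"""
from dataclasses import dataclass


def parse_version(text):
    """'v7.0.12' or '7.0.12' -> (7, 0, 12); reject anything else loudly.
    Tuples compare lexicographically, which is what version ordering needs."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS/FortiProxy version: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Affected:
    cve: str
    product: str
    lo: tuple        # first affected version, inclusive
    hi: tuple        # last affected version, inclusive
    service: str     # component that must be reachable for exploitation
    fix: str


ADVISORIES = [
    # CVE-2024-21762 (FG-IR-24-015): out-of-bounds write in SSL-VPN. FortiOS rows only.
    Affected("CVE-2024-21762", "FortiOS", (7, 4, 0), (7, 4, 2), "sslvpn", "upgrade to 7.4.3 or above"),
    Affected("CVE-2024-21762", "FortiOS", (7, 2, 0), (7, 2, 6), "sslvpn", "upgrade to 7.2.7 or above"),
    Affected("CVE-2024-21762", "FortiOS", (7, 0, 0), (7, 0, 13), "sslvpn", "upgrade to 7.0.14 or above"),
    Affected("CVE-2024-21762", "FortiOS", (6, 4, 0), (6, 4, 14), "sslvpn", "upgrade to 6.4.15 or above"),
    Affected("CVE-2024-21762", "FortiOS", (6, 2, 0), (6, 2, 15), "sslvpn", "upgrade to 6.2.16 or above"),
    # 6.0 has no fixed release; (6, 0, 999) is a sentinel covering every 6.0.x
    Affected("CVE-2024-21762", "FortiOS", (6, 0, 0), (6, 0, 999), "sslvpn", "no fix for 6.0; migrate"),
    # CVE-2024-55591 (FG-IR-24-535): authentication bypass via the Node.js websocket module
    Affected("CVE-2024-55591", "FortiOS", (7, 0, 0), (7, 0, 16), "admin_https", "upgrade to 7.0.17 or above"),
    Affected("CVE-2024-55591", "FortiProxy", (7, 0, 0), (7, 0, 19), "admin_https", "upgrade to 7.0.20 or above"),
    Affected("CVE-2024-55591", "FortiProxy", (7, 2, 0), (7, 2, 12), "admin_https", "upgrade to 7.2.13 or above"),
]


@dataclass(frozen=True)
class Device:
    name: str
    product: str
    version: str
    internet_exposed: frozenset  # services reachable from the Internet (assumed inventory field)


def assess(device):
    """Every advisory whose range contains the device version, flagged with
    whether the vulnerable component is reachable from the Internet."""
    v = parse_version(device.version)
    return [
        {"device": device.name, "cve": a.cve, "fix": a.fix,
         "exposed": a.service in device.internet_exposed}
        for a in ADVISORIES
        if a.product == device.product and a.lo <= v <= a.hi
    ]


def prioritised(fleet):
    """Exposed vulnerable devices first: that is the patch-tonight bucket."""
    findings = [f for d in fleet for f in assess(d)]
    return sorted(findings, key=lambda f: (not f["exposed"], f["device"], f["cve"]))


FLEET = [  # constructed inventory, not the victim's
    Device("fw-edge-01", "FortiOS", "7.0.12", frozenset({"sslvpn", "admin_https"})),  # both CVEs, both reachable
    Device("fw-edge-02", "FortiOS", "7.2.7", frozenset({"sslvpn"})),                  # fixed 7.2 release
    Device("fw-dc-01", "FortiOS", "7.0.14", frozenset()),                             # 55591 only, internal
    Device("proxy-01", "FortiProxy", "7.2.13", frozenset({"admin_https"})),           # fixed release
]


if __name__ == "__main__":
    for f in prioritised(FLEET):
        tag = "EXPOSED " if f["exposed"] else "internal"
        print(f"{tag} {f['device']:<11} {f['cve']}  {f['fix']}")
```

Running this daily against the real inventory is what turns an advisory published on a Tuesday into a ticket on Tuesday rather than a finding in next year's pentest; the exposure flag also tells you which devices need the advisory's workaround (disable SSL-VPN, or restrict the HTTPS admin interface) applied immediately while the upgrade is scheduled.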
Conclusion
The attack succeeded because there was no adaptive defence and no continuous monitoring. With Merabytes, the story would have ended differently:
- The vulnerable Fortinet devices would have been patched before exploitation.
- Remote access with stolen credentials would have been blocked by Cisco Duo.
- The ransomware would not have spread beyond the first host, thanks to the anti-ransomware rules.
If you’re interested in accessing other private reports or specific rules for EDR/XDR, visit merabytes.com and request access to our advanced endpoint protection services + continuous vulnerability analysis.