Government Eradicates Ransomware Threat and Reinstates Critical Services

Unit 42® helped the client swiftly contain the threat actor, restore critical government systems, and briefed heads of state.


To fully contain and eradicate the threat


To restore critical government services


To heads of state and cabinet, establishing trust and collaboration

The Client


The Challenge

Following a ransomware attack that significantly impacted government operations, the client engaged Unit 42 for assistance. The team quickly mobilized to assess, investigate, secure and recover the affected systems. Unit 42 helped:

  • Assess the scope of damage.
  • Investigate and identify the threat actor.
  • Implement a recovery plan to get government services back up and running.

Unit 42’s Rigorous Incident Response Approach for Superior Outcomes


80% of systems were encrypted and inoperable, so Unit 42 used Cortex Xpanse® to map the enterprise environment to determine the entirety of the estate to assess the impact.


Forensic analysis determined that initial access was gained using compromised credentials on a legacy remote access application.


Established a clean, new environment and restored core network services.


Restored critical systems including border control, phone systems and payroll to get the government operational.


Performed security strategy review and upleveled the government’s endpoint defense with Cortex XDR® to protect against known and unknown threats.

"We had a wonderful engagement with Unit 42. Their experience and familiarity with the threat actor was essential in resolving our ransomware incident quickly."


First trigger point






Scroll right

Resolution Timeline






Days 0 - 4
Crisis Intervention

Identified 80% of systems were encrypted, used Cortex Xpanse to map attack surface.

Deployed Cortex XDR for forensic collection and expanded visibility.

Contained the threat actor, isolated impacted systems and began restoring operations.

Reinstated nonimpacted web and email services after establishing containment.

Days 5 - 7

Full scope, severity and nature of the incident uncovered through Cortex XDR forensic analysis.

Identified that initial entry in the government network used compromised credentials to access a legacy remote access system.

Established greenfield environment for restoration and restored core network services.

Began decryption and restoration of critical systems including border control, phone systems, payroll and driver’s license services.

Days 8 - 14

Full extent of exfiltrated data identified.

Expanded deployment of Cortex XDR to 90%+ of the environment.

Continued decryption of systems and restored access to noncritical services.

Performed Unit 42 Attack Surface Assessment and closed identified security gaps.

Days 15 - 30

Maintained threat-free environment with Cortex XDR and Unit 42 Managed Threat Hunting.

Finalized restoration activities ensuring high availability of critical systems.

Replaced legacy remote access system with Prisma Access® ZTNA.

Last trigger point

Threat-informed Incident Response

With Unit 42 Incident Response, stay ahead of threats and out of the news. Investigate, contain and recover from incidents faster and emerge stronger than ever before, backed by the full power of the world’s leading cybersecurity company. Contact us to gain peace of mind.

Backed by the Industry’s Best

  • Threat Intel logo icon
    Threat Intel

    Extensive telemetry and intelligence for accelerated investigation and remediation.

  • Technology icon

    Palo Alto Networks platform for in-depth visibility to find, contain and eliminate threats faster, with limited disruption.

  • Experience symbol

    Trusted experts who mobilize quickly and act decisively in over 1K incidents per year.