Telecom Provider Contains Black Basta Attack and Restores Operations

The client called Unit 42® to determine the extent of unauthorized access, negotiate the ransom payment and eradicate the threat.


  • To determine the attack vector in a 50K-endpoint environment
  • In ransom with expert negotiation
  • To contain the threat and ensure continuity of business operations

The Client

Telecommunications company servicing millions of customers

The Challenge

Over the course of 13 hours, the client was hit with a severe ransomware attack that encrypted files on tens of thousands of systems, exfiltrated sensitive data and brought 50% of their business operations to a halt. The client asked Unit 42 to help:

  • Contain the threat and prevent further data exfiltration.
  • Eradicate the threat actor.
  • Investigate root cause and assist with restoring business operations.

Unit 42’s Rigorous Incident Response Approach for Superior Outcomes


  • The client realized it had been hit by ransomware when it identified encrypted files and ransom notes within its enterprise environment. Unit 42 began assessing the attack within two hours.
  • Forensics and threat hunting quickly revealed Black Basta ransomware, the initial phishing email and the extent of unauthorized access.
  • Deployed Cortex XDR® across the impacted environment within 96 hours to ensure the attack was contained, enabling the Unit 42 MDR team to begin 24/7 monitoring and threat hunting.
  • Negotiated an 80% reduction from the initial ransom demand and obtained, tested and implemented decryption keys.
  • Identified gaps in network segmentation, credential control, endpoint security and security visibility, and deployed additional firewall and access control technologies.


Resolution Timeline

Days 0 - 4: Crisis Intervention

  • Deployed Cortex XDR and Xpanse® for enterprise-wide visibility, indicator collection and forensics.
  • Leveraged Unit 42 Threat Intelligence to identify Black Basta TTPs and IOCs and quickly close in on the attacker.
  • Established contact with the threat actor and negotiated an 80% reduction from the initial ransom demand.
  • Established secure connectivity for non-impacted sites.

Days 5 - 7

  • Scope, severity and nature of the incident uncovered via Cortex XDR forensic analysis.
  • Root cause identified as a QBot phishing email; determined the extent of the data exfiltrated.
  • Implemented network segmentation and containment at the client HQ using NGFW firewalls with SSL decryption/inspection enabled.
  • Began decryption using a third-party decryption utility; completed a network-wide credential reset.

Days 8 - 14

  • Identified the full breadth of threat actor activity across the impacted environment.
  • Fully contained and evicted the threat actor from the environment.
  • Restored critical business operations; decryption efforts shifted to lower-priority support systems.
  • Established secure connections to remote sites with Prisma Access.

Days 15 - 30

  • IR and MDR remained in place for 24/7 monitoring. Started to remediate vulnerabilities identified in Xpanse mapping.
  • Continued rebuilding and restoring impacted servers and workstations.
  • Ensured full visibility, alerting and protection through an enterprise-wide Cortex XDR deployment across 30K+ endpoints.


Threat-informed Incident Response

With Unit 42 Incident Response, stay ahead of threats and out of the news. Investigate, contain and recover from incidents faster and emerge stronger than ever before, backed by the full power of the world’s leading cybersecurity company. Contact us to gain peace of mind.

Backed by Industry’s Best

  • Threat Intel: Extensive telemetry and intelligence for accelerated investigation and remediation.
  • Technology: Palo Alto Networks platform for in-depth visibility to find, contain and eliminate threats faster, with limited disruption.
  • Experience: Trusted experts who mobilize quickly and act decisively in over 1K incidents per year.