The company suffered a prolonged 42-day ransomware attack that began with a fake CAPTCHA (ClickFix) lure on a compromised car dealership website, which installed SectopRAT for persistent access. The attackers (Howling Scorpius, the Akira ransomware group) conducted reconnaissance, stole domain admin credentials, and moved laterally via RDP, SSH and SMB. They exfiltrated roughly 1 TB of confidential data staged with WinRAR and transferred with FileZillaPortable, deleted cloud backups, and encrypted multiple networks, causing a complete operational shutdown (virtual machines offline). Despite two deployed EDR platforms, the intrusion went undetected because the tools were poorly tuned and logs were collected but not actively monitored. Post-incident, the company rebuilt servers with hardened configurations, adopted Unit 42 MDR and Cortex XSIAM, and negotiated a 68% ransom reduction. The attack highlighted critical failures in detection, response, and cloud and identity security, with long-term reputational and financial damage.
Source: https://cyberpress.org/akira-ransomware-attack/
Pure Storage cybersecurity rating report: https://www.rankiteo.com/company/purestorage
{
"id": "PUR4402144112025",
"linkid": "purestorage",
"type": "Ransomware",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'technology/data storage',
'location': 'global',
'type': 'data storage and infrastructure company'}],
'attack_vector': ['social engineering (fake CAPTCHA)',
'malicious script (ClickFix)',
'SectopRAT (.NET-based RAT)',
'command-and-control backdoor',
'privilege escalation',
'lateral movement (RDP/SSH/SMB)',
'data exfiltration (FileZillaPortable)',
'ransomware deployment (Akira)'],
'data_breach': {'data_encryption': ['WinRAR (staging)',
'Akira ransomware (final encryption)'],
'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'high (includes privileged credentials '
'and operational archives)',
'type_of_data_compromised': ['confidential archives',
'personally identifiable '
'information (PII)',
'operational data']},
'description': 'A global data storage and infrastructure company faced a '
'severe ransomware incident after an employee unknowingly '
'initiated an attack through a fake CAPTCHA challenge. The '
'breach, orchestrated by the financially motivated threat '
'group Howling Scorpius (operators of Akira ransomware), '
'unfolded over 42 days, exposing critical gaps in the '
'company’s detection and response mechanisms. The attackers '
'exfiltrated nearly 1 TB of data, deleted cloud backups, and '
'encrypted multiple networks, halting operations. Despite '
'deploying two enterprise-grade EDR platforms, the '
'organization failed to detect the intrusion due to a '
'visibility gap between log collection and active threat '
'detection. Post-incident remediation included network '
'segmentation, Kerberos ticket rotation, and adoption of Unit '
'42 MDR and Cortex XSIAM for unified visibility.',
'impact': {'brand_reputation_impact': 'significant (high-profile breach with '
'data exfiltration and ransomware)',
'data_compromised': '1 TB (confidential archives, PII, and '
'operational data)',
'downtime': 'complete operational standstill (duration '
'unspecified)',
'identity_theft_risk': 'high (due to PII exposure)',
'operational_impact': 'halted business operations due to encrypted '
'networks and offline VMs',
'systems_affected': ['virtual machines',
'domain controllers',
'cloud backup containers',
'internal networks']},
'initial_access_broker': {'backdoors_established': ['SectopRAT (.NET-based '
'RAT)',
'command-and-control (C2) '
'backdoor'],
'entry_point': 'fake CAPTCHA challenge on a '
'compromised car dealership website '
'(ClickFix script)',
'high_value_targets': ['domain administrator '
'credentials',
'privileged accounts',
'confidential archives',
'cloud backup containers'],
'reconnaissance_period': '42 days'},
'investigation_status': 'completed (post-incident analysis and remediation '
'implemented)',
'lessons_learned': ['Advanced security tools (EDR/SIEM) are ineffective '
'without proper tuning and active monitoring.',
'Visibility gaps between log collection and threat '
'detection enable prolonged intrusions.',
'Social engineering (e.g., fake CAPTCHA) remains a potent '
'initial access vector.',
'Lateral movement via RDP/SSH/SMB and credential abuse '
'are common post-compromise tactics.',
'Cloud backups must be immutable to prevent attacker '
'deletion.',
'Post-incident remediation requires network segmentation, '
'credential hygiene, and unified visibility tools.'],
'motivation': 'financial gain',
'post_incident_analysis': {'corrective_actions': ['Deployed Cortex XSIAM for '
'unified visibility and '
'alert correlation.',
'Adopted Unit 42 MDR for '
'continuous threat '
'monitoring.',
'Implemented network '
'segmentation and Kerberos '
'ticket rotation.',
'Hardened cloud and '
'identity configurations '
'(e.g., immutable backups).',
'Removed outdated endpoints '
'and rebuilt systems with '
'secure baselines.',
'Negotiated ransom '
'reduction (68%) through '
'Unit 42 intervention.'],
'root_causes': ['Failure of EDR platforms to '
'generate alerts despite complete '
'intrusion logs.',
'Lack of active monitoring and '
'threat detection tuning.',
'Successful social engineering '
'(fake CAPTCHA) leading to initial '
'access.',
'Unrestricted lateral movement via '
'RDP/SSH/SMB due to poor '
'segmentation.',
'Abuse of privileged credentials '
'(domain admin) for persistence.',
'Deletion of cloud backups '
'enabling destructive ransomware '
'impact.']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': 'Akira'},
'recommendations': ['Implement and tune EDR/SIEM platforms for active threat '
'detection (not just log collection).',
'Deploy network segmentation to limit lateral movement.',
'Enforce Kerberos ticket rotation and privilege access '
'management (PAM).',
'Harden cloud and identity configurations (e.g., '
'immutable backups, MFA).',
'Remove or update outdated endpoints to eliminate attack '
'surfaces.',
'Adopt managed detection and response (MDR) services for '
'24/7 monitoring.',
'Integrate unified visibility platforms (e.g., Cortex '
'XSIAM) to correlate logs across environments.',
'Conduct regular red team exercises to test detection '
'capabilities.',
'Train employees on social engineering tactics (e.g., '
'fake CAPTCHA, phishing).'],
'references': [{'source': 'Unit 42 (Palo Alto Networks) 2025 Global Incident '
'Response Report'},
{'source': 'Cyber Incident Description (provided text)'}],
'response': {'containment_measures': ['isolation of affected systems',
'deletion of attacker backdoors',
'revocation of compromised credentials'],
'enhanced_monitoring': True,
'incident_response_plan_activated': True,
'network_segmentation': True,
'recovery_measures': ['restoration from backups (partial, due to '
'deleted cloud containers)',
'reconstruction of encrypted networks'],
'remediation_measures': ['rebuilt servers and domain controllers '
'with hardened configurations',
'network segmentation',
'Kerberos ticket rotation',
'removal of outdated endpoints',
'hardening of cloud and identity '
'configurations',
'adoption of Unit 42 MDR for continuous '
'monitoring',
'integration of Cortex XSIAM for '
'unified visibility'],
'third_party_assistance': ['Unit 42 (Palo Alto Networks) for '
'investigation and remediation']},
'threat_actor': 'Howling Scorpius (Akira ransomware operators)',
'title': 'Global Data Storage Company Hit by Akira Ransomware via Fake '
'CAPTCHA Attack',
'type': ['ransomware', 'data breach', 'credential abuse', 'lateral movement'],
'vulnerability_exploited': ['lack of threat detection tuning',
'visibility gap in EDR/SIEM logs',
'unpatched or misconfigured endpoints',
'weak credential management (golden ticket risk)',
'inadequate network segmentation']}