Global Manufacturing Enterprise Stops a Ransomware Deployment 4 Hours Before Execution
Executive Summary
Ransomware operators no longer break into enterprise networks — they log in. For a global manufacturing enterprise operating across 14 countries, that reality became acute when an infostealer infection on a remote employee’s personal laptop harvested active VPN and domain controller session cookies that bypassed Multi-Factor Authentication entirely. The security team had no visibility into the compromise — because the infected device was personal, not corporate-managed, it fell outside the coverage of their EDR platform.
This case study examines how Constella Intelligence’s continuous infostealer monitoring detected the harvested session data within hours of its appearance on a criminal marketplace — giving the SOC the pre-attack window to invalidate the stolen sessions, re-enroll the compromised identity, and quarantine the infected device before a ransomware operator, who had already purchased the log and was staging for deployment, could execute.
The Challenge: The Personal Device Blind Spot
The enterprise’s security architecture was mature by conventional standards: enterprise-wide EDR coverage on corporate devices, phishing-resistant MFA on all remote access, SIEM-based anomaly detection, and a quarterly vulnerability management program. What it could not see was the personal device problem.
As with most large organizations navigating post-pandemic hybrid work, a meaningful percentage of the workforce accessed corporate resources from personal laptops and mobile devices — particularly for VPN access outside business hours and for cloud-hosted applications. These devices were outside the EDR policy boundary. When a senior operations manager’s personal laptop was silently infected with an infostealer variant via a malicious PDF attachment disguised as a shipping manifest, the corporate security stack had no visibility into the event.
The infostealer harvested the browser’s stored session data over a period of approximately 6 hours: active VPN session cookies, an authenticated Microsoft 365 session, and, critically, a cached session token for the enterprise’s remote management console. The harvested data was compressed, exfiltrated, and listed for sale on a dark web marketplace within 24 hours of the initial infection.
The Problem with Traditional Telemetry
From the perspective of the enterprise’s security stack, nothing had happened. The EDR had not flagged any activity, because the infected device was not within its policy scope. The SIEM had not generated an alert, because no anomalous authentication had occurred yet, and the stolen sessions had not been replayed. The threat existed entirely outside the organization’s detection boundary, in the criminal marketplace where the harvested log was being traded.
This is the fundamental gap in perimeter-centric and endpoint-centric security architectures: they are designed to detect threats that are interacting with managed infrastructure. An infostealer operating on a personal device, harvesting credentials for later use by a separate threat actor, generates no internal signal until the moment the stolen session is replayed — at which point, the attacker is already inside.
The Solution: Continuous Infostealer Monitoring
The enterprise’s security operations team had integrated Constella Intelligence’s continuous monitoring capability into their SIEM environment six months prior, primarily to address credential exposure across corporate domains. Constella’s monitoring watches the Surface, Deep, and Dark Web continuously — including newly ingested infostealer package feeds — for any corporate domain-associated identity data.
Within hours of the harvested log appearing on the criminal marketplace, Constella’s infostealer monitoring generated an alert. The alert contained:
- Session Data Inventory: Specific URLs and applications for which active session cookies had been captured, including the VPN gateway, Microsoft 365, and the remote management console.
- Device Metadata: The hostname and IP address of the infected device, confirming it was a non-corporate-managed endpoint.
- Malware Attribution: Identification of the specific infostealer strain responsible for the collection.
- Recency Confirmation: Timestamp data indicating the infection had occurred within the past 48 hours, confirming the stolen sessions were likely still active.
The SOC analyst receiving the alert had immediate, high-confidence context: not a low-fidelity credential exposure notice requiring hours of manual enrichment, but a complete, actionable intelligence package pointing to a specific, current, in-progress threat.
The Result: Ransomware Thwarted Before Execution
From alert receipt to full remediation took 28 minutes:
- Session Invalidation: The SOC immediately terminated all active sessions associated with the compromised identity across all platforms, including the VPN gateway, Microsoft 365, and the remote management console.
- MFA Re-Enrollment: Even though the MFA challenge had already been satisfied by the stolen cookie, forced MFA re-enrollment was triggered to ensure the threat actor could not re-authenticate with other harvested credentials.
- Identity Scope Review: The analyst used Constella’s Hunter platform to pivot from the single compromised identity to the broader threat actor cluster, confirming no other corporate identities had appeared in the same infostealer campaign.
- Device Notification: The operations manager was notified and guided through a personal device clean procedure, including a full wipe and OS reinstall.
Forensic analysis conducted in the 48 hours following the incident confirmed what had nearly occurred. The threat actor who purchased the log had already authenticated to the remote management console using the stolen session cookie and had spent approximately 90 minutes mapping the enterprise’s network, identifying domain controllers, backup server locations, and file share infrastructure. The estimated execution window for ransomware deployment was within 4 hours of when Constella’s alert was received.
The enterprise’s cyber insurance carrier, notified as part of the incident response protocol, confirmed that the documented response, including the Constella alert timestamp, the session invalidation record, and the Hunter-generated threat actor attribution, satisfied the carrier’s incident reporting requirements and would not trigger a premium review.
Key Outcomes:
- Ransomware deployment prevented 4 hours before estimated execution window
- Complete remediation (session invalidation, MFA re-enrollment, device quarantine) in 28 minutes from alert receipt
- Personal device blind spot surfaced and addressed without requiring EDR policy expansion
- Threat actor campaign attributed via Hunter, confirming no additional corporate identities were at risk
- Incident documentation satisfied cyber insurance carrier reporting requirements
The infostealer harvested active session cookies from the browser: cookies that are created after a user has already successfully completed MFA. By replaying a stolen session cookie, the attacker presents a token that the target system interprets as a valid, authenticated session, bypassing the MFA challenge entirely. The authentication has already happened; the cookie is the proof.
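The following is an added illustration, not code from Constella or from the enterprise described here. It models a minimal server-side session store to show the two points the case study makes: a replayed cookie is accepted because the server only checks that the cookie maps to a live, MFA-satisfied session (nothing distinguishes it from the legitimate browser), and the "Session Invalidation" step works by recording an identity-wide revocation time so that every session issued before it is rejected while a fresh session issued after re-enrollment is accepted. The identity name, timestamps and store layout are constructed for the example.

```python
"""Added example: per-identity session revocation as a response to stolen
session cookies. Constructed model, not Constella's or the enterprise's code."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    identity: str
    issued_at: float        # epoch seconds when the cookie was issued
    mfa_satisfied: bool     # MFA was completed before this session was created


@dataclass
class SessionStore:
    # cookie value -> Session; the cookie is the only thing the client presents
    sessions: dict = field(default_factory=dict)
    # identity -> epoch seconds; every session issued at or before this is dead
    revoked_before: dict = field(default_factory=dict)

    def issue(self, identity: str, mfa_satisfied: bool, now: float) -> str:
        """Create a session cookie after the identity has authenticated."""
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(identity, now, mfa_satisfied)
        return cookie

    def validate(self, cookie: str):
        """Return the identity if the cookie maps to a live session, else None.

        Note what is NOT checked: the server cannot tell a cookie copied out of
        an infostealer log from one presented by the employee's own browser.
        The MFA challenge happened at issue time; the cookie is the proof."""
        session = self.sessions.get(cookie)
        if session is None or not session.mfa_satisfied:
            return None
        cutoff = self.revoked_before.get(session.identity, float("-inf"))
        if session.issued_at <= cutoff:
            return None  # session predates the identity-wide revocation
        return session.identity

    def invalidate_identity(self, identity: str, now: float) -> int:
        """Revoke every session the identity currently holds; return the count.

        Recording a cutoff instead of deleting entries also kills sessions the
        store has not seen yet (e.g. replicas), which is what a SOC wants when
        it does not know how many copies of the cookie exist."""
        self.revoked_before[identity] = now
        return sum(
            1 for s in self.sessions.values()
            if s.identity == identity and s.issued_at <= now
        )


def simulate_incident() -> dict:
    """Walk through the case study's sequence with constructed timestamps."""
    store = SessionStore()
    identity = "ops.manager@example.test"   # constructed identity
    t0 = 1_700_000_000.0                    # constructed epoch time

    # 1. Employee completes MFA in the browser; the server issues a cookie.
    cookie = store.issue(identity, mfa_satisfied=True, now=t0)

    # 2. Infostealer copies the cookie; the buyer replays it hours later.
    #    No MFA prompt: the session is live, so the replay is accepted.
    replay_before = store.validate(cookie) == identity

    # 3. SOC receives the alert and invalidates all sessions for the identity.
    revoked = store.invalidate_identity(identity, now=t0 + 7 * 3600)

    # 4. The same stolen cookie is replayed again and is now rejected.
    replay_after = store.validate(cookie) is not None

    # 5. Employee re-enrolls MFA on a clean device and gets a fresh cookie,
    #    issued after the cutoff, so it is accepted.
    fresh = store.issue(identity, mfa_satisfied=True, now=t0 + 8 * 3600)
    fresh_ok = store.validate(fresh) == identity

    return {
        "replay_accepted_before_revocation": replay_before,
        "sessions_revoked": revoked,
        "replay_accepted_after_revocation": replay_after,
        "fresh_session_accepted": fresh_ok,
    }


if __name__ == "__main__":
    for key, value in simulate_incident().items():
        print(f"{key}: {value}")
```

The revocation-cutoff design is what makes "terminate all active sessions" a single atomic action rather than a hunt for every cookie copy; the same cutoff has to be applied on every system that issued its own session (here the VPN gateway, Microsoft 365 and the remote management console), because each one validates its own cookies independently.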
The infected device was a personal laptop outside the organization’s EDR policy boundary. This is increasingly common as hybrid work has expanded the identity perimeter beyond managed infrastructure. Constella’s monitoring operates externally, watching criminal markets for signals of compromise regardless of whether the infected device is corporate-managed, filling precisely this gap.
The alert included specific session data inventory (which applications had cookies captured), device metadata (confirming the personal device source), malware attribution (identifying the strain), and recency timestamps (confirming the sessions were likely still active). This context allowed the SOC to move immediately to targeted remediation rather than broad, disruptive countermeasures.
Conclusion
This incident illustrates the fundamental asymmetry that defines modern ransomware risk: defenders must secure every identity, on every device, at all times. Attackers need only find one unmonitored device, one harvested session, one window of visibility the SOC doesn’t have.
For this enterprise, Constella’s external identity intelligence closed that window, not by expanding the endpoint policy boundary, but by watching the criminal marketplace where the threat actor’s activity became visible before it could be weaponized. The ability to detect a compromise that generated zero internal signal, and to do so within hours of the stolen data appearing for sale, is what made the difference between a prevented incident and a ransomware deployment.