CASE STUDY
Thwarting a Global Ransomware Campaign Through Identity Intelligence
Executive Summary: The Identity Gap in Modern Defense
In the current threat landscape, traditional perimeter defenses are no longer sufficient. As organizations migrate to cloud-first environments, the “Identity” has become the new perimeter. However, as this Global Top-50 MSSP discovered, even robust Multi-Factor Authentication (MFA) has a critical vulnerability: Session Hijacking.
This case study examines how a leading MSSP utilized Constella Intelligence’s Infostealer Historical Search to identify and neutralize a sophisticated ransomware campaign in its early stages. By shifting from a reactive “Security Tool” mindset to a proactive “Data Intelligence” strategy, the MSSP successfully closed the identity gap, protecting a high-value enterprise client from a potentially catastrophic breach.
The Challenge: The Invisible MFA Bypass
The MSSP’s Security Operations Center (SOC) began noticing a disturbing trend across one of their largest multinational clients. Despite a 100% MFA adoption rate for VPN and SaaS access, there was a measurable uptick in “impossible travel” alerts and unauthorized access from suspicious IP addresses.
Traditional investigative techniques failed to provide a clear answer. The logins were technically “valid”: they used correct credentials and, crucially, did not trigger an MFA prompt. The SOC team realized they were facing a sophisticated Session Hijacking attack, in which threat actors were not stealing passwords but rather the active session cookies (also known as “hot credentials”) generated after a successful MFA challenge.
The Problem with Traditional Telemetry
Most MDR and XDR platforms rely on internal telemetry: logs from the endpoint (EDR) or the network (NDR). In this case, the telemetry showed a successful login from a known user. Because the session cookie was stolen from the user’s browser via malware, the attacker was able to inject that cookie into their own browser and “resume” the session, completely bypassing the need for a password or an MFA token.
The MSSP needed a way to see outside the client’s network. They needed to know if their users’ digital identities had been compromised on the “Surface, Deep, and Dark Web” before the attackers ever attempted a login.
The Solution: Constella’s Infostealer Historical Search
To combat this, the MSSP integrated Constella Intelligence’s Identity Protection API into their SOC workflow. Specifically, they utilized the Infostealer Historical Search and Infostealer Historical Password Pivot Search.
Why Infostealer Intelligence?
Infostealers, such as RedLine, Vidar, and Raccoon, are specialized malware designed to exfiltrate browser data, including saved passwords, auto-fill information, and, most importantly, active session cookies. These “logs” are then sold on criminal marketplaces like Genesis Market or Russian Market.
Constella Intelligence maintains the world’s most comprehensive library of verified identity data, with a specific focus on Verified Pedigree. Unlike “raw data brokers” that provide noisy, unverified dumps, Constella cleans, deduplicates, and authenticates infostealer logs, providing SOC analysts with a high-fidelity signal.
The Tactical Methodology
The MSSP’s analysts began a process of Cross-Data Correlation:
- Export VPN Logs: The SOC extracted a list of all active VPN sessions and associated user identities.
- Query Constella API: The MSSP programmatically queried Constella’s data lake for any recent infostealer infections associated with those corporate identities.
- Identify “Hot” Cookies: The API returned specific metadata indicating which users had recently had their browser sessions harvested by malware.
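The cross-data correlation described in these three steps, as an added illustration that is not Constella’s code and does not use its real API format: a constructed VPN session export is joined against constructed infostealer hits, keeping only hits that are recent (48-hour window) and that include cookies for the client’s own VPN or Office 365 sign-in domains. All users, hostnames, cookie domains, timestamps and field names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed VPN session export, standing in for the SOC's real VPN log extract.
VPN_SESSIONS = [
    {"session_id": "vpn-1001", "user": "alice@example.com", "src_ip": "203.0.113.10"},
    {"session_id": "vpn-1002", "user": "bob@example.com", "src_ip": "198.51.100.7"},
    {"session_id": "vpn-1003", "user": "carol@example.com", "src_ip": "203.0.113.55"},
    {"session_id": "vpn-1004", "user": "alice@example.com", "src_ip": "192.0.2.99"},
]
# Constructed infostealer hits, modelled on the fields the case study says were
# returned (malware family, captured cookie domains, infected host). This is a
# stand-in, not the real Constella API response format.
STEALER_HITS = [
    {"user": "alice@example.com", "malware": "RedLine", "seen": "2024-05-02T09:15:00Z",
     "cookies": ["vpn.example.com", "login.microsoftonline.com"], "host": "ALICE-LAPTOP"},
    {"user": "bob@example.com", "malware": "Vidar", "seen": "2024-01-10T12:00:00Z",
     "cookies": ["vpn.example.com"], "host": "BOB-PC"},            # months old: stale
    {"user": "carol@example.com", "malware": "Raccoon", "seen": "2024-05-03T01:30:00Z",
     "cookies": ["shop.example.net"], "host": "CAROL-HOME"},       # no corporate cookies
]
# Hypothetical cookie domains that matter for the client (VPN and Office 365 sign-in).
CORPORATE_COOKIE_DOMAINS = {"vpn.example.com", "login.microsoftonline.com"}
# Fixed reference time so the example is reproducible offline.
NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)


def hot_sessions(sessions, hits, now=NOW, window=timedelta(hours=48)):
    """Return VPN sessions whose user had corporate session cookies harvested
    within `window`, enriched with the stealer metadata for the ticket."""
    recent_by_user = {}
    for hit in hits:
        seen = datetime.fromisoformat(hit["seen"].replace("Z", "+00:00"))
        if now - seen > window:      # old log: cookies very likely expired or rotated
            continue
        if not CORPORATE_COOKIE_DOMAINS & set(hit["cookies"]):
            continue                 # only personal or unrelated cookies were taken
        recent_by_user.setdefault(hit["user"], []).append(hit)
    flagged = []
    for s in sessions:
        for hit in recent_by_user.get(s["user"], []):
            flagged.append({**s, "malware": hit["malware"],
                            "infected_host": hit["host"], "seen": hit["seen"]})
    return flagged


def find_hot_sessions():
    """Run the correlation over the constructed data: these are the sessions to kill."""
    return hot_sessions(VPN_SESSIONS, STEALER_HITS)
```

Only Alice’s two sessions are flagged: Bob’s hit is outside the 48-hour window and Carol’s log contains no corporate cookies, which is the kind of filtering that keeps the signal high-fidelity rather than paging on every stale dump.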
The Turning Point: Identifying the RedLine Infection
Within minutes of running the correlation, the SOC hit “pay dirt.” The Constella API flagged 12 specific corporate accounts that had been compromised by the RedLine Stealer malware within the last 48 hours.
The data returned by Constella was surgical. It didn’t just show that a breach had occurred; it provided the Identity Pedigree:
- Source of Infection: The specific malware strain (RedLine).
- Captured Data: Confirmation that session cookies for the company’s VPN and Office 365 environment were included in the stolen log.
- Machine Metadata: The hostname and IP address of the infected device (which, in several cases, was an employee’s personal laptop used for remote work).
These 12 sessions were “hot.” The attackers had already purchased these logs from a dark web marketplace and were actively using the stolen cookies to maintain a persistent, invisible presence within the client’s network. This was the “Pre-Ransomware” phase: the attackers were currently conducting internal reconnaissance, looking for high-value targets and backup servers.
The Result: Ransomware Thwarted in Minutes
With high-confidence intelligence in hand, the MSSP moved from investigation to Automated Remediation:
- Session Invalidation: The SOC immediately terminated all 12 active VPN sessions identified in the Constella report.
- Global MFA Reset: Even though MFA had been bypassed via the cookie, a full password reset and MFA re-enrollment were forced for the affected users to ensure the “hot” credentials were no longer valid.
- Endpoint Quarantine: Using their EDR tool, the MSSP identified and quarantined the infected machines (both corporate and personal) that had leaked the data.
- Threat Actor Attribution: Using the Hunter+ Investigative Platform, analysts were able to pivot from the stolen logs to identify the specific criminal forum where the data was being traded, providing the client’s executive team with a clear picture of the threat landscape.
The Strategic Impact
The entire process, from detection to full remediation, took less than 30 minutes. Forensic analysis later revealed that the attackers had already mapped the client’s primary domain controller and were preparing to deploy ransomware across the entire infrastructure within the next 12 hours. By identifying the 12 “hot” sessions, the MSSP prevented a multimillion-dollar ransomware event.
Key Questions Answered
Infostealers bypass MFA by stealing session cookies from a user’s browser. Since these cookies are created after a user has already successfully authenticated with a password and MFA, an attacker can use the stolen cookie to “hijack” the session without ever needing to provide credentials.
The most effective prevention is a combination of EDR to stop the initial malware infection and Identity Intelligence (like Constella’s ID-MON-DSI) to monitor for stolen cookies on the dark web. Real-time alerting allows SOC teams to invalidate sessions the moment a leak is detected.
Data Pedigree refers to the verification and cleaning of raw threat data. In a SOC environment, raw data dumps create too much noise. Verified pedigree ensures that analysts are only acting on high-confidence, authenticated signals, which reduces Mean Time to Remediation (MTTR).
Conclusion: Identity Intelligence as a Competitive Advantage
For the MSSP, this success was a powerful validation of their shift toward Data Intelligence. By moving beyond internal logs and integrating Constella’s external identity signals, they transformed their service from a standard monitoring provider to an elite, proactive defense partner.
The “Identity Lifecycle” of Collection, Intelligence, and Power is now the cornerstone of their MDR offering. They no longer just “see” threats; they have the power to stop them at the source by mastering the data that threat actors rely on.