TL;DR

A mid-market Australian accounting firm suffered a ransomware attack after threat actors compromised their outsourced IT provider's remote monitoring and management (RMM) tool. This case study walks through the full incident response lifecycle — detection, triage, containment, eradication, recovery, and lessons learned — with the exact log artefacts an analyst would pull at each stage. Three preventive controls — MFA enforcement on all third-party access, application allowlisting on servers, and immutable off-site backups with tested restoration — would have blocked the attack at its earliest stages.​‌‌​​‌​​‍​‌‌​​‌‌​‍​‌‌​‌​​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​​​​‌‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​‌​​‍​‌‌‌​‌​‌‍​‌‌​​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​​​‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌​‌‍​‌‌‌​‌‌‌‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​‌‌​‍​‌‌​‌​​‌‍​‌‌​​​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌‌​​‌​‍​‌‌​‌‌‌‌‍​‌‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​‌​​‍​​‌​‌‌​‌‍​‌‌‌​‌‌​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌​​‌​​‍​‌‌​‌‌‌‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌​​​​‌‍​‌‌‌‌​​‌‍​‌‌​​​‌​‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌​‌‌

The Scenario: A Composite Australian SMB Breach

Firm profile: A 75-staff accounting practice in Melbourne, handling sensitive financial data for approximately 600 SME clients. Microsoft 365 environment, hybrid Active Directory with Azure AD Connect, servers hosted on-premises, outsourced IT support through a managed services provider (MSP). The MSP uses ScreenConnect (ConnectWise Control) for remote support.

Attacker profile (composite): A financially motivated threat group — loosely modelled on observed tactics from KRYBIT ransomware operations and APT28 DNS hijacking campaigns — targeting Australian professional services firms via third-party access pathways [1].​‌‌​​‌​​‍​‌‌​​‌‌​‍​‌‌​‌​​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​​​

​‌‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​‌​​‍​‌‌‌​‌​‌‍​‌‌​​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​​​‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌​‌‍​‌‌‌​‌‌‌‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​‌‌​‍​‌‌​‌​​‌‍​‌‌​​​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌‌​​‌​‍​‌‌​‌‌‌‌‍​‌‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​‌​​‍​​‌​‌‌​‌‍​‌‌‌​‌‌​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌​​‌​​‍​‌‌​‌‌‌‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌​​​​‌‍​‌‌‌‌​​‌‍​‌‌​​​‌​‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌​‌‌

Initial access vector: The MSP's ScreenConnect instance was compromised through a credential-stuffing attack against an administrator account that lacked multi-factor authentication. The attacker used the RMM tool to push a PowerShell script to 14 endpoints across the accounting firm's network, deploying Cobalt Strike beacons for persistence and lateral movement.

Stage 1: Detection — The First 30 Minutes

Alert trigger: At 03:14 AEST, the firm's EDR platform (Microsoft Defender for Endpoint) generated a high-severity alert: "Suspicious PowerShell execution — encoded command detected on FINANCE-SRV-02."

Artefacts pulled by the analyst:

Artefact Source What It Showed
Alert timeline Defender XDR portal Encoded PowerShell spawning from ScreenConnect.Service.exe at 03:12 AEST
Process tree Defender Advanced Hunting (DeviceProcessEvents) Parent process chain: ScreenConnect.Service.exepowershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8...
Network connection logs Defender DeviceNetworkEvents Outbound HTTPS connection to known C2 infrastructure on port 443
Scheduled task creation Windows Event ID 4698 New scheduled task WindowsUpdateCheck created — persistence mechanism

The analyst immediately declared a Priority 1 incident and paged the incident response team. The 03:14 timestamp was critical — the attack launched at 3 AM, the classic "low-observation window" used by ransomware operators targeting Australian businesses [2].

Stage 2: Triage — Scoping the Blast Radius

Objective: Determine how far the attacker moved, what was accessed, and whether data exfiltration occurred before encryption.

Artefacts pulled:

Artefact Source Finding
Entra ID sign-in logs Azure AD / Entra admin center → Sign-in logs Anomalous login from IP 103.224.182[.]253 (Thailand) at 03:47 AEST using a Domain Admin account (svc_backup) — lateral movement to cloud
M365 Unified Audit Log Purview Compliance portal → Audit search MailItemsAccessed operation on the CFO's mailbox at 03:52 AEST — 847 items accessed in 90 seconds
DNS query logs Internal DNS server (Windows Event ID 3008 for DNS query logging) High volume of TXT queries to ns1.exfil-malik[.]xyz — DNS tunnelling for data exfiltration
NetFlow / firewall logs FortiGate traffic logs 2.3 GB outbound to TCP/443 to IP 185.244.25[.]187 between 03:30–04:10 AEST
RDP connection logs Windows Event ID 4624 (Type 10) RDP sessions from FINANCE-SRV-02 to 6 other servers between 03:25–04:00 AEST

Triage summary: The attacker moved laterally to 6 servers, accessed the CFO's mailbox, and exfiltrated approximately 2.3 GB of data — likely client tax files, BAS statements, and payroll records — before triggering encryption.

Stage 3: Containment — Stopping the Bleed

Actions taken (04:15–04:45 AEST):

  1. Network isolation: Disabled the VLAN for all affected servers at the switch level. The SOC analyst called the on-call network engineer and had them apply ACLs blocking all outbound traffic from the server subnet except to the EDR cloud console and the backup infrastructure.

  2. Identity containment: Disabled the compromised service accounts (svc_backup, svc_connectwise) in Active Directory. Revoked all active Entra ID refresh tokens via the Revoke-AzureADUserAllRefreshToken PowerShell cmdlet.

  3. MFA enforcement: The MSP was instructed to immediately enable MFA on all their technician accounts — this was done within 12 minutes via a conditional access policy pushed through their RMM platform.

  4. EDR host isolation: Applied network isolation via Defender for Endpoint to all 14 affected endpoints, blocking all inbound and outbound connections except to the Defender cloud service.

Key decision point: The IR team chose not to shut down the domain controllers. The attacker had Domain Admin, but the EDR telemetry showed no evidence of DC compromise (no NTDS.dit access, no DCSync replication events). Shutting down DCs would have crippled authentication for the containment effort. The risk was accepted and monitored.

Stage 4: Eradication — Removing the Attacker

Actions taken (04:45–08:00 AEST):

  1. Persistence removal: Deleted the WindowsUpdateCheck scheduled tasks across all 14 endpoints. Removed the Cobalt Strike service entries from registry (HKLM\SYSTEM\CurrentControlSet\Services\). Verified with a KQL query across all machines:

    DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "WindowsUpdateCheck"

  2. Credential rotation: Emergency password reset for all Domain Admin and service accounts. The MSP rotated their ScreenConnect API keys and revoked all existing session tokens.

  3. M365 tenant hardening: Blocked legacy authentication protocols (IMAP, POP3, ActiveSync) via authentication policies. Enabled mailbox auditing for all users (it was previously only enabled for a subset).

  4. MSP's environment: The MSP conducted their own investigation and found the ScreenConnect admin account was using Summer2024! — a credential present in the Have I Been Pwned database since November 2024 [3].

  5. Reimage decision: All 14 affected servers were reimaged from known-good base images rather than attempting manual clean-up. The decision was made at 05:30 AEST and executed in parallel by the IR team.

Stage 5: Recovery — Business Restoration

Actions taken (08:00–14:00 AEST):

  1. Restore from backup: The firm maintained Veeam backups with immutable storage on a Linux hardened repository. The encryption event occurred at 04:05 AEST — the last clean backup was at 01:00 AEST. Restore commenced at 08:30 AEST.

  2. Verification before reconnection: Each restored server was scanned with Defender for Endpoint and manually verified (no unauthorised scheduled tasks, no unexpected outbound connections) before being reconnected to the network.

  3. Client notification: The firm's managing partner briefed their professional indemnity insurer and the Australian Cyber Security Centre (ACSC) via ReportCyber. Client notifications were drafted with legal counsel — the OAIC Notifiable Data Breach scheme applied because tax file numbers and financial data were exfiltrated [4].

  4. Service restoration timeline: Core financial systems operational by 11:30 AEST. Full client-facing services restored by 14:00 AEST. Total downtime: approximately 11 hours.

Stage 6: Lessons Learned — What the Post-Incident Review Found

  1. The MSP was the single point of failure. The firm had no visibility into the MSP's security posture — no contractual requirement for MFA, no quarterly access reviews, no audit of third-party remote access logs.

  2. Service accounts ran with excessive privileges. The svc_backup account had Domain Admin rights — it only needed backup operator and Exchange admin roles. This allowed the attacker to pivot from the server layer to the M365 tenant without additional privilege escalation.

  3. DNS logs were not being centrally collected. The DNS tunnelling exfiltration ran for 40 minutes before detection. If DNS query logs had been fed into the SIEM with anomaly detection (high TXT query volume, queries to newly registered domains), the exfiltration could have been detected within 5 minutes.

FAQ

Q: How could this have been detected before the PowerShell execution? A: The MSP credential-stuffing attack against ScreenConnect generated multiple failed login attempts from 103.224.182[.]253 over a 2-hour period. If the MSP had login failure alerting configured — or if the firm had a contractual right to review MSP access logs — the attack could have been interrupted at the credential-stuffing stage.

Q: What's the single most impactful change an Australian SMB can make after reading this? A: Require MFA on every third-party access pathway to your environment. This includes MSP RMM tools, vendor VPNs, and any external support accounts. The ASD Essential Eight lists MFA as a Level 1 maturity control for exactly this reason [4].

Q: Does cyber insurance cover vendor-caused incidents? A: Most Australian cyber insurance policies cover third-party breaches, but coverage depends on whether you can demonstrate "reasonable security controls." If your vendor contract didn't mandate MFA, some insurers will apply sub-limits or deny coverage for negligence. Review your policy's vendor-risk clauses.

Q: How long should immutable backups be retained? A: Minimum 30 days. KRYBIT and similar ransomware operators typically maintain persistence for 14–21 days before triggering encryption. Backups older than 30 days with integrity verification ensure you have a clean restore point outside the attacker's dwell time window.

Conclusion

This incident was recoverable because the firm had three things working in their favour: a properly configured EDR that detected the PowerShell execution within 2 minutes, immutable backups that survived the encryption event, and an IR team that made fast, evidence-based containment decisions. Three preventive controls would have stopped this attack at its earliest stage:

  1. MFA on all third-party access (including MSP RMM tools) — blocks credential-stuffing entirely.
  2. Application allowlisting (AppLocker or WDAC) on all servers — prevents unsigned PowerShell execution, even from trusted parent processes.
  3. Immutable, offline backup verification with monthly restoration drills — ensures recovery capability independent of the attack path.

For SMBs without a dedicated SecOps team, these three controls deliver the highest risk reduction per dollar spent. Your MSP's security posture is your security posture — govern it accordingly.

Protect your business before the 3 AM call comes. Visit consult.lil.business for a free 30-minute cybersecurity assessment tailored to Australian SMBs.

References

  1. CYFIRMA Weekly Intelligence Report — KRYBIT Ransomware Analysis (May 2026)
  2. Core Managed — Cybersecurity News Fatigue: Which Threats Actually Matter for SMBs (March 2026)
  3. LinkedIn — Judah Eckstein: Weekly Cybersecurity Roundup — September 2025: Threats, Incidents, SMB Focus
  4. Australian Cyber Security Centre — Essential Eight Maturity Model
  5. The Cyber Express — Weekly Roundup: APT28 DNS Hijacking, State-Backed Threats (April 2026)

TL;DR

  • A big paint company called AkzoNobel got hacked by bad guys called Anubis
  • The hackers stole 170GB of private files — like contracts, employee passports, and secret documents
  • This teaches us that even big companies with lots of money can get hacked
  • Your business needs to check if the companies you work with are safe too

What Happened to AkzoNobel?

Imagine you have a really big lemonade stand. You sell lemonade all over the world and make $12 billion every year. You'd think you're super safe, right?

That's AkzoNobel. They're a huge company that makes paint (brands like Dulux and Sikkens). They have 35,000 workers and sell paint in 150 countries.

But in March 2026, hackers broke into one of their offices in the United States and stole 170 gigabytes of data [1]. That's like stealing 500,000 photos!

Who Are These Hackers?

The hackers call themselves "Anubis" (named after an Egyptian god). Think of them like a club:

  • Some people build the hacking tools (the "developers")
  • Other people use those tools to attack companies (the "affiliates")
  • When they steal money, they split it: 80% for the attacker, 20% for the tool builder [2]

It's like renting a car. You don't need to build a car yourself — you just rent one and drive. That's why these attacks are happening more often. Any bad guy can "rent" hacking tools now.

What Did the Hackers Steal?

The hackers didn't just steal secret paint formulas. They stole stuff that hurts real people [1]:

  • Secret contracts with other companies (like deals that were supposed to be private)
  • Employee passports (like ID cards that let people travel between countries)
  • Email addresses and phone numbers (so they can send tricky messages pretending to be the company)
  • Private emails between workers
  • Technical documents about how things are made

Imagine someone stealing your diary, your homework, your photo album, and your wallet all at once. That's what happened to AkzoNobel.

Why Should You Care?

You might think: "I'm not a big paint company. This doesn't affect me."

Here's why it matters:

Your business partners can be hacked too. If you work with other companies (suppliers, shipping companies, software services), your data sits on THEIR computers. If THEY get hacked, YOUR data gets stolen too.

It's like leaving your bike at a friend's house. If their house gets robbed, your bike is gone — even though you locked it.

These attacks are getting easier. Remember the "rent a car" example? Hackers can now rent sophisticated attack tools. They don't need to be super smart anymore. They just need to pay.

This means MORE attacks will happen against MORE companies — including small businesses like yours.

Your stolen data can be used against you. If a hacker steals your business contracts, they might:

  • Pretend to be you and trick your customers
  • Tell everyone your secret business deals
  • Use your employee information to steal identities

What Can You Do? (3 Simple Steps)

You can't stop hackers from attacking big companies. But you CAN protect your business:

Step 1: Check your business partners. Before sharing important information with another company, ask them:

  • "How do you keep data safe?"
  • "What happens if you get hacked?"
  • "Do you back up your files?"
  • "Do you use two-factor authentication (like a code sent to your phone)?"

If they can't answer these questions, find a different company to work with.

Step 2: Don't give everyone the keys to your castle. If a delivery person needs to drop off a package, you don't give them your house keys. You just open the front door.

It's the same with business:

  • Only give vendors access to what they NEED (not everything)
  • Make their access expire automatically after a certain time
  • Check what they're doing with your data

Step 3: Have a backup plan. If a vendor tells you "We got hacked and your data was stolen," what do you do?

Think about it NOW, before it happens:

  • Who do you call?
  • How do you tell your customers?
  • Do you have backup copies of important files?
  • What if hackers pretend to be you?

The Most Important Lesson

AkzoNobel has lots of money and security experts. They still got hacked.

The lesson isn't "be perfect." The lesson is:

  • Be careful who you trust with your data
  • Have a plan for when things go wrong
  • Check on your business partners regularly

Security isn't a one-time thing. It's like brushing your teeth — you have to keep doing it.

What Happens Next?

AkzoNobel said they "contained" the attack [1]. That means they stopped the hackers from stealing MORE stuff. But the 170GB they already stole? That's gone forever.

The hackers will probably:

  • Try to sell the data to other bad guys
  • Use the information to trick people
  • Demand money from AkzoNobel to NOT publish the secrets

This is called "double extortion" — they lock your files AND threaten to leak your secrets.

Your Action Items

This week, do these three things:

  1. Make a list of all the companies you share important data with (customer lists, financial info, contracts)
  2. Send an email to your top 3 partners asking about their security (use the questions from Step 1 above)
  3. Write down what you'd do if one of your vendors called and said "We were hacked"

That's it. Three simple steps that could save your business.

FAQ

We don't know yet. Some companies pay (to get their data back). Some companies refuse (because paying encourages more attacks). The FBI and other police say "don't pay," but it's a tough choice when your business is at stake.

Maybe. If the hackers make mistakes (like using their real email address or logging in from a traceable computer), police can track them down. But many hackers live in countries where they can't be easily arrested. That's why prevention is better than trying to catch them later.

If you do business with AkzoNobel or any of their brands (Dulux, Sikkens, International, Interpon), contact your representative there. By law, they have to tell you if your data was stolen. Be careful though — scammers will pretend to be AkzoNobel to trick you! Only trust official letters or emails from addresses you already know are real.

A typical smartphone photo is about 3-4 megabytes (MB). There are 1,000 MB in 1 gigabyte (GB). So 170 GB ÷ 0.004 GB per photo = about 42,500 photos. But business documents (PDFs, spreadsheets, scans) are often smaller than photos. So 170GB of business documents could easily be 500,000+ files. It's just a way to help you imagine how much data was stolen!

Think of it like Uber for hackers. Someone builds the ransomware (the "app"), and other people use it to attack companies (the "drivers"). When a victim pays, the money gets split — most goes to the attacker, some goes to the tool builder. This lets more hackers attack more companies because they don't need to be tech experts anymore [2].

References

[1] BleepingComputer, "Paint maker giant AkzoNobel confirms cyberattack on U.S. site," March 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/paint-maker-giant-akzonobel-confirms-cyberattack-on-us-site/

[2] Kela Cyber, "Anubis: A New Ransomware Threat," 2025. [Online]. Available: http://www.kelacyber.com/blog/anubis-a-new-ransomware-threat/

Security isn't about being perfect — it's about being prepared. lilMONSTER helps small businesses check their vendors, make a plan, and sleep better at night. Book a free chat at https://consult.lil.business?utm_source=blog&utm_medium=post&utm_campaign=akzonobel-eli10

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation