Welcome to the latest edition of our “Breaking Down the Breach” series. In this installment we dissect a ransomware incident that leapt from a corporate headquarters into a branch office through an overly‑permissive site‑to‑site VPN. The story is a cautionary tale about what can happen when tool coverage is inconsistent and network tunnels are left wide‑open.
While the parent company ultimately hired a third‑party incident‑response firm—limiting our visibility into the final outcome—the attack encrypted an estimated 15–20 workstations and severely disrupted day‑to‑day operations at the branch. Read on to learn what we know for certain about what happened, why it happened, and—most importantly—how it could have been prevented.
What happened
A service company had recently been acquired by a larger parent company. Corporate quickly shipped new laptops—but without telling WingSwept or installing our security stack. When a server at corporate HQ was compromised, the attacker used the always‑on site‑to‑site VPN to move laterally into the branch environment.
Almost immediately, branch users saw pop‑ups warning that an application was reaching out to download a suspicious DLL. A classic “README.txt” ransom note began dropping, and 15–20 of the corporate‑managed machines were encrypted before staff called us.
Our cybersecurity team traced the malicious traffic back through the VPN tunnel to the HQ server. Because the affected endpoints were outside the visibility of our security tools, we had no active monitoring in place to detect and respond to the malicious activity, so there was no possibility of automatically containing the spread. In accordance with best practice, and given the low endpoint visibility, we advised a full re‑image of every impacted workstation. However, corporate brought in a third‑party IR team and withheld further details, so we cannot confirm the exact remediation steps or recovery timeline.
Complicating matters, WingSwept’s services were slated to be phased out after the acquisition, so the branch expected the new corporate devices to ship with equivalent protection. Instead, we found at least one low‑performing antivirus product in place, and no modern EDR or ransomware containment—leaving the environment dangerously exposed.
Why it happened
TOOLSET SATURATION GAP
Corporate shipped laptops to the branch without WingSwept’s protection stack. We were never told what security tools were installed, but we confirmed at least one low‑performing antivirus product. Without consistent, modern defenses on every machine, gaps were inevitable.
UNRESTRICTED VPN TUNNEL
Corporate asked us to establish a permanent site‑to‑site VPN that allowed broad, “any‑to‑any” traffic between headquarters and the branch. Although we built the tunnel, its settings did not follow our recommended least‑privilege standards, leaving both networks exposed.
POOR POST‑ACQUISITION COMMUNICATION
After the acquisition, communication between Corporate and the branch office was limited and inconsistent. Corporate offered little guidance during the transition, leaving the branch unclear on responsibilities for patching, monitoring, and incident response. As a result, critical security tasks were neglected.
FRAGMENTED INCIDENT RESPONSE
When the ransomware hit, corporate brought in an outside incident‑response firm but did not share details with us. The split effort reduced visibility and slowed coordinated containment and recovery.
How It Could Have Been Prevented
FULL TOOLSET SATURATION
Every asset—new or old—needs the same endpoint detection & response (EDR) and ransomware protection. One unprotected device is all an attacker needs.
LEAST‑PRIVILEGE VPN RULES
Site‑to‑site tunnels should grant only the subnets, ports, and protocols required for business. Anything more widens the blast radius.
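To make the difference concrete, here is an added example (not WingSwept tooling) that audits a simplified site‑to‑site VPN policy for "any‑to‑any" rules and evaluates the same two flows against a broad policy and a least‑privilege one. The rule format, the HQ and branch subnets, the server addresses, and the choice of SMB as the lateral‑movement protocol are all assumptions for illustration; the page does not name them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str            # CIDR, or "any"
    dst: str            # CIDR, or "any"
    proto: str          # "tcp", "udp" or "any"
    ports: frozenset    # destination ports; empty means any port
    action: str         # "allow" or "deny"

def _net(cidr):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)

def is_overly_permissive(rule):
    """An allow rule is too broad when it lets traffic reach a whole network
    without pinning the protocol or port (the any-to-any tunnel)."""
    if rule.action != "allow":
        return False
    whole_network = _net(rule.dst).num_addresses > 1
    unrestricted = rule.proto == "any" or not rule.ports
    return whole_network and unrestricted

def audit(policy):
    """Return the indexes of rules that violate least privilege."""
    return [i for i, r in enumerate(policy) if is_overly_permissive(r)]

def allows(policy, src, dst, proto, port):
    """First-match evaluation with an implicit deny at the end of the policy."""
    for r in policy:
        if (ip_address(src) in _net(r.src) and ip_address(dst) in _net(r.dst)
                and r.proto in ("any", proto) and (not r.ports or port in r.ports)):
            return r.action == "allow"
    return False

# Constructed sample policies; the subnets and hosts are assumptions.
HQ, BRANCH = "10.10.0.0/16", "10.20.0.0/16"
ANY_TO_ANY = [Rule(HQ, BRANCH, "any", frozenset(), "allow"),
              Rule(BRANCH, HQ, "any", frozenset(), "allow")]
LEAST_PRIVILEGE = [
    Rule(BRANCH, "10.10.5.20/32", "tcp", frozenset({443}), "allow"),  # branch -> HQ app server, HTTPS only
    Rule("10.10.5.10/32", BRANCH, "tcp", frozenset({443}), "allow"),  # HQ management server -> branch agents
]

# A compromised HQ server reaching into a branch workstation (SMB assumed).
SMB_FROM_HQ = ("10.10.7.25", "10.20.3.40", "tcp", 445)
# A legitimate branch user reaching the HQ application.
APP_FROM_BRANCH = ("10.20.3.40", "10.10.5.20", "tcp", 443)

if __name__ == "__main__":
    print("any-to-any violations:", audit(ANY_TO_ANY))
    print("lateral move allowed, any-to-any:", allows(ANY_TO_ANY, *SMB_FROM_HQ))
    print("lateral move allowed, least-privilege:", allows(LEAST_PRIVILEGE, *SMB_FROM_HQ))
```

Both policies let the legitimate branch‑to‑HQ application flow through; only the broad one also carries the lateral move from HQ into the branch.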
CO‑MANAGED VISIBILITY
During mergers & acquisitions, clearly define who owns patching, security tooling, and monitoring. Shared dashboards prevent blind spots.
CENTRALIZED INCIDENT RESPONSE
A single incident‑response lead coordinates faster, clearer decision‑making. Multiple teams create gaps and duplicate effort.
Key Insights
- Security gaps travel fast. If an attacker can reach one unmanaged device, they can often reach many.
- VPNs are not one‑size‑fits‑all. Treat them like fire escapes—open only when and where absolutely necessary.
- M&A transitions demand a tooling parity checklist. No device should go live until it meets baseline security standards.
- Visibility is power. Without logs and EDR telemetry, containment capabilities are greatly diminished.
Need a quick audit of your VPN rules or tool coverage? Reach out to the WingSwept security team at Team_WingSwept@wingswept.com.