In December 2024, attackers slipped into our client’s network without setting off any alarms. They went unnoticed until January 2025, when they detonated ransomware and caused a full-scale shutdown.
What is unusual about this attack? Our client is a Fortune 500 company with robust security tooling and an in-house SOC team. If an organization of that scale failed to detect the intrusion before the ransomware ran, any company could miss one.
Key Takeaways
- A SIEM without real-world testing creates a false sense of security. Even the best tools fail when their configurations haven’t been checked under real-world conditions.
- Visibility isn’t the same as resilience. Collecting logs doesn’t stop ransomware; only real-time detection and proactive threat hunting can.
- Defense must evolve beyond tools. Integrating SIEM with MDR and redesigning network architecture transforms security.
Don’t let ransomware catch you off guard
Download our Incident Response Plan Template with instantly usable checklists.
The Myth of “SIEM Is Enough”
Having a SIEM and an in-house SOC team can create a false sense of security. On the surface, you might have everything — security specialists monitoring your infrastructure and tools designed to detect threats. But in reality, many companies fail to configure their SIEM properly, leaving their SOC analysts drowning in false positives while real threats slip through unnoticed.
Even when a business has invested in configuration, it still needs to stress-test the result, and that is something companies rarely do. Without knowing how your defenses perform in a real attack scenario, you are like a knight wearing only the front half of their armor: convinced you are fully protected while your back is completely exposed.
One client’s experience showed us that cybersecurity is about more than just having SIEM and a SOC team and assuming you’re “doing everything right.” Below, we’ll break down how the ransomware incident happened and why all those tools and experts still couldn’t stop it.
The Breach From the Inside Out
Hackers acted quietly to cause maximum damage to the business. Here’s how one breach escalated from a single entry point to millions in losses.

Stage 1: Infiltration
The attackers sidestepped the company’s VPN entirely by abusing an exposed Virtual Desktop Infrastructure (VDI). That gave them a direct path into the internal network without triggering a single alarm.
Stage 2: Lateral Movement
For weeks, the attackers escalated privileges, took over critical accounts, and finally launched a DCSync attack. DCSync abuses the directory replication protocol: an account holding replication rights asks a domain controller for the same data a peer domain controller would receive, which includes password hashes for any account in the domain. At that point they effectively owned the company’s Active Directory.
Stage 3: Ransomware Launch
The attackers exfiltrated data and then deployed ransomware that encrypted 22 hypervisors, locking critical systems and every virtual machine running on them in a single stroke.
Stage 4: The Aftermath
The breach caused two weeks of complete system downtime and cost $29.73 million, a combination of business disruption and recovery costs.
Where SIEM and SOC Didn’t Work Out
On paper, the company’s SIEM looked reliable — processing logs, connected to the right data sources, and backed by an in-house SOC team. In reality, the tool was noisy, overwhelming the SOC team with false-positive alerts, making it nearly impossible to separate genuine threats from harmless anomalies. Over time, alert fatigue slowed down the team’s ability to recognize real attacks.
On top of the alert overload, the SIEM carried around 900 outdated correlation rules that no longer matched current attack patterns. The tool fired on low-value events and stayed silent on the ones that mattered, including the replication requests that a DCSync attack produces.
Without real-world scenario testing, the SOC team had never practiced detecting and responding to an attack like this one. Misconfigurations in Active Directory left critical doors open, allowing the attackers to escalate privileges and move deeper into the network without being noticed.
Our Improvements in Security Infrastructure
To contain the threat, we immediately deployed an EDR system across affected endpoints. This stopped the attacker’s activity and prevented further ransomware encryption attempts. After a full forensic analysis, we traced each step the hackers took to enter and spread within the network. Our ransomware removal experts eliminated any traces of the hackers to ensure the environment was truly clean.
Then it was time to rethink the client’s approach to security. We wrote over a hundred targeted correlation rules for their SIEM so that it alerts on the techniques attackers actually use. Our team also redesigned the network architecture, introducing segmentation that impedes lateral movement: in the event of a new compromise, the threat is contained in a small part of the environment instead of spreading undetected through the entire network.
Finally, we integrated the client’s existing tools with an MDR service. The SIEM provides visibility by collecting and analyzing data; MDR adds proactive threat hunting and real-time response. Together they turned the client’s defenses into a smarter, more resilient framework.
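What one of those targeted correlation rules looks like in practice, for the DCSync step in Stage 2 and the rule gap described above. This is an added example, not code from the article or from UnderDefense, and it does not reproduce the client’s actual rule set. It models the logic any SIEM needs for this technique: Windows Security event 4662 on a domain controller whose Properties field lists a directory-replication control-access right, raised by an account that is not itself a domain controller. The replication-right GUIDs are the well-known Active Directory schema values; the list of domain controller accounts, the `MSOL_` allowlist for an Azure AD Connect service account, and the log lines are all constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Control-access-right GUIDs that a DCSync request needs. These are the
# well-known values from the Active Directory schema, not something the
# article lists.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed asset inventory: accounts that legitimately replicate the directory.
# Domain controller computer accounts and an Azure AD Connect service account
# (MSOL_*) are the usual benign sources; anything else deserves an alert.
DOMAIN_CONTROLLER_ACCOUNTS = {"DC01$", "DC02$"}
ALLOWED_PREFIXES = ("MSOL_",)

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class Alert:
    account: str
    domain_controller: str
    rights: Tuple[str, ...]
    severity: str


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed key="value" log line into a field map."""
    return dict(FIELD_RE.findall(line))


def replication_rights(properties: str) -> Tuple[str, ...]:
    """Map the GUIDs in a 4662 Properties field to replication right names."""
    found = []
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name:
            found.append(name)
    return tuple(found)


def dcsync_rule(event: Dict[str, str]) -> Optional[Alert]:
    """Correlation rule: a non-DC account exercised directory replication rights."""
    if event.get("EventID") != "4662":
        return None
    rights = replication_rights(event.get("Properties", ""))
    if not rights:
        return None
    account = event.get("SubjectUserName", "")
    # Domain controllers replicate with each other all day. A stale rule either
    # alerts on this (noise) or suppresses 4662 wholesale (blind spot); the fix
    # is to suppress only the known replication accounts.
    if account in DOMAIN_CONTROLLER_ACCOUNTS or account.startswith(ALLOWED_PREFIXES):
        return None
    # Get-Changes-All is the right that returns password hashes, so it is the
    # one that matters most.
    severity = "critical" if "DS-Replication-Get-Changes-All" in rights else "high"
    return Alert(account, event.get("Computer", ""), rights, severity)


def run_rule(lines: List[str]) -> List[Alert]:
    """Evaluate the rule over a batch of log lines and return the alerts raised."""
    alerts = []
    for line in lines:
        alert = dcsync_rule(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events; they are not logs from the incident.
SAMPLE_LOG = [
    # Benign: DC02 replicating from DC01.
    'EventID="4662" Computer="DC01.corp.example" SubjectUserName="DC02$" SubjectDomainName="CORP" '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    # Suspicious: a service account requesting a full replication, i.e. DCSync.
    'EventID="4662" Computer="DC01.corp.example" SubjectUserName="svc_backup" SubjectDomainName="CORP" '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    # Benign: assumed Azure AD Connect sync account.
    'EventID="4662" Computer="DC01.corp.example" SubjectUserName="MSOL_1a2b3c4d" SubjectDomainName="CORP" '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    # Unrelated 4662: a user touching an object with a non-replication right.
    'EventID="4662" Computer="DC01.corp.example" SubjectUserName="jdoe" SubjectDomainName="CORP" '
    'Properties="{bf967a86-0de6-11d0-a285-00aa003049e2}"',
    # Wrong event type entirely.
    'EventID="4624" Computer="DC01.corp.example" SubjectUserName="jdoe" SubjectDomainName="CORP"',
]

if __name__ == "__main__":
    for a in run_rule(SAMPLE_LOG):
        print(f"[{a.severity}] {a.account} replicated from {a.domain_controller}: {', '.join(a.rights)}")
```

Run as-is, the only alert is the `svc_backup` request, rated critical because it carries DS-Replication-Get-Changes-All. The rule stays quiet for the domain controllers and the sync account, which is exactly the baseline a noisy legacy rule gets wrong. In a production SIEM the domain controller list comes from an asset lookup rather than a constant, and the rule is usually paired with a 4624 logon event to attribute the request to a source host.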
How MDR Saves the Day
MDR services enable 24/7 threat monitoring and provide expert support from an experienced SOC team that complements in-house specialists. This service improves visibility and detection accuracy by using intelligent automation and advanced analytics to filter out the noise and stop ransomware.
Today our client sees far fewer false positives and no longer wastes hours chasing suspected threats that turn out to be nothing. Routine triage and remediation are handled automatically. When a complex threat arises, the MDR security team investigates it and runs the incident response needed to prevent a full-scale disaster.
As a cherry on top, our client receives detailed reporting on critical threats, turning them into actionable insights that improve security. UnderDefense MDR delivers enterprise-grade ransomware protection, eliminating the need to hire and train a large in-house team.
Right MDR partner stops ransomware
Download our MDR Buyer’s Guide to compare providers and choose a reliable vendor.
Lessons Learned From “Good Enough” Security
Ransomware attacks often slip in unnoticed, even when you think your defenses are tight and well-prepared. Here are the gaps you might be overlooking in your security approach:

- More data doesn’t equal more protection. Our client received large volumes of SIEM logs and hundreds of alerts, yet the ransomware still spread across the system. Attackers can take advantage of your team’s alert fatigue.
- An in-house SOC team can still miss threats. Despite the client’s internal resources, the hackers remained undetected for over a month, gathering critical information.
- Network segmentation fails if it’s untested. Isolating network parts is a good practice, but it can fail under real-world attack conditions.
- Insecure onboarding procedures can lead to a breach. One procedure handled improperly can become an open door for a full-scale targeted ransomware incident.
The takeaway: An in-house SOC team + security tools ≠ guaranteed protection from ransomware. Without proper configurations and a proactive approach, the system will miss hidden vulnerabilities and threats.
Why a Combined Security Approach is More Effective
Relying on a single layer of security is risky for your business. A combined security approach, which blends MDR with SOCaaS and your SIEM, will ensure the necessary level of ransomware attack protection.
With managed detection and response services, you get 24/7 monitoring, advanced threat detection, and expert-level incident response from a cybersecurity team that has real experience removing ransomware and guiding companies through full recovery. Add SOCaaS, and your in-house capacity is boosted by professionals who help resolve critical threats.
At UnderDefense, we work with your existing tools to improve your cybersecurity protection. Our experts fine-tune configurations, close blind spots, and optimize your tech stack to detect real threats, without drowning you in false alerts.
To make sure your system can withstand attacks, we also provide penetration testing services. Our specialists simulate real-world attack scenarios, helping you measure your system’s readiness and fix vulnerabilities before attackers exploit them.
If you doubt your current ransomware defense, drop us a line. We’ll help you uncover hidden weaknesses and strengthen your security posture so you can face today’s cyber threats with confidence.
1. What is a SIEM?
A SIEM (Security Information and Event Management) platform centralizes log and event data from across your environment and applies correlation rules to flag suspicious activity in near real time, so your team can respond to potential threats before they escalate.
2. Can a SIEM integrate with cloud services?
Yes, most modern SIEM platforms are built to work seamlessly with hybrid and cloud-native environments.
3. How Does SIEM Work?
A SIEM collects large volumes of security data from endpoints, servers, network devices, and cloud platforms. The system then runs these events through correlation rules to surface genuine threats, groups related hits into incidents, and prioritizes them for investigation. Finally, your security team is alerted so it can take quick, targeted action to contain the threat.
4. Who Needs a SIEM?
Any organization that values visibility and fast response across its digital ecosystem will benefit from SIEM.