The Challenge
A new client was mid-onboarding when our SIEM lit up with suspicious traffic, and our EDR flagged suspicious admin activity tied to the Domain Controller (DC). This was not “new environment noise.” This was “someone has the keys to the kingdom” noise.
What Happened
During the investigation, we uncovered something worse than a one-time intrusion. Malware belonging to the DarkSide ransomware group had been installed on the DC for roughly 4 years prior to discovery. It appeared the organization had not been hit by an actual encryption event because it was so small that the attacker likely did not want to reveal access or trigger a full-scale response. In other words, they were “too small to ransom,” but not too small to compromise.
Why It Matters
If ransomware is living on your Domain Controller, your environment is essentially pre-ransomed. The DC controls identities, access, and the trust relationships across the network. Once that’s compromised, every system is one bad day away from being locked up. This case is a reminder that “we’re small” is not a security control; it’s just a tempting excuse.
Gipson Cyber’s Response:
→ Confirmed malicious behavior
→ Traced activity
→ Identified persistent ransomware
→ Contained the threat quickly
The Outcome
- Ransomware presence discovered
- Immediate containment of suspicious admin activity
- Established a clear remediation path
- Security monitoring established