

RealTime Cyber conducted a full-scope red team engagement emulating the tactics of the BlackCat (ALPHV) ransomware group, notorious for high-impact intrusions like the Change Healthcare ransomware attack. This red team exercise helped leadership evaluate their detection and response capabilities, while also serving as an important training exercise for the security and IT teams.
The Red Team’s Objectives:
- Gain admin privileges.
- Establish persistent network access.
- Access PII/PHI.
- Demonstrate capability to disrupt critical operations.
- Remain undetected until the final phase.
The RealTime Cyber team coordinated with internal security leadership to plan the simulated ransomware deployment during off-peak times in order to minimize business disruption.
Over the course of 60 days, the attack followed this stealthy flow:
- Help desk compromised via vishing and a spoofed internal software site.
- Executable payload injected into explorer.exe and maintained persistent C2 communication.
- EDR evaded via NetLimiter, which silently blocked outbound telemetry.
- Use of legitimate system administration tools to move laterally, escalate privileges, and maintain persistence while avoiding detection.
- Credentials harvested from local scripts and Windows Vault.
- Cloud access gained through exposed AWS keys, leading to admin role assumption and RDS database access.
- Actions on objectives: the exercise ended with mock exfiltration and ransomware deployment on sensitive systems.
The Results
The red team exercise gave the security and IT teams hands-on experience in incident response while also exposing key gaps in SOC monitoring and in security awareness among privileged users.