
Apparently they pretended to be an employee and the help desk reset the password for them. Once in the door, Active Directory imploded as usual; with full access they encrypted everything and demanded ransom.

Source: https://specopssoft.com/blog/marks-spencer-ransomware-active...






Reminds me of Maersk. They had poor endpoint hygiene and no EDR. In 2017 about 90% of their infrastructure was wiped in less than one minute. They had to reinstall a lot of things because backups weren't up to par. Usually level 1 merchants (> 6 million transactions per year) are put on an audit and improvement plan if this occurs. In the UK, there could be an investigation and penalty from the ICO for the data breach.

> They had to reinstall a lot of things because backups weren't up to par.

"After a frantic search that entailed calling hundreds of IT admins in data centers around the world, Maersk’s desperate administrators finally found one lone surviving domain controller in a remote office—in Ghana. At some point before NotPetya struck, a blackout had knocked the Ghanaian machine offline, and the computer remained disconnected from the network. It thus contained the singular known copy of the company’s domain controller data left untouched by the malware—all thanks to a power outage... So the Maidenhead operation arranged for a kind of relay race: One staffer from the Ghana office flew to Nigeria to meet another Maersk employee in the airport to hand off the very precious hard drive. That staffer then boarded the six-and-a-half-hour flight to Heathrow, carrying the keystone of Maersk’s entire recovery process."

https://www.wired.com/story/notpetya-cyberattack-ukraine-rus...


They were lucky.

Remote DCs were always entertaining for us. We had hundreds, and it was usually and reluctantly due to environmental conditions where they didn't want to deal with authentication issues if the network was down.

The downside was the occasional DC that disappeared. Once in Egypt, a fire caused relocation of servers and whatnot, and we actually had a guy take a photo of our DC on a donkey cart in the process of moving down the street. I thought those were made-up things, but donkey carts usually don't need a license or insurance.



