Classification: Confidential

Ransomware Incident Investigation — Halden & Rowe Freight Solutions

Forensic findings, attacker timeline, data exfiltration scope, and a prioritised remediation roadmap following a LockBit-class ransomware event at a mid-market logistics operator.

Report date

19 January 2024

Report ID

TQ-IR-2024-007

Severity

Critical · Business-halting impact

01

Introduction

On the morning of 11 January 2024, Halden & Rowe Freight Solutions (“the client”) engaged Tyroniq after dispatch operators discovered encrypted files and ransom notes across their Windows estate. Shipment scheduling, the ERP platform, and shared drives were inaccessible, halting fleet dispatch across two regional depots.

Tyroniq deployed an incident response team on-site within four hours. This report documents our forensic findings, the attacker’s likely timeline, the scope of data exposure, and a prioritised roadmap to remediate the underlying weaknesses that made the incident possible.

The root causes were not exotic. They were the ordinary gaps that opportunistic ransomware crews rely on every day: a remote-access appliance missing a critical patch, a contractor account without MFA, a flat network with no meaningful segmentation, legacy signature-based anti-virus instead of EDR, and online backups sitting on the same domain as production.

We assess with high confidence that sensitive personal and commercial data was exfiltrated before encryption. A double-extortion ransom demand of 1.85 BTC was issued with a 7-day deadline before threatened public release.

The following high-level measures are required immediately to contain residual risk and prevent recurrence. A detailed prioritised plan is provided in the Advice section.

  • Harden remote access. Patch and re-image the perimeter VPN appliance, enforce phishing-resistant MFA on every externally reachable service, and replace contractor accounts with short-lived, scoped identities proxied through a zero-trust gateway.
  • Replace legacy AV with modern EDR/XDR. Deploy a behaviour-based endpoint platform with managed detection & response coverage across workstations, servers, and domain controllers.
  • Rebuild identity tier. Reset the krbtgt account twice, rotate every privileged credential, and adopt a tiered administration model so that Tier-0 assets are never administered from day-to-day workstations.
  • Segment the network. Split servers, workstations, OT/telematics gateways, and guest Wi-Fi into isolated VLANs with explicit firewall rules; block lateral SMB and RDP between workstations by default.
  • Immutable, offline backups. Move to an air-gapped or object-lock backup target, validated through quarterly restore drills — not only backup success metrics.
  • Centralised logging & SIEM. Forward authentication, endpoint, firewall, VPN, and DNS logs to a tamper-evident SIEM with alerting on high-fidelity ransomware precursors.
  • Least-privilege & account hygiene. Remove standing domain admin rights, review service accounts, and automate off-boarding on the same day employment or contracts end.
  • Vulnerability & patch management. Track a firm SLA for critical CVEs on perimeter and internet-exposed systems (72 hours) and on the internal estate (14 days).

02

Research Overview

Tyroniq’s investigation ran from 11 January through 18 January 2024. The scope covered two domain controllers (SRV-DC01, SRV-DC02), the ERP application server (SRV-ERP01), the primary file server (SRV-FS01), the backup appliance (NAS-BKP01), the perimeter VPN gateway, and a representative sample of 12 end-user workstations across dispatch, finance, and HR functions.

We performed forensic imaging of volatile memory and disk on in-scope servers, triage collection on the endpoint sample, and reviewed 90 days of logs from the perimeter firewall, VPN gateway, Active Directory, and the internet-facing email security gateway. Where logs were missing — notably on endpoint EDR telemetry and file-share access — findings rely on on-disk artefacts, registry hives, USN journals, Windows Event logs, and NetFlow captured during response.

Reconstruction of attacker activity is based on timeline correlation across these sources. Confidence levels are stated per finding where relevant.

03

What was investigated?

  • Initial access vector. How the attacker gained the first foothold in the environment — in particular, authentication to the remote access gateway and any evidence of exploitation of public-facing services.
  • Credential hygiene and MFA coverage. Whether MFA was enforced on external services, privileged accounts, and contractor identities, and whether any credentials appeared in known infostealer or combolist dumps.
  • Lateral movement and privilege escalation. How the attacker moved from the initial foothold to domain-wide control, including use of credential-theft tooling, remote execution utilities, and built-in administration tools (living-off-the-land).
  • Backup integrity. Whether backup systems were logically or physically isolated from production, and whether restore procedures had been tested recently.
  • Data exfiltration. Volume, timing, and destinations of any outbound data transfers preceding the encryption event, and which datasets were most likely staged for exfiltration.
  • Detection and logging coverage. The completeness and retention of logs available to reconstruct the attack, and the presence of alerting on common ransomware precursors.

04

Description of found evidence of abuse

  • Initial access via unpatched VPN appliance. The perimeter gateway was running firmware vulnerable to a known pre-authentication CVE disclosed in late 2023. Gateway logs show anomalous session establishment from two unfamiliar ASN ranges on 02 January 2024, nine days before encryption. No patch had been applied despite vendor advisories.
  • Reuse of contractor credentials without MFA. The account [email protected] authenticated from the same foreign IP range. The password matched one exposed in a 2022 third-party data leak. MFA was not enforced for this account.
  • Credential theft on SRV-DC01. Forensic artefacts consistent with an LSASS memory dump (Mimikatz-class tooling) were found on the primary domain controller, together with a PowerShell history referencing DCSync-style replication requests from a non-standard host.
  • Persistence via scheduled task. A scheduled task named “WindowsUpdateCleanup” was created across six servers, executing a signed but abused system binary that side-loaded the ransomware payload from C:\ProgramData\Intel\Update\svc.dll.
  • Bulk data staging and exfiltration. Approximately 142 GB of data was copied to an RFC1918-staged archive on SRV-FS01 and then uploaded via rclone to an external S3-compatible endpoint over TLS, based on NetFlow volume and destination IP reputation.
  • Backups encrypted in place. NAS-BKP01 was domain-joined and reachable from the ransomware beachhead using a cached domain-admin token. Snapshots older than 36 hours were deleted or overwritten before encryption. No immutable or offline copy was available.
  • Flat network and no EDR. There were no VLAN boundaries between user workstations and production servers. The installed endpoint protection was a legacy signature-based AV; the ransomware payload was not detected by its on-access scanner.
  • Insufficient logging. File-share access auditing was not enabled, PowerShell transcription was disabled, and firewall/VPN logs rolled over after 14 days. This severely limits retrospective investigation beyond the retained window.

05

Content of found evidence

The staged archive H&R_export_0109.7z (recovered during imaging) and the corresponding NetFlow records indicate that the following datasets were, at minimum, read and copied by the attacker. Volume and file hashes are documented in Appendix A.

ERP application database (SRV-ERP01)

  • customer master data (company name, VAT ID, billing contact)
  • shipment manifests and tracking history
  • pricing agreements and commercial rate cards
  • invoices, credit notes, and aged-debtors ledger
  • carrier and subcontractor payment details

Finance share (\\SRV-FS01\Finance)

  • monthly management accounts (12 months)
  • bank reconciliations and IBAN lists
  • signed supplier contracts
  • ongoing M&A due-diligence working papers

HR share (\\SRV-FS01\HR)

  • full name
  • date of birth
  • national ID / social-security equivalent
  • home address
  • IBAN
  • monthly salary
  • employment contract type and start date
  • driver licence & CPC qualification scans
  • sickness and disciplinary records (selected folders)

Operations share (\\SRV-FS01\Ops)

  • fleet telematics export (vehicle IDs, routes, driver identifiers)
  • warehouse floor plans and access-card lists
  • signed customer SLAs and penalty clauses

In addition, a ransom note RESTORE-FILES.txt was dropped in every encrypted directory containing a Tor onion link, a victim-specific ID, a 1.85 BTC demand, and a threat to publish the exfiltrated data after 7 days. The onion portal listed the client’s name as “coming soon” at the time of writing, which is consistent with active leak-site staging rather than a bluff.

06

Report of possible data leak

Based on on-disk staging artefacts, NetFlow volume, and the attacker’s own leak portal, we conclude with high confidence that a personal-data breach has occurred within the meaning of GDPR Article 4(12). The incident must be assessed for notification to the relevant supervisory authority within 72 hours of awareness, in line with GDPR Article 33.

Affected data subjects include, at minimum, employees, contractors, and customer contact persons whose personal data resided on the ERP database and the HR/Finance file shares. Our preliminary estimate is approximately 8,400 individuals across current and former staff, contractors, and commercial customer contacts in the European Economic Area.

Because the attacker obtained domain-level control prior to encryption, we also consider every credential present in cached form on any in-scope host to be compromised. All passwords must be treated as known to the adversary until rotated and MFA re-enrolled.

A communications plan covering data subjects, supervisory authorities, key customers, and insurers should be executed in parallel with technical remediation. Legal and privacy counsel should validate the notification decision and its timing.

07

Conclusion

Halden & Rowe experienced a textbook double-extortion ransomware intrusion. The attacker chained an unpatched perimeter gateway, a contractor account without MFA, credential theft on a domain controller, a flat internal network, and connected backups — each of which is individually preventable with well-known controls.

The business impact is severe. Fleet dispatch was offline for 72 hours, contractual SLAs with three top-tier customers were breached, and our conservative estimate of direct cost (response, lost revenue, overtime, and contractual penalties) is between €0.9M and €1.4M, excluding potential regulatory fines, civil claims, and the commercial impact of a public leak.

The security posture that permitted this incident is not unusual for mid-market logistics operators. It is, however, demonstrably insufficient against today’s commodity ransomware crews. The measures outlined in the Advice section are scoped to be achievable within 90 days and should be treated as a minimum baseline, not an aspirational target.

08

Advice

The recommendations below are prioritised by the ratio of risk reduction to effort required. Items 1–3 should begin immediately, in parallel with ongoing recovery work.

1

Harden remote access

  • patch and, where feasible, re-image the VPN gateway to a known-good state
  • enforce phishing-resistant MFA on every externally reachable service
  • retire shared “contractor” accounts; issue scoped, short-lived identities
  • front remote access with a zero-trust proxy and device-posture checks
  • geo-fence and conditionally restrict administrative access paths

2

Deploy modern EDR / XDR

  • replace legacy AV on all endpoints, servers, and domain controllers
  • enable behaviour-based detection, tamper protection, and auto-isolation
  • subscribe to 24/7 Managed Detection & Response (MDR) coverage
  • baseline and alert on LSASS access, DCSync, and suspicious scheduled tasks
  • integrate with identity provider for automatic session revocation

3

Rebuild the identity tier

  • reset the krbtgt account twice, 12h apart
  • rotate all service, privileged, and local administrator passwords
  • adopt a Microsoft tiered administration model (Tier-0/1/2)
  • prohibit domain admin logons to user workstations; use PAWs for admin work
  • enable LAPS for local administrator password management

4

Network segmentation

  • split workstations, servers, OT/telematics, printers, and guest Wi-Fi into dedicated VLANs
  • block workstation-to-workstation SMB and RDP by default
  • restrict east-west traffic via internal firewall rules and service allow-lists
  • isolate backup and management networks from day-to-day production traffic
  • move toward microsegmentation for critical servers over 6–12 months

5

Immutable & offline backups

  • follow a 3-2-1-1-0 backup strategy with at least one immutable copy
  • use object-lock or air-gapped targets unreachable from the production domain
  • encrypt backup data at rest with keys managed outside the backup system
  • run quarterly restore drills on realistic scenarios, not only job success metrics
  • document a tested recovery-time objective per business service

6

Centralised logging & SIEM

  • forward endpoint, AD, VPN, firewall, DNS, and email-gateway logs to a SIEM
  • retain security-relevant logs for a minimum of 12 months
  • enable PowerShell transcription and Sysmon across the Windows estate
  • build alerting on high-fidelity ransomware precursors (e.g. DCSync, vssadmin delete)
  • periodically test detections with purple-team exercises
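Detection logic for the precursors named in items 2 and 6 (LSASS access, DCSync, shadow-copy deletion, and scheduled tasks launched from user-writable paths), as an added example that is not tooling from the engagement. It assumes events already normalised to JSON lines with the field names shown; the host names are the report's, the account names and image paths are constructed placeholders.

```python
import json
import re

# Extended-rights GUIDs a DCSync replication call requests (Security Event ID 4662).
DCSYNC_RIGHTS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
                 "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}   # DS-Replication-Get-Changes-All
# Images that legitimately open LSASS (Sysmon Event ID 10); tune this per estate.
LSASS_ALLOWED = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)
# Scheduled-task actions launched from user-writable directories are rarely legitimate.
WRITABLE_DIRS = re.compile(r"\\(ProgramData|Users\\[^\\]+\\AppData|Windows\\Temp)\\", re.I)


def classify(ev):
    """Map one normalised event dict to a precursor label, or None if benign."""
    eid = ev.get("EventID")
    if eid == 4662:
        # Replication by a DC's own machine account (name ends in '$') is normal AD traffic.
        if not ev.get("SubjectUserName", "").endswith("$") and DCSYNC_RIGHTS & set(ev.get("Properties", [])):
            return "dcsync"
    elif eid == 10 and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        if ev.get("SourceImage", "").rsplit("\\", 1)[-1].lower() not in LSASS_ALLOWED:
            return "lsass-access"
    elif eid in (1, 4688) and SHADOW_DELETE.search(ev.get("CommandLine", "")):
        return "shadow-copy-deletion"
    elif eid == 4698 and WRITABLE_DIRS.search(ev.get("TaskContent", "")):
        return "suspicious-scheduled-task"
    return None


def scan(jsonl):
    """Return (host, label, account) for every precursor found in JSON-lines input."""
    hits = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        label = classify(ev)
        if label:
            hits.append((ev.get("Host"), label, ev.get("SubjectUserName", "")))
    return hits


# Constructed sample events: host names are the report's, account names are placeholders.
SAMPLE_EVENTS = r'''
{"EventID": 4662, "Host": "SRV-DC01", "SubjectUserName": "SRV-DC02$", "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]}
{"EventID": 4662, "Host": "SRV-DC01", "SubjectUserName": "CONTRACTOR_ACCT", "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]}
{"EventID": 10, "Host": "SRV-DC01", "SubjectUserName": "CONTRACTOR_ACCT", "SourceImage": "C:\\Windows\\Temp\\x.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"}
{"EventID": 10, "Host": "SRV-DC01", "SubjectUserName": "SYSTEM", "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"}
{"EventID": 1, "Host": "SRV-FS01", "SubjectUserName": "CONTRACTOR_ACCT", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"EventID": 4698, "Host": "SRV-ERP01", "SubjectUserName": "CONTRACTOR_ACCT", "TaskName": "\\WindowsUpdateCleanup", "TaskContent": "<Arguments>C:\\ProgramData\\Intel\\Update\\svc.dll</Arguments>"}
'''
```

The two benign records (replication by a DC machine account, csrss.exe opening LSASS) are there to show the rules filtering routine activity; the DC-account heuristic should be tightened to the estate's actual DC list in production.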

7

Least privilege & account hygiene

  • remove standing domain admin rights; use just-in-time elevation
  • review and tier service accounts; eliminate interactive logon where possible
  • automate off-boarding: disable accounts the same day employment ends
  • run quarterly access reviews on sensitive shares and ERP roles
  • block personal accounts on corporate devices via conditional access

8

Vulnerability & patch management

  • set a 72-hour SLA for critical CVEs on internet-facing systems
  • set a 14-day SLA for critical CVEs on the internal estate
  • subscribe to vendor advisories for all edge appliances and act on them
  • run authenticated vulnerability scans at least monthly
  • track remediation against SLA in an accountable, board-visible dashboard

9

Incident response readiness

  • document an incident response playbook with named owners and escalation paths
  • run an annual tabletop exercise covering ransomware and data extortion
  • pre-contract a forensic and legal retainer; pre-approve out-of-band comms
  • validate cyber-insurance coverage and notification requirements
  • establish a crisis-communications plan for customers, regulators, and press

10

Independent assurance

  • commission an external penetration test within 90 days of remediation
  • schedule annual red-team and assumed-breach assessments
  • align controls against a recognised framework (ISO 27001 / NIST CSF 2.0)
  • brief the executive committee on residual risk each quarter
  • re-assess against this report’s findings after 6 and 12 months

End of report · This document is marked Confidential and distributed under a strict need-to-know basis. Report ID TQ-IR-2024-007 · issued 19 January 2024.