
NEC XON detects and stops ransomware attack with Cortex XDR

Johannesburg, 26 May 2026
Cyber attackers stopped in real-time. (Image: NEC XON)

Ransomware attacks rarely begin with chaos. More often, they start quietly – with probing, mapping and patient reconnaissance inside a target’s network.

That was the situation facing a global recruitment firm when cyber criminals attempted to navigate through the company’s systems. What followed became a real-world demonstration of how modern AI-driven cyber security, combined with skilled human intervention, can stop an attack before it escalates into a business crisis. At the centre of the response was NEC XON and its managed XDR service powered by Palo Alto Networks' Cortex XDR.

A high-value target for cyber criminals

“International recruitment firms are particularly attractive targets for ransomware operators,” says Armand Kruger, NEC XON head of Cyber Security. “Their systems contain highly sensitive candidate data, employment records, client agreements and workforce intelligence spanning multiple countries and jurisdictions. For attackers, disrupting those operations can create enormous pressure to pay a ransom quickly.”

Armand Kruger, head of Cyber Security at NEC XON.

In this case, the attacker had already established an initial foothold through a public-facing segment of the company’s network. “From there began what we call ‘enumeration activity’ – systematically probing internal systems, identifying routes deeper into the environment and searching for opportunities to move laterally across the network,” Kruger explains. “Had the activity gone undetected, the attacker could have escalated privileges, stolen credentials and ultimately deployed ransomware capable of crippling the organisation’s operations.”

Instead, the intrusion was identified in real time.

AI-driven detection in real-time

Continuously monitoring the customer’s environment, Cortex XDR detected unusual activity originating from the organisation’s DMZ – the public-facing boundary separating external traffic from critical internal business systems. The behaviour matched known patterns associated with attackers mapping environments ahead of a ransomware deployment. Without waiting for manual intervention, Cortex XDR automatically blocked the remote IP address responsible for the activity, effectively severing the attacker’s access before they could advance further into sensitive systems.

That rapid automated action bought valuable time for NEC XON’s security operations team to mobilise. Security specialists quickly moved to contain the broader threat, shutting down all command-and-control communications to ensure the attacker could no longer issue instructions or attempt data exfiltration. Investigators identified compromised user credentials believed to have been used as the initial access point and disabled them immediately. The team then conducted a full forensic investigation to trace the source of the intrusion and provide the client with a clear understanding of how the attack unfolded – and how it had been stopped.

Confidence beyond the crisis

For the recruitment firm, the result was more than simply avoiding operational disruption. The incident reinforced the value of having around-the-clock protection backed by both intelligent automation and experienced cyber security professionals. In an environment where attacks are becoming faster, more sophisticated and increasingly automated themselves, early detection and rapid response can mean the difference between a contained incident and a major business disaster.

The case also highlights a growing reality for organisations across every sector: cyber resilience is no longer just about preventing attacks, but about detecting and neutralising threats before they can cause lasting harm.

Don’t leave your business exposed. Click here to see how NEC XON can help.


NEC XON

NEC XON Systems is a leading African integrator of ICT solutions and part of NEC, a global Japanese firm. The company has operated in Africa since 1963 and delivers communications, energy, safety, security, and digital solutions. It co-creates social value through innovation to help overcome serious societal challenges. The organisation operates in 54 African countries and has a footprint in 16 of them. Regional headquarters are located in South, East, and West Africa. NEC XON Systems is a level 1-certified broad-based black economic empowerment (B-BBEE) business.

Learn more at https://www.nec.africa/

Editorial contacts

Michelle Oelschig
Scarlet Letter
(083) 636 1766
michelle@scarletletter.co.za