The Breach That Never Closed: A 2-Year-Old Compromise That Survived Backup Restoration
How an improper recovery left threat actor access intact, and what At-Bay found when we looked closer
Company Industry: Commercial real estate
Attack Type: Incomplete remediation → persistent access
Ransom Payment: $0 — full recovery without payment
Time to Identification: 4 days to identify initial access vector, exfiltration, and persistence
Before the Alert
This commercial real estate company had been through a security incident before. Their managed service provider (MSP) restored from backups, operations resumed, and the incident was considered closed. On paper, their environment was recovered. What the backup restoration didn’t include: a full forensic investigation into how the attacker got in, what they touched, and whether they were actually gone.
What was missing: no continuous threat monitoring, no post-incident validation that access had been fully revoked, and no visibility layer to detect whether persistence mechanisms had survived the recovery. The client didn’t know they had been published on a threat actor leak site — because no one had ever looked.
What Happened
A new security alert flagged possible exfiltration on the network. When At-Bay Response & Recovery investigated, we found something that had gone undetected: the original breach, two years earlier, had never been fully remediated. The threat actor’s access was still active.
The MSP’s recovery had restored operations, but restoring from backup is not the same as closing a breach. Key Active Directory and system resources remained encrypted on servers from the original incident, dated approximately two years prior. That encryption had prevented full domain recovery, and no one had noticed.
How At-Bay Responded
- Detection: The earlier breach was discovered while At-Bay’s recovery engineers were preparing to restore Active Directory. While reviewing existing systems, they encountered encrypted files that didn’t match the current event. Forensics investigated further and confirmed the source.
- Forensics & Investigation: Analysis identified evidence of encryption on critical servers from an event approximately two years prior. The Counter Extortion team searched leak sites and databases and confirmed the client had previously been published on a threat actor leak site — something the client was entirely unaware of, as no investigation had ever been performed after the original incident.
- Containment: The network was isolated from the internet. At-Bay worked with the existing MSP to stand up a separate, clean network for all rebuilt systems. SentinelOne was deployed and handed off to At-Bay MDR for continuous monitoring.
- Negotiation: The client chose not to engage with the threat actor. At-Bay assisted in recovering all data without making any payment.
- Recovery: All servers and workstations were rebuilt from scratch. At-Bay rebuilt Active Directory from the ground up, confirmed all systems and software were fully updated, and coordinated dedicated all-day support sessions for employees to reset credentials and validate their systems.
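The detection step above hinged on someone noticing encrypted files whose timestamps did not match the current event. The following post-restore validation scan is an added example written for this page; it is not At-Bay's tooling and not code from the incident. It walks a restored volume, flags files whose leading bytes have ciphertext-like entropy but whose extension does not explain it, and then groups those files by modification date so that a cluster predating the incident currently being worked stands out as residue of an earlier, unremediated event. The directory it scans, the entropy threshold (7.5 bits per byte), the list of expected-high-entropy formats and the assumed incident start date (4 days ago) are all constructed for the demonstration.

```python
import math
import os
import random
import tempfile
from collections import Counter
from datetime import datetime, time, timedelta, timezone
from pathlib import Path

# File types where high entropy is expected (compressed or already-encrypted formats),
# so they are not evidence of ransomware encryption on their own. Constructed list.
EXPECTED_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".rar", ".png", ".jpg", ".jpeg",
                         ".pdf", ".docx", ".xlsx", ".pptx"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; text, logs and most config files sit well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, sample_bytes=4096):
    """Walk a restored volume and flag files whose leading bytes look encrypted
    but whose extension does not explain it. Returns a list of findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        entropy = shannon_entropy(head)
        if entropy >= ENTROPY_THRESHOLD and path.suffix.lower() not in EXPECTED_HIGH_ENTROPY:
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            findings.append({"path": str(path), "entropy": round(entropy, 2), "mtime": mtime})
    return findings


def stale_clusters(findings, incident_start, min_age_days=30):
    """Group findings by modification date and keep only the days that fall well before the
    incident currently being worked: those are residue of an earlier, unremediated event."""
    cutoff = incident_start - timedelta(days=min_age_days)
    per_day = Counter(f["mtime"].date() for f in findings)
    return {day: count for day, count in per_day.items()
            if datetime.combine(day, time.min, tzinfo=timezone.utc) < cutoff}


def build_demo_tree():
    """Constructed sample volume (hypothetical, not data from the incident described)."""
    root = Path(tempfile.mkdtemp(prefix="restore-check-"))
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    now = datetime.now(tz=timezone.utc)

    (root / "notes.txt").write_bytes(b"quarterly lease review, building 4\n" * 120)
    (root / "archive.zip").write_bytes(rng.randbytes(4096))  # expected high entropy, skipped
    (root / "recent.bin").write_bytes(rng.randbytes(4096))   # suspicious, but from the current event

    leases = root / "leases"
    leases.mkdir()
    legacy = leases / "contracts.xlsx.locked"  # renamed and encrypted roughly two years ago
    legacy.write_bytes(rng.randbytes(4096))
    stamp = (now - timedelta(days=730)).timestamp()
    os.utime(legacy, (stamp, stamp))
    return root


def run_demo():
    """Scan the constructed tree; the current incident is assumed to have started 4 days ago."""
    root = build_demo_tree()
    findings = scan_tree(root)
    incident_start = datetime.now(tz=timezone.utc) - timedelta(days=4)
    stale = stale_clusters(findings, incident_start)
    return findings, stale


if __name__ == "__main__":
    found, stale = run_demo()
    for f in found:
        print(f"{f['mtime']:%Y-%m-%d}  entropy={f['entropy']}  {f['path']}")
    print("clusters predating the current incident:", stale)
```

On the constructed tree the scan reports two suspicious files, and only the two-year-old `contracts.xlsx.locked` lands in a cluster older than the incident window; that is the signal the MSP's restore-and-resume process had no step to look for. Run it against every server that was restored rather than rebuilt, and treat any pre-incident cluster as a reason to pull the forensic timeline back before the restore, not just before the alert.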
At-Bay didn’t just address the new alert; we went back to the root. The legacy breach was fully remediated for the first time, and what had persisted for two years was closed for good.
Stop Hidden Threats with MDR
Restoring from backup gets the business back online, but it isn’t the same as closing the breach. Without continuous monitoring, incomplete remediation can go undetected for years. MSPs keep systems running, but post-incident validation and persistent threat detection are a different discipline.
At-Bay Stance Managed Detection & Response (MDR) gives policyholders continuous visibility into their environment so threats that survive initial response don’t stay hidden. At-Bay’s MDR experts monitor endpoints, cloud, email, and identity around the clock, catching what backup restoration alone will miss.
*Response timelines differ. Past results do not guarantee future outcomes. This content is provided for information purposes only and is not intended to define any Policy commitment. No warranty is given or liability accepted regarding this information.
At-Bay Stance MDR is provided by At-Bay Security, LLC (“At-Bay Security”), and available to eligible businesses with or without an insurance policy placed through At-Bay Insurance Services, LLC. At-Bay Security, LLC is a wholly owned subsidiary of At-Bay, Inc., providing cybersecurity services including MDR and incident response. At-Bay Security, LLC does not provide insurance services.