Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
TLP: WHITE | LockBit | Iandriechack | 2025-01-27 (modified 2025-02-26)
9 IOCs (low volume)
The threat actors then deployed multiple proxy tools, including SystemBC and GhostSOCKS, to maintain persistence and move laterally within the environment. Over the following days they relied on a combination of PsExec, WMI, and Rclone. An initial attempt to exfiltrate data over FTP failed, but the attackers later switched to MEGA.io via Rclone and succeeded in exfiltrating gigabytes of sensitive data within a 16-hour window. On the eleventh day, LockBit ransomware was deployed to every reachable Windows host using batch scripts, scheduled tasks, and administrative tools to maximize impact. The resulting encryption was extensive enough to nearly paralyze the victim's operations.
MITRE ATT&CK & Malware Families
Malware families: LockBit
Indicators of Compromise (1 of 9 total shown)
TYPE      INDICATOR                  DESCRIPTION   CREATED
hostname  user.compdatasystems.com   -             2025-01-27