Nov. 29, 2023, 1:30 a.m. | /u/epheria_the_owl

cybersecurity www.reddit.com

Looking to share intel and experiences as I believe my organization has been a tangential target with the Ardent attacks. Here's some of the more relevant bigger things I've seen in this case:

* compromised account attacking a server
* same account runs an "install.dll" via regsvr32
* tons of automation enumeration follows, saving some results to disk
* Attacker used XenArmor to output a few files that appeared to contain passwords/hashes
* files deleted
* anomalous connections

Next day …
