Group-IB DFIR Team Contracted By Fawry Following LockBit Attack

Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, has been contracted by Fawry, one of the largest Egyptian e-payment companies, to investigate an incident after the ransomware group LockBit published, on November 8, a sample of data allegedly stolen during a breach of Fawry’s infrastructure on its dedicated leak site (DLS).

Fawry selected Group-IB, which has more than two decades of Incident Response experience, due to Group-IB’s specialization in solving highly complicated cases and the fact that Group-IB Threat Intelligence has tracked LockBit since the group’s inception. Both Group-IB and Fawry coordinated on and consented to the publication of this statement.

As of November 24, Group-IB’s Digital Forensics and Incident Response (DFIR) team can confirm Fawry’s production segment was out of scope of the LockBit ransomware attack, and that data was exfiltrated from Fawry’s testing environment during a past attack.

Group-IB’s DFIR team started its incident response engagement on November 9. Over the course of three days, the team deployed the company’s proprietary advanced monitoring solutions across 100% of Fawry’s server infrastructure. As of November 24, both segments (the production and testing environments) are clean of LockBit presence. The Fawry team has performed 100% incident eradication for observed indicators of LockBit compromise, and Group-IB experts confirmed the completion of network cleanup.

At the time of writing, Group-IB’s advanced monitoring solutions are covering 100% of Fawry’s production and testing environments, as confirmed by Fawry’s infrastructure team.