The Black Boss Attack

Ransomware was using plaintext FTP for X-Fill, but they were X-Filling files that they had already encrypted correct. They didn't pre-encrypt it and then try to get it out. So as soon as they found themselves on a file server with valuable information, it was just flat out our clone unencrypted FTP traffic.