Chapter 2, Part 2: Ransomware damage control and when to alert stakeholders
DISCLAIMER: This case study depicts a fictional cyber incident based on real-life scenarios described by expert interviewees, media reports, and other publicly available resources. While the details surrounding the characters, company, and ransomware attack are imagined, the business concerns and legal issues raised are plausible and based on actual cases.
Within 24 hours of the ransom note’s receipt, the chief information security officer (CISO), his team of IT experts, and the digital forensics examiner feel confident the breach has been contained. The attacker has been isolated, and there is no more lateral movement on the Vulnerable Electric (VE) network.
Sitting at the far end of the table across from the chief executive officer (CEO), the CISO addresses the whole team gathered in the war room. Following the incident response process, he reviews the facts, the business impact, and the root cause determination:
An attacker gained access to the network by tricking an employee into clicking a virus-laden hyperlink, which installed software on the employee’s workstation and gave the attacker a backdoor into the company’s intranet. From there, the attacker scanned the corporate intranet for machines running software with known vulnerabilities.