My fake company was hit by a ransomware attack — here’s what I learned to do, and what not to do

Ransomware is a devastating and highly disruptive form of cyberattack, with the main motivation behind a hacker launching an attack on your organization being financial gain.

Hackers are also lazy, and will take the path of least resistance whenever the opportunity presents itself, and they will keep throwing attacks until one sticks.

So what happens when a company is hit, what are the best practices, and how does it feel to have your organization brought to its knees by a ransomware attack?

Secureworks rSimulation

Earlier this month, Secureworks held a tabletop ransomware simulation at the historic King’s Cross Station Masters Office to provide first-hand insight into how an organization could and should respond to a such an attack.

Secureworks provides incident response services to businesses undergoing cyberattacks, and has extensive experience in responding to ransomware attacks.

Some of the team were on hand to provide insights into how a ransomware attack begins, progresses and concludes, and how businesses can improve their cyber resilience to best respond to an attack.

Typically, the easiest point of entry for an attacker is through a particularly vulnerable part of a business network that has an internet connection. In Q1 2024, the company found 64% of intrusions used an internet facing vulnerability to gain access, with just 13% of attacks being launched through both phishing and stolen credentials, with the latter being particularly vulnerable if no form of multi-factor authentication is in place.

It is definitely cliche to say, but the world of cybersecurity is constantly evolving, which means for many businesses, it is no longer a matter of if an attack will succeed, but when. But this doesn’t play well with a C-suite looking to save a little money here and there, because there isn’t an easy way to justify a return on investment on something that is likely doomed to fail.

But what is important to recognize is that an organization’s cybersecurity hasn’t failed if it is breached. Yes, cybersecurity is a shield to keep threats out, but it is also a contingency plan for when the shield fails. Cyber resilience is just as important as cyber defense.

This is why organizations with the determination, funding and vested interest to keep attackers out, such as banks and financial institutions, are less susceptible to ransomware attacks than organizations that rely on external funding for cybersecurity, such as hospitals and schools.

In the situation presented by Secureworks, we were put at the helm of a media organization about to be hit by some kind of outage. One second, we were relaxing at the weekend, enjoying a celebratory picnic party, and the next we were plunged into the fog-of-war of a full-blown ransomware attack.

Sunday 5pm

At 5pm, my team and I received a panicked call from a member of the IT department who was unable to access parts of the network, including business critical servers and the IT administration system, to which the passwords had been changed. From the panicked tones of the IT administrators voice, it sounds like it might be time to update my LinkedIn profile and set myself as #OpenToWork.

We didn’t know what's happening yet, but there are several key things that I should take into consideration. I needed to identify the scale of the issue, and find out exactly what systems are down or inaccessible. I needed to gather evidence of what has happened such as server logs and network monitoring logs if they are available, and I needed to check if this issue is directly related to my internal organization, or if it is the result of a third party, power outage, or even a cleaner who unplugged something important while vacuuming.

There was more to consider. The issue could be caused by a recent change to network settings, or it could all be a test organized by an external pentesting company. I wonder if we’ve changed the firewall rules recently?

The IT team finally gets back to me and tells me that they have lost access to the servers that handle the content management system, payroll, internal communications, and ordering. Without these, the business cannot function and from this point is now hemorrhaging money.

At this point, a wiser business leader than I would have a contingency plan in place that would allow the business to continue to operate, even if at a reduced pace. There should have been a backup plan for internal communications, content management and other critical systems that are now seemingly lost forever.

A few hours later, the Chief Executive gets a voicemail. It’s the attacker. They say they have left a .txt file in our systems, with instructions to open an anonymous browser to begin ransom negotiations. They threaten that if I involve any law enforcement, or refuse to pay the ransom, the data will be leaked. However, they want to work with us and help us, so they say that as soon as the ransom is paid, a decryption key will be immediately available, and they even offer to patch the backdoor they exploited so that it “never happens again” - how kind.

The pressure to cave immediately is overwhelming. How am I supposed to justify that what little cybersecurity investments I get are worthwhile when I am now faced with a ransom? Wait, they didn’t give a figure on how much it would cost. They also didn’t say the Chief Executive’s name, or the name of the business. Curious.

Alex Papadopoulos, Director of Incident Response at Secureworks, explains that the attackers work based on volume and return on investment. Up to this point, the attack has cost the cybercriminals time and money, so doing research into the specifics of the victim is not worthwhile until the ransomware has done its job. Only once we engage with the attackers in negotiations will they do their research to see how much of a ransom the organization can afford in order to maximize the return on investment.

Monday 6am

It’s been a long and sleepless night trying to figure out what happened, but it’s time to face the board of directors and explain what's happening and figure out the next steps. We know we have been hacked, and the attackers say they have exfiltrated 100GB of sensitive information from our servers and if we don’t pay the ransom they will either leak it online or sell it to the highest bidder to recoup their losses.

By this point, or even before, Matt Bennet, Senior Manager for Incident Response, recommends the organization should be in contact with the experts. Before making any rash decisions on payment it is important to consider several key factors.

Number one is requesting proof-of-life, so to speak. If the attackers provide evidence that they have what they say they have, even if it is a simple picture of the file tree, it could provide critical information on the sensitivity of the data they have stolen. If it’s just 100GB from the recycling bin, then there is nothing to worry about.

It’s also important to consider rules regarding data breach disclosures. In the UK, a data breach should be reported to the ICO within 72 hours, but in the US it varies from state to state. It may also be worth considering if compliance requirements and cybersecurity best practices were followed, as GDPR fines and lawsuits can be crippling.

You’ll likely be talking with your internal legal team anyway to prepare for the worst case scenario, and it’s worth checking to see if they have an existing relationship with law enforcement, a third party incident response team, or insurance that covers cyber incidents as this could save vital time and money.

Keeping information on a need to know basis is another vital aspect of dealing with a ransomware attack in order to reduce speculation and information leakage that could reputationally or financially damage the organization.

And finally, it might be time to begin a forensic investigation. Although unlikely, the attackers may have left some clues as to how much and what data was stolen. Bare in mind that during exfiltration the attackers will likely compress the files, obfuscating the actual amount of data.

Friday 2pm

A long and sleepless night has turned into an even longer week, and at 2pm the news is lit up with breaking stories that the company has suffered a huge cyberattack. Someone has told the press. All of the juicy details are out in the open - 100GB of sensitive data and remote access credentials are up for grabs - and we don’t have a public message prepared to address the breach.

Once again the team jumps into action stations. Our negotiations with the attackers are ongoing, did they tell the press to apply more pressure? We have proof of life that they have at least some of the data they say they have, and if leaked, the expected fallout wouldn’t be great but it also wouldn’t be terrible.

So what should the message be, and who should deliver it? If we use the wrong message in our breach disclosure we could open ourselves up to lawsuits and fines, but if we don’t say enough then the wolves could come calling at the door. How are the negotiations going, could we afford to pay? If we can’t, how can we still be the good guys? Refusing to pay ransoms removes the financial incentive from the attacker, right?

Stephen Venter, Incident Readiness Lead for EMEA, explains that managing internal and external communication at this state is key. Keep the language simple, and explain what has happened. For those who may have had their sensitive data leaked, it is important to get ahead of the problem by offering support such as identity theft protection . Make sure the public knows that you are the victim of a crime, this (hopefully) wasn’t a case of negligence or user error.

Conclusion

The most important part of a ransomware attack isn’t any of these three phases. The most important decisions are made before the attack happens. Secureworks Incident Response team recommends that building resilience as early as possible is key. Ideally your shield would keep out every attack, but responding when one gets through is just as important as keeping attacks out.

Focus on building a response team and cyber crisis plan for the inevitable, and exercise this plan regularly until it is muscle memory. Also focus on regular IT housekeeping, such as ensuring multi-factor authentication is working properly, security patches are applied to all devices, especially internet-facing vulnerabilities. Harden your active directory and ensure that users and devices are regularly sanitized when employees leave the business.

Test your backups on a frequent basis and ensure that your predicted incident response and recovery time is realistic and achievable. Get retainers with cyber experts who can help augment your defenses and provide expertise on best practices, and check your cyber insurance coverage to see if ransomware attacks are covered.

Finally, Secureworks recommends that regular tabletop exercises take place, with free resources available from both the National Cyber Security Center and the Cybersecurity & Infrastructure Security Agency .