Mitigating & Resolving a Ransomware Attack

Deployment of Cyber Threat Intelligence to reduce resolution time

Information Security award entry for the “[4721]” category


Cyjax were engaged by a leading cyber insurance underwriter to assist in the mitigation of a serious attack being levied against a medical organisation. The company was being held to ransom after a cyber-crime syndicate exploited its infrastructure and infected its medical files with ransomware. With no backups, the company was looking at a total loss of all digital information and of its operational capacity, and a serious fine under the HIPAA compliance framework. Further consequences would have included 24 months of mandatory credit profile monitoring for all affected clients and a public press release that would cause brand damage and encourage lawsuits.
A ransom payment had already been attempted, but to no avail.
The Cyjax Live Intelligence team, a team of highly skilled analysts and technical intelligence experts, used their darknet technology to quickly identify the source of the attack and the actors that needed to be engaged if there was to be any chance of a successful recovery.
Whilst this was a time critical and extremely sensitive case for all involved, it was important to secure the evidence needed should our attempts be unsuccessful in mitigating the attack or in the event of legal/compliance scrutiny.
Using one of the personas we maintain for darknet engagements, we made contact and proceeded to negotiate.
As part of our negotiations over price, we asked a series of seemingly innocuous questions aimed at generating responses that could be used as evidence should the case end up in court, and that would also help the medical organisation at the centre of the attack understand what had been breached, how, and why. Ultimately our approach was successful: not only did we negotiate the price down to half of what was originally asked, we also got the attackers to document their methods in writing, explaining what they did, how they did it, and why. This helped the medical organisation to assess the likelihood of customer data access and personal information theft, and to inform its ongoing recovery strategy by focusing resources on the facts, rather than waiting for the results of the lengthy and expensive forensic investigation that its incident responder had initiated once it became clear the systems could not be restored.
Ultimately, we secured the release of the encryption keys from the attackers, and enabled a complete restoration of all data.
The medical organisation’s legal representatives were satisfied that their client had not broken any laws or contrived to cover up a serious breach of the HIPAA compliance framework. The expensive incident response and subsequent forensic process could end, and no further losses would be incurred by the insurance underwriters or the medical organisation that was attacked.
It was later determined by the underwriter that our actions in this case saved a claim that would have resulted in a payout of $3.5m.

A saving of $3.5m: this was the insurance policy value payable should a disaster such as the one described above ever happen. Fortunately, we were able to aid a complete restoration of their services.

We use psychology in our approach to engage actors on a more personal level and have them open up and reveal far more intelligence about themselves and the look and shape of the organisations that support them.

Do not attempt to engage ransomware actors yourself. They will take advantage of anything they can.

The currencies they deal in are untraceable, and they often run with the money.

Never give them any of your files for so called ‘testing’ or ‘proof’ – you are just giving away personal or sensitive data.

If you do engage them, negotiate hard, even if it is time critical. If you do not, you are likely to be seen as an easy target and will be scammed.

The most important advice we have for you if you have been the victim of a ransomware attack is: They have not taken any of your files, they have absolutely no interest in looking inside any of your systems, and they certainly are not still present on your network after a successful attack, so keep that in mind and do not waste any time investigating to the contrary – this is not how ransomware works, and never will be. They want you to give them your money with absolutely zero risk of exposing their identities or real locations, as quickly as possible, and will say anything to achieve this.