Warning: What follows is an example of a real-life ransomware attack and the resulting incident response.
Picture this: you’re cruising through your usual workday, coffee in hand, inbox under control, when suddenly, ring! ring!, you get a call from a co-worker. They can’t access a file on the shared drive. Odd, but manageable… right?
You try to open the file yourself, only to notice something strange. The familiar icons (Word, PDF, Excel) are gone. In their place? Blank, unrecognizable symbols. You double-click, hoping it’s just a glitch or your computer is having a stroke from Chrome eating all your memory. Nothing opens.
Then you spot it: every file extension ends in “.lukitus.” That’s not normal.
Digging deeper, you find a mysterious .htm file, conveniently associated with Chrome. You open it, and what you read sends a chill down your spine…
*Picture redacted due to privacy of compromised environment.*
Step One: Don’t Panic (and Maybe Don’t Print Your Résumé Just Yet)
At this point, you might be thinking there’s only one logical move as an IT technician: print your résumé and start fresh somewhere far, far away. Kidding! (Although that would definitely give your boss a heart attack and that’s not the kind of impact we’re aiming for.)
So, what should you do?
Most people’s instinct is to dive headfirst into chaos. But before you touch a single keyboard or mouse, take a breath. The very first thing you should do is notify your team and formulate a game plan. Ideally, you’ve got an up-to-date Incident Response Plan ready to go. If so, follow it to the letter.
But let’s be honest: this is real life, and in this scenario, the only copy of that plan was stored on the shared drive… which is now encrypted. Oops.
So now, you’re starting from scratch.
Ransomware attacks come in all shapes and sizes. Over the years, I’ve seen everything from highly sophisticated exploits to attacks that look like they were put together during someone’s lunch break. That’s why the first thing I always do is verify whether the files are actually encrypted.
Believe it or not, I’ve encountered cases where the attacker simply changed all the file extensions. No encryption, no malware, just a sneaky rename job. In those cases, I “recovered” the data by restoring the original extensions. Voilà! Instant hero. Let’s go!
Then there was the time attackers used a remote access tool with the admin password set to, wait for it, passwordpassword1. No fancy malware here. They just enabled BitLocker on every machine and removed the recovery keys. Low-tech? Yes. Effective? Unfortunately, yes.
But let’s assume this time it’s the real deal. The files are encrypted, the ransom note is clear, and you’ve opened the provided link in your Onion browser. You’re now staring at a chat prompt, and the first thing you see is…
*Picture redacted due to privacy of compromised environment.*
Welcome to the Ransomware Negotiation Table
The first thing you might notice in the chat window? That iconic “Anonymous Hacker” mask staring back at you as the avatar. Yep, this is a real screen capture from my conversation. A live ransomware chat session between me and the infamous cybercriminal group known as LockBit. Buckle up.
A Few Key Observations from the Chat:
Data Theft Confirmed: We can verify how much data was stolen. Depending on the client, it might be a few gigabytes… or everything. This is a critical factor in the ultimate decision: To pay, or not to pay? That is the million-dollar (or multi-million-dollar) question.
They’ve Done This Before: By following the LockBit links in the chat, we can see they’ve hit other businesses too. It’s like a twisted portfolio of past “clients.”
Proof of Life (Sort Of): They ask you to upload a file so they can prove they have the decryption keys. Think of it as a weird trust-building exercise. The attacker is clearly trying to entice you, so you can be assured that if you pay, you get the keys.
The Price Tag: They’re asking for $2,000,000 for the decryptor. Honestly? That’s a bargain. I’ve seen demands as high as $24 million. However, the most common number is $6,000,000. Why that number? Because that’s a common cap on cyber insurance policies. In fact, I’ve even seen attackers helpfully highlight your own insurance coverage in their ransom note. Thoughtful, right?
And My Personal Favorite: If you pay, they promise to delete all the stolen data and, get this, offer recommendations on how to improve your network security. Nothing like getting cybersecurity advice from the people who just broke into your network!
Now that we’ve made contact, we know a few things:
This is a legitimate ransomware group with a history of successful attacks.
They’ve published stolen data from other victims.
We have a price.
And yes, while the FBI says “don’t pay,” the reality is more complicated. Some businesses simply don’t have the luxury of walking away, especially if their backups are encrypted too. No cold backups? No business.
So You’re Chatting with a Ransomware Gang—Now What?
Once you’re face-to-face (well, screen-to-screen) with the ransomware chat prompt, your next move is critical: upload one of your most important encrypted files and ask them to decrypt it. Most legitimate ransomware groups (yes, that’s a thing now) will decrypt one or two files to prove they actually have the keys.
Do not skip this step. There are plenty of copycat groups out there who have the ransomware tools but not the actual decryptors. If they don’t ask you to upload a test file, do it anyway. I’ve done this many times, usually with a line like, “Alright, hacker man, if you’re so good, let’s see you decrypt this.” If they can’t, well, that tells you everything you need to know.
Once you’ve confirmed they have working decryption tools, it’s time to make a plan: to pay or not to pay.
If you decide to pay, be warned, getting your hands on Bitcoin for the first time can be a bit of a headache. I highly recommend working with someone who’s been through the process before. The last thing you want is a delay that gives the attackers an excuse to stall or escalate the price.
Now, during this part of the incident response engagement, I often get asked two big questions:
Do the attackers actually delete the stolen data after payment? Honestly, I can’t say for sure. But in cases where clients have paid, we’ve historically been unable to find their data floating around on the dark web. So… maybe? IDK.
Does the decryptor actually work? Yes—and no. Some data may be corrupted, especially if it was in use during the attack. In my experience, about 75% of data is recoverable. Not perfect, but better than nothing.
Incident Response: If You Choose to Fight Back
If you’re not paying, it’s time to play defense and play it smart. First, slow-roll the conversation with the attackers. Keep them talking while you investigate how they got in.
I’ve seen too many cases where a company says, “We’ve rebuilt everything, we’re good now.” Then two weeks later: “Uhh… they deleted our backups.” Yep, second attacks happen more often than you’d think. Part of your Incident Response Plan should include a post-breach assessment to make sure the attack doesn’t happen again.
Start with an external penetration test. You need to know if there are still holes in your network. If vulnerabilities are found, patch them immediately and begin rebuilding your infrastructure with security in mind.
Bonus Tip: Shodan Says Hello
While you’re at it, go ahead and check your external IP address on Shodan.io. Think of it as the search engine for exposed devices on the internet; basically, the Google of “oops, we left that open.”
Shodan scrapes and stores historical data about your external infrastructure, which can be incredibly handy (or horrifying) during an investigation.
True story: I once ran a pen test where a tech confidently told me, “Port 3389 has never been open.” (That’s Remote Desktop Protocol, for the uninitiated.) I pulled up Shodan, showed him a month-long history of it being wide open, and hit him with a friendly “Gotcha!” It was a mic-drop moment (professional, of course).
*Picture redacted due to privacy of compromised environment.*
Next, check your firewall logs. You might be surprised—over half of the environments I’ve worked in only retain logs for 7 days (the default setting on many firewalls). If that’s you, maybe go check that right now.
Once you have the logs, look for signs of data exfiltration—IP addresses, transfer volumes, timestamps. This helps confirm whether the attackers are bluffing about stealing your data.
For example, I had a client hit with ransomware where 80GB of data was exfiltrated. Sounds bad, right? But after digging into the logs, our Incident Response team found it was just an old IT directory full of freeware and tools, nothing sensitive. In that case, we stood down and didn’t engage further with the attackers.
Verified! Data Was Stolen. Now What?
If your firewall logs confirm that sensitive data has been exfiltrated, it’s time to start feeding that information to your legal counsel and executive leadership. Yes, it’s officially above your pay grade now, but your job is far from over.
At this point, the C-suite needs to step in and make some big decisions. One of the first things they should do? Dust off those contracts—the ones with clients, employees, and vendors. Hopefully, there’s a data breach clause in there (and if not, well… add that to your post-incident to-do list). These clauses typically outline what needs to be communicated, to whom, and when. And yes, the requirements can vary wildly between customers, staff, and third parties, because why make anything simple? Welcome to contracts, ha!
Meanwhile, because multitasking is the name of the game, you should be scanning your environment for signs of the ransomware still lurking around. Use a variety of vendor tools to make sure you are not dealing with an active command and control (C2) situation. Because nothing says “bad day” like attackers still having a live connection into your network.
Once you identify the files or processes being used to maintain that C2 connection, push out updates across your environment using your remote management tools. Think of it as cutting the puppet strings before the puppet master gets creative.
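Two of the checks above, the firewall-log review for exfiltration (large outbound transfers to a single external host, plus how many days of logs you actually have) and the hunt for a live C2 connection (a host calling the same external address at a suspiciously regular interval), can be scripted against an exported log. The following is an added example written for this post, not the author’s own tooling or any vendor’s export format. It assumes a simplified, constructed CSV log (`timestamp,src_ip,dst_ip,dst_port,bytes_out`), a constructed internal range of 10.0.0.0/8, and thresholds (10 GiB for exfiltration, five connections with under 20% interval jitter for beaconing) that you would tune for your own environment. The sample log is constructed to contain one 80 GB transfer and one 60-second beacon.

```python
"""Triage helpers for firewall logs during a ransomware investigation.

Added example, not code from the original post. Assumes a constructed
CSV export with one connection per line:

    timestamp,src_ip,dst_ip,dst_port,bytes_out
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one workstation pushes ~80 GB to a single external host
# in three sessions, then a small process calls home every 60 s (beaconing).
SAMPLE_LOG = """\
timestamp,src_ip,dst_ip,dst_port,bytes_out
2024-05-01T01:00:00,10.0.5.23,203.0.113.45,443,30000000000
2024-05-01T01:25:00,10.0.5.23,203.0.113.45,443,30000000000
2024-05-01T01:50:00,10.0.5.23,203.0.113.45,443,20000000000
2024-05-01T02:00:00,10.0.5.23,198.51.100.9,8443,512
2024-05-01T02:01:00,10.0.5.23,198.51.100.9,8443,498
2024-05-01T02:02:00,10.0.5.23,198.51.100.9,8443,530
2024-05-01T02:03:00,10.0.5.23,198.51.100.9,8443,501
2024-05-01T02:04:00,10.0.5.23,198.51.100.9,8443,515
2024-05-01T02:10:00,10.0.5.40,192.0.2.77,443,2048
2024-05-01T09:15:00,10.0.5.40,192.0.2.77,443,4096
2024-05-08T09:15:00,10.0.5.41,192.0.2.78,443,1024
"""

# Constructed internal range; replace with your own address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Parse CSV log text into a list of dicts with typed fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "src": ipaddress.ip_address(row["src_ip"]),
            "dst": ipaddress.ip_address(row["dst_ip"]),
            "port": int(row["dst_port"]),
            "bytes": int(row["bytes_out"]),
        })
    return records


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def outbound_volume(records):
    """Total bytes sent from each internal host to each external host, largest first."""
    totals = defaultdict(int)
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            totals[(str(r["src"]), str(r["dst"]))] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def exfil_candidates(records, threshold_bytes=10 * 1024**3):
    """Internal->external pairs that moved more than threshold_bytes (default 10 GiB)."""
    return [(pair, total) for pair, total in outbound_volume(records)
            if total > threshold_bytes]


def beacon_candidates(records, min_connections=5, max_jitter=0.2):
    """Destinations contacted at nearly constant intervals (possible C2 beaconing).

    A (src, dst, port) triple qualifies when it has at least min_connections
    connections and the spread of the gaps between them is small relative to
    the average gap (population stdev <= max_jitter * mean).
    """
    by_pair = defaultdict(list)
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            by_pair[(str(r["src"]), str(r["dst"]), r["port"])].append(r["ts"])
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            hits.append((pair, round(avg)))
    return hits


def retention_days(records):
    """Whole days spanned by the log; a 7-day answer usually means default retention."""
    stamps = [r["ts"] for r in records]
    return (max(stamps) - min(stamps)).days


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("log covers", retention_days(recs), "days")
    for (src, dst), total in exfil_candidates(recs):
        print(f"possible exfiltration: {src} -> {dst}: {total / 1e9:.1f} GB")
    for (src, dst, port), interval in beacon_candidates(recs):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{interval}s")
```

Run it as-is to see the constructed sample flagged; for a real investigation, replace `SAMPLE_LOG` with your exported log and `INTERNAL_NETS` with your address space. The volume check answers “did they really take 80 GB, and from which host?”, the beacon check gives you a shortlist of hosts to inspect for the process holding the C2 connection, and the retention figure tells you immediately whether you are looking at the whole story or only the last week of it.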
In some cases, the damage is so extensive that our Incident Response team has had to build an entirely new domain. Yep, scorched earth style. We slowly migrate clean devices over, enforce strong passwords, enable MFA (multi-factor authentication), and make sure everything is patched and running a solid EDR (endpoint detection and response) solution. Honestly, it’s often faster (and less frustrating) than playing whack-a-mole with a persistent attacker.
TL;DR
Lessons Learned (The Hard Way)
To avoid becoming a repeat customer of ransomware operators, here are a few must-dos:
Patch. Everything. Always.
Yes, it’s tedious. Yes, it’s critical. No, you can’t skip it.
Run vulnerability scans on your external and internal networks.
Ensure your Incident Response Plan is up to date and printed on paper.
Update your firewalls.
Ensure firewalls are up to date.
Check your log retention: ideally, raise the log storage limit to 90 days.
Get a penetration test:
Get with a firm that does continuous penetration testing, or at least once a year. Technology evolves fast, and so do attackers. A regular penetration test helps you stay one step ahead (or at least not five steps behind). Godspeed.