Ransom demand to a financial company (Dec 2019)
Late Thursday night, a call was received from the CISO of a large financial services company with a market value of over a billion dollars. He stated that he’d received a ransom demand threatening to leak privileged internal corporate information unless $1 million was paid within 48 hours.
As an Incident Response Team, we packed our unique ‘jump bag’ and rushed to the company headquarters. Our Intelligence & Negotiation Team discovered that the attackers had advertised the privileged internal information “for sale” on dark web forums. To show just how serious they were, the attackers included a customer’s private account balance, a value that had been updated in the internal CRM just a day prior. The Team initiated contact with the attackers.
OP Innovate’s Incident Response Manager realized that the attackers might have a real-time foothold in the company’s systems, so the Team began to search for indicators of the attackers’ persistence. They also sought to minimize the number of exposed systems and restore normal business operations.
Eventually, the organization’s CEO announced that this incident had been a top-secret drill prepared by the company’s Board of Directors. This simulation was critical to demonstrate that the organization’s IT team could handle a serious incident with potentially far-reaching consequences for the organization’s reputation, under the pressures of a crisis situation.