Phishing/Ransom Attack Scenario, What Would You Do?

Phishing/Ransom Attack Scenario, What Would You Do?

26th March 2019

What would you do if you were a victim of a live cyber phishing attack?


What should you already be doing to protect your company from further damage and threats?

Should you pay that dreaded ransom demand?



A cyber hacker’s auto detect software has found a weakness in your company network and alerted them to take a closer look. After researching, the hacker decided on his attack method and put it into action. Phishing emails were sent out to every email address registered on the domain, most were caught by the firewall and spam filter, but a few made it through and landed in some of your employee’s inboxes. Majority of these staff members didn’t act on them and deleted, however one employee was knee deep in work that morning, his phone had been ringing off the hook and had a deadline to meet – he wasn’t concentrating and when going through his unread emails, clicked the link to reset a company login password, which opened a spoof website because they thought the email looked legitimate. It wasn’t and now a world of problems are waiting to start.

This was 6 weeks ago and nothing has happened yet, nobody is any the wiser…until now.

Tuesday 8:30am

Your day starts as normal, going through emails, drinking your coffee and ready for the challenges that lay ahead. Suddenly you get a message on your screen which tells you all company files, folders and data have been locked and there is only one way of getting them back, payment!

At this point you wonder if it’s just a hoax, or one of those adware pop ups that want you to call ‘Microsoft’, so you restart the computer and to your horror, the message is still there and won’t disappear.

You try to open files, they won’t open, you try to access the network, its locked out. Everyone in the office is experiencing the same thing and nobody knows what to do or what happened.

This is serious. Any downtime for the company is lost money and every staff member is sitting there not being able to do their jobs.

You call in your IT Manager for an urgent investigation into what has happened and how it can be rectified, it can’t, all files are encrypted. He suggests the first thing to do is take everything offline, but warns it may be too late for this and the data has already been breached.

There is a message below the ransom demand stating that if payment is made in Bitcoin to the value of £10,000 within 48 hours, all encrypted files will be unlocked and you can continue to operate again, if it isn’t, all customer data will be stolen and made public, plus the encryption will remain in place…. There is a timer on the screen and sure enough, its counting down.

 Tuesday 13:30

43 hours remaining and every possible scenario is going through your head, if I pay will they really unlock the files, or will they just leave anyway and use us as a trophy to brag about?

It suddenly occurs to you that even if the encrypted files can eventually be unlocked, you have a duty to report this to the information commissioner (ICO) under GDPR rules, this alone could potentially ruin the company.

Tuesday 10pm

Every effort made to override this catastrophe has failed, nobody can unlock the files, the company could be doomed and the only option available seems to be paying their demands and hoping for the best.

You’ve heard stories about this happening to other businesses and bankrupting them, but never in a million years expected it would happen to yours, its only large corporations that get taunted with these sorts of threats isn’t it? Sadly not.

Wednesday 2:30am

Reality kicks in, not only have you got a hefty ransom demand to consider, you also have GDPR and cyber insurance to contend with.

It suddenly strikes you… how complaint are we?? That’s what you employ people to take charge of, so surely everything is fine in that area….isn’t it???


Wednesday 8:30am

Nothing has changed, apart from the fact there are only 24 hours left.

Data compliance has to be priority now, so an urgent meeting is called with all management.

How cyber compliant are we if data gets leaked? Are we covered from an insurance point of view?

Suddenly it dawns on everyone that you aren’t! The IT manager suggested you should get Cyber Essentials certified last month, but after having been assessed whether you would pass for certification prior to officially applying, it was pointed out that a few changes needed to be made and it was put on the back burner. You were meant to get the latest threat detection software, some of the Windows updates weren’t proven to be installed within the required time of release and the remote workers are all using their own mobile devices with company email access, plus the laptops don’t have the proper safeguards and procedures put in place.

Everyone realises you can’t prove there were adequate controls in place and could be in trouble, also the cyber-insurance company might not pay out either.”

Suddenly the prospect of being covered from a data perspective is no longer a reality. The office manager has drafted a public statement but doesn’t propose releasing it until you know what is going to happen, you now feel there is no choice but to pay the ransom demand and see if the promise to unlock the files are true.

Wednesday 11am

The ransom demand is paid.


What happened after that?

This kind of attack happens every day, the world over and SME’s are now at more risk than ever. There is no guarantee on the outcome, you may have gained all access back and your data remained untouched, but you would still be £10,000 out of pocket, plus need to address the fact customer data may have breached without your knowledge.

On the other hand, you might have found the files remained locked, which would be an extra expense to try and decrypt them, still faced with the data dilemma.

Whatever the outcome, surviving a data breach after it has become public knowledge is likely to be a very long road of repair and to an SME this could mean not surviving any longer than 6 months, being forced to shut down, as the business just cannot sustain the amount of financial and media related damage it so commonly holds.

 So, what should they have done?

  1. All staff should have immediately reported any suspicious email to management and IT
  2. Identify where the ransom demand came from
  3. Been fully cyber secure and compliant, gaining Cyber Essentials certification
  4. Prepared a data breach plan and rehearsed it with staff
  5. Prepared a statement for customers demonstrating how it would help deal with any damage
  6. Plan to make sure this doesn’t happen again

For more information on training your staff to become cyber aware, or gaining Cyber Essentials certification, click here, or feel free to give us a call on 01323 287828.


Keen to learn more? Explore our other resources on Connectivity Solutions below: 

Can your business recover from Disaster?

Do you have a backup? is it sufficient? when did you last review it, or test it?

Download our free 25 point checklist to help give you peace of mind that you've got the best system in place for your business needs.