
Running head: FINAL PROJECT 1

Final Project

Mawadda S. Abuhamda

University of Advancing Technology

Author Note

Here is my final project about how I would respond to a ransomware attack that started from a phishing email.

The company I work for is called RandomCyber. We provide cyber security software to clients. We are a small company with around 50 employees. Our company is located in Mesa, Arizona. Even though we are a small company, we take cyber security very seriously. All our employees attend cyber security awareness training once a month. We change all our passwords every 90 days. We keep our devices and software updated and patched. We also use antivirus software, a network intrusion detection system, security cameras, bulletproof windows and doors, and mantraps. We use mantraps to prevent tailgating, bulletproof windows and doors to prevent a break-in, security cameras to detect unusual or malicious activity, an IDS to detect suspicious network traffic, and antivirus software to protect employees' devices from any malware that might get past their firewalls. We also use Virtual Local Area Networks (VLANs) to separate the different departments at our company, so if one department happens to get compromised the others won't be. IT, HR, marketing, sales, and helpdesk are all on separate networks, but some of them are able to communicate with each other as needed. IT is in charge of security at the organization, although almost everyone at the company is very skilled in security as well (since we're a cyber security company).

This morning, an employee from marketing notified us that all five people in that department were unable to complete their work because the files in their shared folder appeared to be encrypted. When they logged in, a Notepad document opened which said that their files had been encrypted using AES-256. It said that with the hacker's help they could recover their files, but they had to pay a ransom. The note also said that the files would be permanently deleted in two days if the hacker didn't receive a response.

We immediately activated our incident response plan. We disconnected all five affected devices from the network. We ensured that no other departments were experiencing similar issues. Then we checked the audit logs of all the infected devices to see who had last modified the files. The files, which were all part of a network share for the marketing VLAN, had all been modified at 10:00 pm last night by Steve, one of our newest employees. After we discovered this, we suspected that the attack may have started from a phishing email or a compromised website. We asked Steve if he had seen any suspicious emails or websites in the past week, and we discovered that he had clicked a link in a phishing email yesterday that said he had won a $50 Amazon gift card. He said that the link redirected to a strange-looking page with a lot of popups, so he closed out of it and didn't notify IT because he didn't want to get in trouble. We told him that he should have notified us immediately and that anything he suspects could be a cyber attack should be reported to us. We also informed him that he would have to attend extra security awareness training sessions in the next few weeks.
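The audit-log check described above, written out as an added PowerShell example; this is not code from the original paper. It assumes the marketing share is reachable at the hypothetical path `\\fileserver\marketing`, that object-access auditing (Security event ID 4663) is enabled on the file server, that the script is run there with administrator rights, and that the window of interest is 9:30 pm to 10:30 pm the previous evening (the paper only says 10:00 pm). It lists every file modified in that window with its owner, groups the files by extension so a ransomware-appended extension stands out, and then uses the Security log to show which account and process wrote to or deleted objects in the window.

```powershell
# Added example (not from the original paper): find who last modified files on a share
# during a suspicious window. Assumes object-access auditing (event 4663) is enabled on
# the file server and that the script is run there with administrator rights.
param(
    [string]$SharePath = '\\fileserver\marketing',                                  # hypothetical share path
    [datetime]$Start = (Get-Date).Date.AddDays(-1).AddHours(21).AddMinutes(30),    # 9:30 pm yesterday (assumed)
    [datetime]$End   = (Get-Date).Date.AddDays(-1).AddHours(22).AddMinutes(30)     # 10:30 pm yesterday (assumed)
)

# 1. Files touched in the window, with owner and extension. A burst of writes from one
#    account, or a new extension on every file, is the usual ransomware signature.
$touched = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End } |
    ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            Owner         = (Get-Acl -Path $_.FullName).Owner
            Extension     = $_.Extension
        }
    }

"Files modified between $Start and $End: $($touched.Count)"
$touched | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Security log: who accessed objects in the window (4663 = "An attempt was made to
#    access an object"). The event XML is read so fields are taken by name, not position.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4663; StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue

$writes = foreach ($e in $events) {
    $field = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
    # AccessMask 0x2 = WriteData/AddFile, 0x10000 = DELETE; keep only write-type access
    $mask = [int]$field['AccessMask']
    if (($mask -band 0x2) -or ($mask -band 0x10000)) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = "$($field['SubjectDomainName'])\$($field['SubjectUserName'])"
            Process = $field['ProcessName']
            Object  = $field['ObjectName']
        }
    }
}

"Write/delete accesses by account:"
$writes | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. First and last write per account brackets when the encryption run started and
#    stopped, and the process list shows what did the writing (script host, unknown binary).
$writes | Group-Object Account | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        Account   = $_.Name
        First     = $sorted[0].Time
        Last      = $sorted[-1].Time
        Processes = ($_.Group.Process | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize
```

Run the script on the file server rather than on a workstation: `LastWriteTime` and the owner field only tell you which account touched the file, while the 4663 events add the process name, which is what separates a user saving a document from a script encrypting every file in the share. If 4663 events are absent, auditing was not enabled on the share before the incident, and only the file-system timestamps are available.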

We are certain that the ransomware attack was the result of the link in the phishing email. It appears that the link in the email led to a drive-by download website that downloaded a malicious script which encrypted the network shared files on the marketing VLAN. The encrypted data didn't include any information from our clients or any employee information. It did, however, include important information about our company's new marketing campaign, which is very necessary to our success.

After checking the network to ensure that the hacker didn't still have access to any of our systems, we reset all five affected devices, which are all running Windows 10. After the devices had finished resetting, we installed Nessus on them through a USB drive and another device that was connected to the internet (since these computers were still offline). We also installed and ran our antivirus software on the devices. We ran Nessus host scans on all five computers to detect vulnerabilities in the system configuration. We found that we had some patches and updates that we needed to install. We also had a few vulnerable services enabled that weren't in use, like Bluetooth Support Service. We disabled these services once the scans were complete.
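The service clean-up described above, as an added PowerShell example for the rebuilt Windows 10 machines; it is not code from the original paper. It assumes administrator rights on the local machine. The only service name in the default list is `bthserv`, which is the service name behind the "Bluetooth Support Service" display name the paper mentions; any other services flagged by the Nessus host scan would be added to that list by the administrator. The script runs in report-only mode unless `-Disable` is passed, so the inventory can be compared with the scan findings before anything is changed, and it finishes by recording the installed-update baseline so the post-reconnect patching can be verified.

```powershell
# Added example (not from the original paper): inventory automatically started services,
# disable an explicit list of unneeded ones, and record the patch baseline.
# Report-only unless -Disable is given. Run as administrator on the rebuilt machine.
param(
    [switch]$Disable,
    # Service names (not display names) to turn off. 'bthserv' is Bluetooth Support
    # Service, the one the paper names; extend the list from the Nessus findings.
    [string[]]$Unneeded = @('bthserv')
)

# 1. Everything set to start automatically and currently running: this is the list to
#    review against the Nessus host-scan findings for services that are not in use.
$auto = Get-Service | Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -eq 'Running' } |
    Sort-Object Name
"Automatic, running services: $($auto.Count)"
$auto | Select-Object Name, DisplayName | Format-Table -AutoSize

# 2. Disable the listed services: stop them first, then set the startup type so they do
#    not come back after a reboot. Names that are not installed are reported, not errors.
$result = foreach ($name in $Unneeded) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        [pscustomobject]@{ Name = $name; Before = 'not installed'; Action = 'skipped' }
        continue
    }
    $before = "$($svc.Status)/$($svc.StartType)"
    if ($Disable) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
        $after = Get-Service -Name $name
        [pscustomobject]@{ Name = $name; Before = $before; Action = "now $($after.Status)/$($after.StartType)" }
    } else {
        [pscustomobject]@{ Name = $name; Before = $before; Action = 'would disable (rerun with -Disable)' }
    }
}
$result | Format-Table -AutoSize

# 3. Patch baseline before the machine goes back online, so the updates Nessus asked for
#    can be confirmed as installed afterwards by running this section again.
"Most recently installed updates:"
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn | Format-Table -AutoSize
```

The two-step stop-then-disable matters: `Set-Service -StartupType Disabled` alone leaves a running service running until the next reboot, which is exactly the window in which the machine is reconnected to the network.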

When we were sure that there was no sign of the malicious code on any of the devices, we reconnected them to our network. We installed the updates and patches that Nessus recommended. We then decided that if we wanted to prevent another similar attack, we needed to change our antivirus software from Windows Defender to a paid antivirus, Kaspersky, that uses both signature-based and behavior-based malware detection.

After installing Kaspersky on all five computers, we restored the encrypted files from our cloud backup. We decided to install Kaspersky on all devices throughout the company. As a further precaution, we decided to implement a network Intrusion Prevention System in place of our IDS. After some research, we decided on SolarWinds Security Event Manager, which even has some host-based IPS and IDS capabilities.

Throughout the next few days, we ensured that Steve attended security awareness training sessions and we conducted phishing simulations for everyone at the company. We also offered Steve the chance to take a CompTIA Security+ course to get Security+ certified.

If we hadn't responded the way we did, the situation could have been much worse. The ransomware could have spread to other departments, and employees' or customers' personal information may have been stolen. We would have had to notify the public about the attack, which would have damaged our reputation. Because we're a cyber security company, the effect on our reputation would have been even worse. Thankfully, we were able to remediate the situation without the public's knowledge. With the security measures we took, which included upgrading our antivirus, installing a network IPS, and training employees, we will likely be able to avoid another successful ransomware attack in the future.

