Final Project
Mawadda S. Abuhamda
Author Note
Here is my final project about how I would respond to a ransomware attack that started from a
phishing email.
FINAL PROJECT 2
The company I work for is called RandomCyber. We provide cyber security software to
clients. We are a small company with around 50 employees. Our company is located in Mesa,
Arizona. Even though we are a small company, we take cyber security very seriously. All our
employees attend cyber security awareness training once a month. We change all our passwords
every 90 days. We keep our devices and software updated and patched. We also use antivirus
software, a network intrusion detection system, security cameras, bulletproof windows and
doors, and mantraps. We use mantraps to prevent tailgating, bulletproof windows and doors to
prevent a break-in, security cameras to detect unusual or malicious activity, an IDS to detect
suspicious network traffic, and antivirus software to protect employees’ devices from any
malware that might get past their firewalls. We also use Virtual Local Area Networks (VLANs) to separate
the different departments at our company, so if one department happens to get compromised the
others won't be. IT, HR, marketing, sales, and helpdesk are all on separate networks, but some of
them are able to communicate with each other as needed. IT is in charge of security at the
organization, although almost everyone at the company is very skilled in security as well (since
This morning, an employee from marketing notified us that all five people from that
department were not able to complete their work because their files in their shared folder
appeared to be encrypted. When they logged in, a Notepad document opened which said that their
files had been encrypted using AES-256. It said that with the hacker’s help, they could recover
their files but they had to pay a ransom. The note also said that the files would be permanently
We immediately activated our incident response plan. We disconnected all five affected
devices from the network. We ensured that no other departments were experiencing similar
issues. Then we checked the audit logs of all the infected devices to see who last modified them.
The files, which were all part of a network share for the marketing VLAN, had all been modified
at 10:00 pm last night by Steve, who is one of our newest employees. After we discovered this,
we suspected that the attack may have started from a phishing email or a compromised website.
We asked Steve if he had seen any suspicious emails or websites in the past week, and we
discovered that he had clicked a link in a phishing email yesterday that said he had won a $50
Amazon gift card. He said that the link redirected to a strange-looking page with a lot of popups
so he closed out of it and didn’t notify IT because he didn’t want to get in trouble. We told him
that he should have notified us immediately and that anything that he suspects could be a cyber
attack should be reported to us. We also informed him that he would have to attend extra security
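The audit-log check described above, as an added PowerShell example that is not part of the original write-up; the share path, the server-side folder and the file server name are placeholders, and the event-log query assumes object-access auditing is enabled on the file server.

```powershell
# Added example, not part of the original write-up: triage a marketing share after
# files are found encrypted. Placeholders: \\fs01\marketing (UNC path) and
# D:\Shares\Marketing (the same folder as the file server's own Security log names it).
param(
    [string]$SharePath      = '\\fs01\marketing',
    [string]$LocalShareRoot = 'D:\Shares\Marketing',
    [datetime]$WindowStart  = (Get-Date).AddHours(-24),
    [datetime]$WindowEnd    = (Get-Date)
)
# 1. Files whose last write falls inside the window. The NTFS owner is the account that
#    created the file, so freshly written encrypted copies point at that account; files
#    rewritten in place keep their old owner, which is why the event log check in step 3 matters.
$touched = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $WindowStart -and $_.LastWriteTime -le $WindowEnd } |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            Modified  = $_.LastWriteTime
            Extension = $_.Extension.ToLower()
            Owner     = (Get-Acl -LiteralPath $_.FullName).Owner
        }
    }
# A burst of writes by one account in a narrow window is the pattern described above.
$touched | Group-Object Owner     | Sort-Object Count -Descending | Select-Object Name, Count
# Encrypted copies usually get a new suffix, so one dominant unfamiliar extension stands out.
$touched | Group-Object Extension | Sort-Object Count -Descending | Select-Object Name, Count
# 2. Ransom notes are small text/HTML files dropped into the folders that were encrypted.
$touched | Where-Object { ($_.Extension -in @('.txt', '.html', '.hta')) -and
                          ($_.Path -match 'readme|decrypt|recover|restore') } |
    Select-Object Path, Modified
# 3. Authoritative answer from the file server's Security log: event 4663 (object access).
#    Requires "Audit File System" and a SACL on the share folder; run on the server itself.
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4663; StartTime = $WindowStart; EndTime = $WindowEnd
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d['SubjectUserName']; Object = $d['ObjectName'] }
    } |
    Where-Object { $_.Object -like "$LocalShareRoot*" }
# Which account made the burst of writes, and when it started and stopped.
$events | Group-Object User | ForEach-Object {
    $t = @($_.Group | Sort-Object Time)
    [pscustomobject]@{ User = $_.Name; Writes = $_.Count; First = $t[0].Time; Last = $t[-1].Time }
} | Sort-Object Writes -Descending
```

Without file-system auditing, steps 1 and 2 still narrow the window and the likely account, but only the 4663 events show which account actually performed each write.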
We are certain that the ransomware attack was the result of the link in the phishing email.
It appears that the link in the email was a drive-by download website that downloaded a
malicious script which encrypted the network shared files on the marketing VLAN. The
encrypted information didn’t include any information from our clients or any employee
information. It did, however, include important information about our company’s new marketing
After checking the network to ensure that the hacker didn’t still have access to any of our
systems, we reset all five affected devices, which are all running Windows 10. After the devices
were finished resetting, we installed Nessus on them from a USB drive prepared on another device that was
connected to the internet (since these computers were still offline). We also installed and ran our
antivirus software on the devices. We ran Nessus host scans on all five computers to detect
vulnerabilities in the system configuration. We found that we had some patches and updates that
we needed to install. We also had a few vulnerable services enabled that weren’t in use, like
Bluetooth Support Service. We disabled these services once the scans were complete.
When we were sure that there was no sign of the malicious code on any of the devices,
we reconnected them to our network. We installed the updates and patches that Nessus
recommended. We then decided that if we wanted to prevent another similar attack, we needed to
change our antivirus software from Windows Defender to a paid antivirus, Kaspersky, that uses
After installing Kaspersky on all five computers, we restored the stolen files from our
cloud backup. We decided to install Kaspersky on all devices throughout the company. As a
our IDS. After some research, we decided on SolarWinds Security Event Manager, which even
Throughout the next few days, we ensured that Steve attended security awareness
training sessions, and we conducted phishing simulations for everyone at the company. We also offered
Steve the chance to take a CompTIA Security+ course to get Security+ certified.
If we hadn’t responded the way we did, the situation could have been much worse. The
ransomware could have spread to other departments and employees’ or customers’ personal
information may have been stolen. We would have had to notify the public about the attack
which would have damaged our reputation. Because we’re a cyber security company, the effect
on our reputation would have been worse. Thankfully, we were able to remediate the situation
without the public’s knowledge. With the security measures we took, which included upgrading
our antivirus, installing a network IPS, and training employees, we will likely be able to avoid