When an end user reports some “strange looking file names”, which, after investigating, you discover include several hundreds of Gigabytes of encrypted data, you of course know you are going to have a bad day. Your AV solution has failed you, your firewall has failed you, and your SIEM has failed you. Basically every piece of security infrastructure you have put your trust (and money) into has left you out in the cold and you thank <deity of choice> that at least the nightly backup was completed successfully. Spin up the tape drive, and soon you will be back in business, or will you…?
This talk is about failure. Not only about a failing security infrastructure, but also about failure in doing the Right Thing™ as a first responder, about the failure of Operating System tools, failing APIs, and ironically, also the failure of malware (which is unfortunately not as positive as it may sound). The scenario presented comes pretty close to the worst chain of events you can imagine, in an attempt to recover from a ransom ware incident.
Luckily – this story has a happy ending. We will reveal how one can be prepared for when both Count Olaf and Murphy come knocking on your door simultaneously.