SITUATION
A major agricultural multinational corporation suffered a ransomware attack on the network infrastructure that resulted in the encryption and exfiltration of data. In response, FTI Cybersecurity was hired to provide incident response services conducted in the form of threat actor intelligence analysis and ransomware negotiations.
OUR ROLE
Our incident response services included threat intelligence collections and analysis; dark web and open-source monitoring; and threat actor negotiation.
FTI Cybersecurity professionals collected intelligence and assessed the tactics, techniques and procedures (TTPs) demonstrated by the threat actor to inform the ransom negotiation decision-making process. This data was assessed with FTI Cybersecurity proprietary and third-party threat intelligence sources relevant to the specific ransomware variant to determine typical threat actor behavioral patterns towards data exfiltration and ransom negotiations.
Monitors were established based on key words of interest related to the client and case. These monitors were set up to alert on any relevant hits for appropriate analysis. Sources included dark web and open-source forums, marketplaces, and criminal communication channels to identify evidence of data leaking or public knowledge of the ransomware event.
FTI Cybersecurity coordinated threat actor negotiations following applicable laws and established best practices to determine if the threat actor could provide evidence of data exfiltration activity, negotiate payment terms and data decryption where necessary, and facilitate artifacts related to destruction.
OUR IMPACT
This process was used to gather, analyze, and disseminate information to ensure decision-makers had access to accurate and timely intelligence to inform their negotiations. Negotiations resulted in a 94% reduction in ransom payment.