Case study: Online Exposure Monitoring for UK Financial Service Provider

07 September 2023

By NCC Group

Situation

Following a suspected ransomware incident, the client contacted our Cyber Incident Response Team (CIRT), having access to this service through a retained support arrangement.

The incident from the outset appeared to be linked to a ransomware group that operated the ‘double extortion’ model, where data was encrypted and exfiltrated from the client environment. However, this needed to be proven.

At a Glance

Organisation: UK based Financial Service Provider

Industry: Financial Services

Situation: The organisation was subject to a ransomware incident, where sensitive data had potentially been exposed.

Challenge: Gather any intelligence as to whether data was in fact stolen and identify if it was made available for sale or in a ransomware ‘leak site’.

Solution: Our OXM service, which is used to monitor the clear, deep, and dark web for sensitive data relating to an organisation’s digital footprint, was used tactically during the Incident response case to monitor for any post-incident insights and leaked data.

Results: The rapid deployment of OXM found data that had been exposed during the incident and delivered timely intelligence to the client, meaning they were able to respond and reduce the overall impact of the incident. The use of OXM was extended beyond the initial incident for multiple years.

Challenge

A key challenge for organisations impacted by double extortion ransomware is understanding what (if any) data has been exposed during the incident. Criminal groups exfiltrate data and then use the threat of making it publicly available through a ‘leak site’ to add extra pressure on the victim.

The release of this data has potentially massive implications for the victim, and as such, our client needed a clear understanding of whether anything had been leaked, and if so, where.

Solution

Within a matter of hours, NCC Group’s Threat Intelligence Team, which works very closely with our CIRT, were able to tactically deploy our OXM service.

OXM is used to provide continuous clear, deep, and dark web monitoring on behalf of our clients. In this case, we used OXM to monitor for any mentions of the client organisation on leak sites, paste sites, and criminal forums and marketplaces. It also has much broader use cases, helping organisations by providing brand protection, identifying vulnerabilities in their internet-facing infrastructure, and identifying exposed credentials or sensitive material in code repositories and malicious file/malware corpora.

Result

OXM was able to identify data that was believed to have been exposed as a result of the incident. This provided the client with a near real-time alert which supported their already robust incident response and recovery plan, enabling them to reduce the overall impact of the incident by being best prepared and armed with timely intelligence.

The deployment of OXM in this case proved so valuable to the client that they have extended its use for multiple years.

NCC Group

NCC Group exists to make the world safer and more secure.

As global experts in cyber security and risk mitigation, NCC Group is trusted by over 14,000 customers worldwide to protect their most critical assets from the ever-changing threat landscape.
