#TheGuardian have closed their offices until January 23rd after their ransomware incident (which is still going on). HT @dannyjpalmer https://pressgazette.co.uk/publishers/guardian-ransomware-attack/
Guardian offices closed until 23 January due to ongoing fallout from suspected ransomware attack

The Guardian is continuing to be severely impacted by a suspected ransomware attack which hit the publisher’s global IT systems on 20 December. Guardian Media Group chief executive Anna Bateson sent a

Press Gazette

By the way, having dealt with both monitoring human-operated ransomware and dealing with it first-hand, my experience is that recovering, even if you pay, is around a 2-month ordeal on average.

It can stretch to 6 months or more before operations are fully restored.

You’ll frequently find IT and security people quit after recovery as the mental health toll is large - they never want to go through something like that again.

You basically go from having a day job in IT to being an IT open heart surgeon trying to save an entire company full time for months in the middle of the chaos of a war zone, where every outcome is hindered by decades of poor business investment.

Which is then covered up for the public with legal privilege and NDAs, so nobody knows how things work, ‘cos you gotta protect shareholder value most important of all.

#TheGuardian are refusing to be transparent about their #ransomware incident. One staffer describes it as “a total nightmare”.

https://www.semafor.com/article/01/03/2023/cyberattack-shutters-the-guardians-office-for-a-month

A mysterious cyberattack has shuttered the Guardian's office for a month | Semafor

The news organization won't go into detail about what attackers hit, and why.

#TheGuardian Media Group ransomware incident is still ongoing several months later - staff have relocated to a pub. https://www.telegraph.co.uk/business/2023/02/19/guardian-staff-forced-work-former-brewery-ransomware-attack/
Guardian staff forced to work out of former brewery after ransomware attack

King's Cross headquarters remains shuttered following cyber attack in December

The Telegraph
@GossiTheDog 100% correct.
Company I work for last year suffered a ransomware attack, in some fashion we are still recovering from it almost a year later, most things are up and running, but there are the little systems which everyone forgets about which crop up now and again.
All because security was never invested in... usual story.

@GossiTheDog We should really normalize hazard pay tbh.

I'm looking to run a department again so when we inevitably get hit I'm going to see about getting everyone several significant bonuses as the recovery progresses. I should probably set that expectation with the executives beforehand, thinking about it...

@GossiTheDog somewhere there is a sysadmin who is having a "bullet fscking dodged" drink, after spending years in meetings with upper management explaining to them over and over again why website hosting should not be done on the same infra as internal/office services.
@GossiTheDog the toll on people is often ignored or forgotten. I make a point of stopping and saying 'is everyone ok' in incidents
@_4_d_4_m_ @GossiTheDog sat in a presentation once given by a guy who was involved in Equifax. Said afterwards he had depression, a stroke, and literal permanent organ damage from the lack of sleep and stimulants used to get through it. He was in his 30s.
eeesh. I had three at a previous employer due to lack of emphasis on security. Recovered each within 12 hours thanks to the Dell CDP, which was discontinued. So disappointing.
@GossiTheDog you just described the first 6-12 months at my previous job.
My second day, thrown into incident response / recovery for a new client that got owned. Spent ~6 months getting them back online, I never properly completed any of my onboarding / induction requirements, so knew little about the job I was hired to do or the systems to do it.
12 months later they still had broken functionality, they are now a managed client. It was pretty clear staff had a form of PTSD, as they would get anxious every time the client submitted a ticket.
@GossiTheDog Question.. when ransomware hits, it is usually on the end-user machines, isn't it? The application servers, databases, containers would be unaffected. Is that the reason the Guardian website still seems to be functioning continuously? Or does it spread even to those systems?
Having never been involved in one, I have always thought of ransomware affecting the machines that we work on, based on what I learnt.
@jack_daniel @GossiTheDog Generally not all systems get impacted by ransomware, but the risk is that backdoors (RATs) are implanted on hosts that don't have ransomware. It then becomes a risk management issue - do you take everything offline and cease all business operations, or leave the un-ransomwared systems in prod in order to continue business ops? Do you have failovers that you can trust for critical systems? How quickly you can rebuild/restore critical systems is also part of the calculation. In most cases attackers won't deploy ransomware until they have access to the critical systems, DBs, back-ups etc.
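The point in the reply above (hosts that were never encrypted may still carry persistence, so "not encrypted" is not the same as "clean") is the kind of thing responders check with a quick hunt over process-creation telemetry. The script below is an added illustration of that triage, not code from the thread or from any poster's tooling: the host inventory, the log line format, the commands and the indicator patterns are all constructed for the example, and a real ruleset would be far larger.

```python
"""Added example: triage of a constructed host inventory against constructed
process-creation events. Hosts that the ransomware did NOT encrypt but that
show persistence or pre-detonation activity (scheduled tasks, Run keys,
service installs, shadow-copy deletion) are flagged as untrusted instead of
being left in production as "clean"."""
import re
from collections import defaultdict

# Constructed host inventory: host -> (role, encrypted_by_ransomware)
HOSTS = {
    "ws-042": ("workstation", True),
    "ws-113": ("workstation", False),
    "sql-01": ("database", False),
    "bkp-01": ("backup", False),
    "web-01": ("web", False),
}

# Constructed, hypothetical Sysmon-style process-creation lines (not real logs).
EVENTS = [
    "2022-12-18T02:11:05Z host=ws-113 user=CORP\\svc_helpdesk cmd=schtasks /create /tn Updater /tr C:\\Users\\Public\\up.exe /sc minute /mo 5",
    "2022-12-18T02:14:40Z host=sql-01 user=CORP\\svc_sql cmd=reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v sync /d C:\\ProgramData\\sync.exe",
    "2022-12-18T02:20:12Z host=bkp-01 user=CORP\\Administrator cmd=vssadmin delete shadows /all /quiet",
    "2022-12-18T03:05:00Z host=web-01 user=CORP\\deploy cmd=powershell -NoProfile -File C:\\deploy\\restart-pool.ps1",
    "2022-12-19T09:00:00Z host=ws-042 user=CORP\\jdoe cmd=C:\\Windows\\System32\\notepad.exe",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Illustrative indicator patterns; a production ruleset would be much broader.
INDICATORS = {
    "scheduled_task": re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I),
    "run_key": re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I),
    "service_install": re.compile(r"\bsc(\.exe)?\s+create\b", re.I),
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}


def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def match_indicators(cmd):
    """Names of all indicator patterns that fire on a command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def triage(hosts, events):
    """Return {host: {"role", "encrypted", "indicators", "verdict"}}.

    Encrypted hosts are rebuilt regardless. Unencrypted hosts with indicators
    are treated as compromised; the rest stay in prod only with monitoring."""
    findings = defaultdict(list)
    for line in events:
        ev = parse_event(line)
        if ev is None:
            continue
        for name in match_indicators(ev["cmd"]):
            findings[ev["host"]].append((name, ev["ts"]))
    result = {}
    for host, (role, encrypted) in hosts.items():
        inds = sorted({n for n, _ in findings.get(host, [])})
        if encrypted:
            verdict = "encrypted: rebuild"
        elif inds:
            verdict = "not encrypted but suspicious: isolate, do not trust"
        else:
            verdict = "no indicators in this data: keep in prod only with monitoring"
        result[host] = {"role": role, "encrypted": encrypted, "indicators": inds, "verdict": verdict}
    return result


def untrusted_critical(result, critical_roles=("database", "backup")):
    """Critical hosts that cannot simply be trusted as failover or restore sources."""
    return sorted(h for h, r in result.items()
                  if r["role"] in critical_roles and (r["encrypted"] or r["indicators"]))


if __name__ == "__main__":
    res = triage(HOSTS, EVENTS)
    for host, r in res.items():
        print(f"{host:8} {r['role']:12} encrypted={str(r['encrypted']):5} "
              f"indicators={r['indicators']} -> {r['verdict']}")
    print("critical hosts not to be trusted:", untrusted_critical(res))
```

The verdicts are deliberately conservative: in this constructed data the backup and database servers were never encrypted, yet both show activity that means they cannot be used as trusted failover or restore sources without being rebuilt or verified first, which is exactly the trade-off the reply describes. A host with no indicators only means nothing fired on the events you happened to collect, not that it is clean.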
@stumpyuk @GossiTheDog
Thank you for explaining this. I just figured out that mastodon notifications are not working and am just seeing this reply.
@GossiTheDog Can you cite specifics? I'd love to highlight this risk with my org.
@GossiTheDog Great points! A significant factor in Incident Management during a ransomware case should be ensuring that the IT team are not over-burdened and are properly supported by HR and management. I see orgs launching Threat Hunts and Pen Tests during the investigation phase, which generates huge volumes of queries to the IT team along the lines of "Is this activity normal/expected?" and other demands on IT resources. Getting the C-Suite out of their bunker and showing some leadership is also important in terms of getting IT teams the support they need during a ransomware incident.