Issue:
A client of CRA’s Forensic Services Practice faced a formidable set of business, legal, and operational challenges when it was contacted by the Russian-affiliated ransomware group Cl0p, which demanded a large ransom payment in exchange for a promise not to post the stolen data on the web. Cl0p claimed to have exploited a critical zero-day vulnerability in an enterprise managed file transfer solution used by our client and its business partners.
Action:
Our team was swiftly retained to launch three critical work streams:
- Systems Assessment: to determine if there was any compromise beyond the file transfer utility.
- Data Analysis: to confirm the nature and extent of the stolen data and analyze it (with guidance from counsel) to identify who needed to be notified under various applicable laws.
- “No Ransom Payment” Response: our client was opposed to making any kind of ransom payment and needed our help to recover quickly, thereby removing the need for such a payment.
Impact:
- Incident Containment: leveraging proprietary methodologies, we immediately isolated affected systems to prevent further data exfiltration or compromise.
- Forensic Investigation: our team conducted a meticulous examination of attack vectors and malware, concluding that no backdoors were left behind.
- Data Recovery: we assisted our client in recovering critical data and in confirming that its integrity had not been altered during the incident.
- Communication Strategy: working closely with our client and its external communications firm, we assisted with the development of a factually accurate, transparent communication strategy.
- Data Mining: we conducted programmatic searches and AI-assisted managed reviews to generate detailed customer notification lists.
The engagement was co-led by Kristofer Swanson and Aniket Bhardwaj, with invaluable support from Carlo Lakay, along with Bharadhwaj Subramanian, Yung Han Yoon, and Riley Burningham.