The office is encrypted. The clock is ticking. Everyone is panicking.
Everyone except Duke Dillingham.
Ransomware is malware that encrypts your files — documents, databases, spreadsheets, everything — and demands payment (usually in cryptocurrency) for the decryption key.
Modern ransomware gangs don't just encrypt — they steal your data first, then threaten to publish it if you don't pay. Encrypt AND leak. Belt AND suspenders, but for criminals.
[Infographic: compromised VPN; intrusion to encryption; ransom demand; hit again]
Compromised VPN/RDP Credentials
Stolen or weak passwords to remote access systems. Bought on the dark web, brute-forced, or harvested from previous breaches. They log in like an employee. Because they have an employee's password.
Phishing Emails
Malicious attachments, macro-enabled Word docs, links to credential harvesting pages. The classic. "Please review the attached invoice." The invoice is not an invoice.
Exploited Vulnerabilities
Unpatched software, zero-day exploits, exposed services. That update you've been snoozing for three weeks? That's the one.
Supply Chain Attacks
Compromised software updates, trusted vendor access, managed service provider breaches. They don't hack you — they hack someone you trust.
Initial Access
The attacker gets a foothold. A phishing email gets clicked. Stolen VPN credentials get used. An unpatched server gets exploited. One way or another, they're in.
Persistence & Reconnaissance
They install backdoors, create scheduled tasks, and start mapping your network. They use "living off the land" tools — legitimate admin tools like PowerShell and WMI — so they don't trigger antivirus. Clever. Annoyingly clever.
Lateral Movement
They spread through the network. Privilege escalation. Domain admin credentials. Jumping from workstation to server to domain controller. They're building a map of everything valuable.
Data Exfiltration
Before they encrypt anything, they steal your data. Customer records, financial data, intellectual property. This is the "double extortion" setup. Insurance policy for the bad guys — even if you have backups, they can still threaten to leak.
Encryption & Ransom Note
The locks go on. Every file gets encrypted. The ransom note appears. The phone starts ringing. This is the part everyone sees. But it's the last thing that happens, not the first.
The lobby is chaos. Karen from Accounting is hyperventilating. Dave from IT is running — actually running — down the hallway. Three people are crying. One person is trying to unplug a printer for some reason.
YOUR FILES HAVE BEEN ENCRYPTED
All your files have been encrypted with military-grade AES-256 encryption.
To decrypt your files, you must pay 15 BTC to the following address:
If payment is not received before the timer expires,
the price will double. After 7 days, your data will be published.
DO NOT attempt to decrypt files yourself. DO NOT contact law enforcement.
Dude takes a long sip of coffee. Looks at the screen. Looks at Karen. Looks back at the screen.
The hoodie comes off. The badge glows. Dude Diligence has activated.
Unplug your ethernet cable. Turn off Wi-Fi. Do NOT power off the computer. Isolating the machine stops the ransomware from spreading to other systems on the network.
Karen unplugs the cable. Her hands are shaking but she does it. Dude gives her a gentle nod.
Call your IT security team by phone. Do not use email — it may be compromised. Use your cell phone, a landline, or walk to their office in person.
Walk around. Use your voice. Tell nearby coworkers to unplug their network cables. If their screen looks odd — weird file extensions, error messages, ransom notes — they need to disconnect immediately.
Take photos with your phone. Every ransom note. Every error message. Every weird file name. Write down the exact time you noticed the problem. This is evidence now — treat it like a crime scene.
IT and security take point from here. Follow their instructions exactly. Do not run your own antivirus scan. Do not try to decrypt files yourself. Do not negotiate with the attackers. Do not "just check one thing real quick."
Use a Password Manager
Every account gets a unique, complex password. Generated by the password manager, not by your brain. Your brain is good at many things. Generating random 24-character strings is not one of them.
"'123456' isn't a password, it's an invitation. You might as well leave a key under the mat and a sign that says 'PLEASE ROB ME.'"
MFA on Everything
Multi-factor authentication on VPN, email, cloud services, admin accounts — everything. A stolen password with MFA enabled is just a stolen password. Without MFA, it's a stolen kingdom.
"MFA on everything. Especially VPN. ESPECIALLY email. I cannot stress this enough. I have stressed this in four all-hands meetings, two memos, and one haiku. Enable MFA."
Never Enable Macros
If a document asks you to "Enable Content" or "Enable Macros," that's malware asking you to let it run. Legitimate documents don't need macros to display their content.
"Don't enable macros. Ever. I don't care what the document says. I don't care if it says 'URGENT: ENABLE MACROS TO VIEW YOUR BONUS.' Especially then, actually."
Patch Your Software
Install updates promptly. That "Update and Restart" button you've been ignoring for two weeks is closing security vulnerabilities that attackers are actively exploiting.
"Patch your software. Yes, the updates are annoying. You know what's more annoying? Ransomware. You know what's more annoying than ransomware? Explaining to the CEO that ransomware got in through a vulnerability that was patched three months ago."
Back Up Your Data (Offline, Tested)
Maintain offline backups that are disconnected from the network. And test them. Regularly. A backup you haven't tested is a box of mystery — it might contain your data, it might contain nothing.
"Back up your data. Offline. Tested. If you haven't tested your backups, you don't have backups. You have hopes and dreams in a storage format."
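The "tested" part of that advice, as an added example that is not part of the comic: a small POSIX shell test-restore that unpacks a backup archive into a scratch directory and re-checks every file's hash against a manifest recorded at backup time. It assumes tar and GNU sha256sum are available; the sample files, archive and manifest paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the comic: a "test restore" that proves a backup is
# actually restorable and intact. Assumes POSIX sh, tar and sha256sum (GNU
# coreutils); all paths and file contents below are constructed sample data.
set -eu

# make_backup SRC_DIR ARCHIVE MANIFEST
# Archives SRC_DIR and records the sha256 of every file at backup time.
# Keep the manifest somewhere other than the backup media itself.
make_backup() {
    src=$1; archive=$2; manifest=$3
    ( cd "$src" && find . -type f -exec sha256sum {} + ) > "$manifest"
    tar -cf "$archive" -C "$src" .
}

# verify_backup ARCHIVE MANIFEST
# Restores the archive into a scratch directory and re-checks every hash.
# Succeeds only if every recorded file comes back byte-for-byte identical;
# a missing, truncated or altered file makes it fail.
verify_backup() {
    archive=$1; manifest=$2
    scratch=$(mktemp -d)
    if tar -xf "$archive" -C "$scratch" 2>/dev/null \
       && ( cd "$scratch" && sha256sum -c "$manifest" >/dev/null 2>&1 ); then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# Demo: back up a small constructed tree, verify it, then show that a backup
# job which silently wrote an empty archive is caught by the same test.
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/src/finance"
    printf 'Q3 ledger (sample)\n' > "$base/src/finance/ledger.csv"
    printf 'customer list (sample)\n' > "$base/src/customers.txt"
    make_backup "$base/src" "$base/backup.tar" "$base/backup.sha256"
    verify_backup "$base/backup.tar" "$base/backup.sha256" \
        && echo "backup OK: restorable and intact"
    : > "$base/backup.tar"   # simulate a backup job that produced an empty archive
    verify_backup "$base/backup.tar" "$base/backup.sha256" \
        || echo "backup FAILED: hopes and dreams, not a backup"
    rm -rf "$base"
}

demo
```

Run it on a schedule against real archives and alert when verify_backup returns non-zero; a backup that has never passed this check is the "box of mystery" the text warns about.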
Trust Your Gut on Attachments
If an email or attachment feels wrong — unexpected sender, weird subject line, urgent language, strange file type — trust that feeling. Report it to IT. Better a false alarm than a real incident.
"If an attachment feels weird, it IS weird. Trust your gut. Call IT. We would rather get 50 false alarm calls than miss the one real one. Seriously. Call us. We like talking to people. Well, most of us."
You arrive at your desk and your screen shows a ransom note. Red background. "YOUR FILES HAVE BEEN ENCRYPTED." A countdown timer is ticking. What do you do?
You notice your coworker's computer is acting strange — files are renaming themselves with weird extensions, and programs are crashing. They haven't noticed yet because they're in the break room. What do you do?
You receive an email with a Word document attached. When you open it, a yellow bar at the top says "PROTECTED VIEW — Enable Content to edit this document." The email says it's an urgent invoice from a vendor. What do you do?
During an active ransomware incident, IT tells you to keep your encrypted computer powered on and not to restart it. Your instinct says to turn it off to stop the damage. What do you do?
What is the most common entry point for ransomware attacks?
What should you do FIRST when you see a ransom note on your screen?
Why should you NOT restart a computer during a ransomware incident?
What is "double extortion" in a ransomware attack?
Why are macros in Office documents dangerous?
How does multi-factor authentication (MFA) help prevent ransomware?
How do you verify that your backups actually work?
During a ransomware incident, who should you contact first and how?
Dude puts his hoodie back on. Badge stops glowing. He picks up his coffee. Walks out of the frame.
Dude Diligence will return in Issue #4.