A deep dive into a ransomware attack - the Gloucester City Council

In 2021 the Gloucester City Council (GCC) in the UK suffered a devastating ransomware attack, with the recovery taking over 18 months. Because this is a public body, there’s some great data on the attack available, including the incident report from NCC as well as the reprimand the ICO issued, and even the internal report from the council themselves. Some details have been redacted, but there are some good insights in there about ransomware operations.

In this video, I cover what happened, and what we as defenders can learn from it.

LinkedIn articles: / beyond-headlines-unpacking-2021-gloucester... and / gcc-ransomware-modest-update-steve-townsle...

GCC report: https://www.local.gov.uk/case-studies...

Incident response report: https://democracy.gloucester.gov.uk/d...

ICO reprimand: https://democracy.gloucester.gov.uk/d...

EDR explained: EDR explained - my FAVOURITE technica...

Phishing explained: Phishing explained - a major initial ...

Attack surface reduction rules: https://learn.microsoft.com/en-us/def...

Credential guard: https://learn.microsoft.com/en-us/win...

Applocker: https://learn.microsoft.com/en-us/win...

00:00 Introduction
00:54 What happened?
01:35 Initial access
02:50 Privilege escalation
03:14 Lateral movement
03:27 Persistence
03:52 Data exfiltration
05:07 The cost of recovery
05:20 Lessons for defenders
09:55 Outro

#cybersecurity #informationsecurity #ransomware
