Root Cause Analysis - Ransomware Incident

Problem: Ransomware encrypted critical file servers

Why 1: Why were file servers encrypted?

  • Because ransomware was executed with administrative privileges

Why 2: Why did ransomware have admin privileges?

  • Because it was run using a domain admin account

Why 3: Why was a domain admin account compromised?

  • Because the admin used the same password for email and for the domain admin account, so once the email credential was exposed the attacker held domain admin as well

Why 4: Why was password reuse possible?

  • Because we lacked technical controls enforcing unique passwords

Why 5: Why weren't password controls implemented?

  • Because the password policy enforced composition rules (length and character classes) but nothing that detects a password already in use on another system or already present in a breach corpus

Root Cause: Inadequate password policy and lack of technical controls. Note that complexity rules cannot detect cross-system reuse at all; the controls that would have caught this case are a breached-password check at password-set time, separate non-mail-enabled accounts for domain admin work, and MFA on privileged logon.
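As an added illustration of the "technical control enforcing unique passwords" that Why 4 says was missing (this is example code written for this page, not anything the organisation in the analysis ran), the following password-set hook rejects a candidate password on three grounds: too short, present in a breached-password corpus (checked with the k-anonymity layout the Pwned Passwords range API uses, five hex characters of SHA-1 as the lookup key), or already set by the same user on another in-scope system (detected by re-deriving a salted PBKDF2 digest, so no plaintext is retained). The breach corpus, the user name `jdoe` and the system names `email` and `domain` are all constructed for the example.

```python
"""Password-set control: reject passwords that are short, known-breached, or
reused across in-scope systems. Constructed example; not the page's own code."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_LENGTH = 14            # length, not composition rules, is the primary strength control
PBKDF2_ITERATIONS = 50_000

# Constructed stand-in for a breached-password corpus. A real deployment would
# query a service such as the Pwned Passwords range API (send the first 5 hex
# chars of SHA-1, receive the matching suffixes); here the index is built
# locally so the example runs offline.
CONSTRUCTED_BREACH_CORPUS = ["Summer2023!", "Password1", "Welcome123", "P@ssw0rd"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: list[str]) -> dict[str, set[str]]:
    """Group breached-password SHA-1 hashes by 5-char prefix (k-anonymity layout)."""
    index: dict[str, set[str]] = {}
    for pw in breached:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def is_breached(password: str, range_index: dict[str, set[str]] = RANGE_INDEX) -> bool:
    """Client side of the k-anonymity check: only the 5-char prefix would leave the host."""
    h = sha1_hex(password)
    return h[5:] in range_index.get(h[:5], set())


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class CredentialRecord:
    system: str        # hypothetical system name, e.g. "email" or "domain"
    salt: bytes
    digest: bytes


@dataclass
class PasswordHistory:
    """Per-user salted digests of passwords set on each in-scope system.
    Plaintext is never stored; reuse is detected by re-deriving with the stored salt."""
    records: dict[str, list[CredentialRecord]] = field(default_factory=dict)

    def record(self, username: str, system: str, password: str) -> None:
        salt = os.urandom(16)
        self.records.setdefault(username, []).append(
            CredentialRecord(system, salt, pbkdf2(password, salt)))

    def reused_on(self, username: str, password: str) -> list[str]:
        """Names of systems on which this user already set exactly this password."""
        return [r.system for r in self.records.get(username, [])
                if hmac.compare_digest(pbkdf2(password, r.salt), r.digest)]


def evaluate_password(username: str, password: str, history: PasswordHistory,
                      range_index: dict[str, set[str]] = RANGE_INDEX) -> list[str]:
    """Return the reasons to reject the candidate; an empty list means accept."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if is_breached(password, range_index):
        problems.append("appears in breach corpus")
    for system in history.reused_on(username, password):
        problems.append(f"reused from {system}")
    return problems


if __name__ == "__main__":
    history = PasswordHistory()
    history.record("jdoe", "email", "Summer2023!")   # the admin's mail password (constructed)
    for candidate in ["Summer2023!", "correct horse battery staple"]:
        verdict = evaluate_password("jdoe", candidate, history) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The cross-system reuse check only works where the organisation can hook password changes on every system in scope; for a third-party mail provider that hook does not exist, which is why the breach-corpus check and a separate, non-mail-enabled account for domain admin work carry most of the weight in practice.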


**Fishbone Diagram Analysis**:
                 Ransomware Incident
                        |
People ----------------+---------------- Technology
|                      |                      |
- No security training |              - No EDR deployed
- Password reuse       |              - Outdated antivirus
- Admin credential use |              - No email filtering
                       |
Process ---------------+---------------- Environment
|                      |                      |
- No privilege review  |              - Remote work increase
- Weak access controls |              - BYOD policies
- No incident drills   |              - Shadow IT growth