Case 1: The "No Pay" Stand
Victim: Consumer Council (Hong Kong SME/NGO equivalent)
- Day 0: Hackers breached the server and stole data of 8,000 people.
- Day 1: "LockBit" gang demanded US$500,000 (HK$3.9M) ransom.
- Day 2: The Council Chief held a press conference and publicly refused to pay.
Double Extortion: The attackers didn't just lock the files; they stole them first. They threatened to release sensitive data if the money wasn't paid.
Unpatched Remote Access: A vulnerability in a remote access account allowed the hackers to enter. The system was not patched quickly enough.
Zero Negotiation: The Council refused to pay. Paying funds criminal activity and guarantees nothing. Instead, they notified the police and the public immediately (Transparency).
Case 2: The "Total Wipeout"
Victim: CloudNordic (Danish Cloud Hosting Firm)
- Day 0: IT team started migrating servers from one data center to another.
- 02:00 AM: During migration, they connected infected servers to the internal network.
- 04:00 AM: Ransomware spread to the Admin Systems AND the Backup Systems instantly.
Lateral Movement: The ransomware used the company's own internal network administrator tools to copy itself to every connected drive, including the backups.
Network Segmentation Failure: The backup servers were on the same network as the live servers. There was no "Air Gap" (physical separation).
Offline Backups: They should have had "Offline Backups" (tape drives or immutable cloud storage) that were not connected to the main network.
Case 3: The "Tech Support" Panic
Victim: 51-year-old Woman (Hong Kong Resident)
- Event A: Victim browsing web; screen freezes with loud alarm.
- Event B: Message says "Infected! Call Support." Victim calls the number.
- Event C: Scammers instruct her to install remote control app.
- Result: HK$1.2 Million transferred out of her bank account.
Social Engineering (Fear): The hackers did not hack the computer technically; they hacked the human mind using loud noises and fear of legal consequences.
Compliance: The victim obeyed the instructions on the screen and installed "TeamViewer/AnyDesk" for the scammers.
Hang Up & Pull Plug: Never call numbers on pop-ups. Disconnect the internet immediately to break the connection.
Case 4: The Fake "Microsoft" Alert
Victim: General Public / Office Workers
- Trigger: User clicks a wrong ad or visits a compromised website.
- Lock: Browser goes "Full Screen." Mouse cursor disappears or gets stuck.
- Audio: A robotic voice loops: "Do not restart your computer. Windows is locked. Call Microsoft..."
"Browser Locker" (Malvertising): This is NOT a virus. It is just a web page running a script that prevents you from closing the tab easily.
Believing the Browser is the OS: Users think the entire computer is broken. They force a shutdown of the PC (which is okay) or call the number (which is fatal).
Task Manager Kill: Press Ctrl + Alt + Delete. Open Task Manager. Select the Web Browser (Chrome/Edge). Click "End Task." The "virus" disappears instantly.
Case 5: The "Infected Backup"
Victim: Wood Ranch Medical (Small Clinic)
- Day 0: Ransomware infects the clinic's reception computer via email.
- Response: Staff realizes files are locked. They decide to restore from backup.
- The Error: They plug the backup drive into the infected computer.
- Result: Ransomware encrypts the backup drive immediately.
Automated Encryption: Modern ransomware constantly scans for new drives (USB, Network Shares). As soon as a new drive is detected, it encrypts it.
Restoring to a "Dirty" Environment: The staff tried to solve the problem using the infected machine. They did not verify the environment was clean first.
The "Phase 3" Protocol: Take the backup drive to a SEPARATE, CLEAN computer. Scan it there. Wipe the infected clinic computer before plugging the backup drive in.
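The "Scan it there" step of the Phase 3 protocol, and the offline-backup lesson from Case 2, both come down to one question: does the backup drive still contain what was written to it? The following is an added example (not from the original page or any of the organisations it describes): a manifest of SHA-256 hashes recorded when the backup was taken is compared against the drive's contents on a separate clean machine, and files that were renamed, rewritten with ciphertext-like bytes, or accompanied by a ransom note are flagged before anything is restored. The indicator lists and sample drive contents are constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Constructed indicators for this example, not an authoritative list.
SUSPECT_EXTENSIONS = (".locked", ".encrypted", ".crypt")
RANSOM_NOTES = ("how_to_decrypt.txt", "readme_to_restore.txt")

def build_manifest(snapshot):
    """Hash every file when the backup is taken, on a known-clean host."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in snapshot.items()}

def shannon_entropy(data):
    """Bits per byte; ~8.0 is indistinguishable from random (ciphertext)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def verify_backup(snapshot, manifest, entropy_threshold=7.0):
    """Return (path, reason) findings; an empty list means the drive matches."""
    findings = []
    for path, data in snapshot.items():
        name = path.rsplit("/", 1)[-1].lower()
        if name in RANSOM_NOTES:
            findings.append((path, "ransom note present"))
        elif path not in manifest:
            reason = "unexpected file"
            if name.endswith(SUSPECT_EXTENSIONS):
                reason += " with ransomware-style extension"
            findings.append((path, reason))
        elif hashlib.sha256(data).hexdigest() != manifest[path]:
            reason = "hash mismatch"
            if shannon_entropy(data) > entropy_threshold:
                reason += " and content looks encrypted"
            findings.append((path, reason))
    findings += [(p, "missing from backup") for p in manifest if p not in snapshot]
    return findings

# Constructed sample: the clinic drive as backed up, then after the Case 5 mistake
# (records renamed and overwritten with ciphertext-like bytes, ransom note dropped).
CLEAN_SNAPSHOT = {
    "patients/records.csv": b"id,name,visit\n1,Example Patient,2024-01-03\n" * 20,
    "billing/invoices.txt": b"INV-001 paid\nINV-002 open\n" * 20,
}
MANIFEST = build_manifest(CLEAN_SNAPSHOT)
CIPHERTEXT_LIKE = bytes(range(256)) * 4  # every byte value equally often: 8.0 bits/byte
DIRTY_SNAPSHOT = {
    "patients/records.csv.locked": CIPHERTEXT_LIKE,
    "billing/invoices.txt": CIPHERTEXT_LIKE,
    "HOW_TO_DECRYPT.txt": b"Your files are encrypted. Pay to get them back.",
}
```

Running `verify_backup(DIRTY_SNAPSHOT, MANIFEST)` reports the renamed file, the rewritten file whose content now has near-maximal entropy, the ransom note, and the missing original; a clean drive returns an empty list and can be restored.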