FEMA Case Study Library


Pierce County, WA: Using Community Lifelines to Increase Community Engagement

Pierce County’s All Hazard Mitigation Plan (HMP) covers over 900,000 residents across 76 jurisdictions. A key part of the planning process is to seek input from all individuals and groups, since those who do not take part in updating the plan are less likely to understand or use it. With 76 jurisdictions and many partners, it was hard to engage everyone in the planning process. Also, once the HMP was updated, every jurisdiction had to adopt it. The jurisdictions had different timelines, and the county has many hazards. It needed a planning process for all members of the area that would help address each hazard risk.

Bring Out the Sheep

Wildfire fuel reduction using goat and sheep grazing can be funded by FEMA.

Oyster Lake Outfall Improvement

When a coastal dune lake reaches a high water level, flow breaks through the dune system forming a channel between the lake and the Gulf. Oyster Lake’s outfall is critical for regulating water levels and mitigating flooding.

Mitigation Minute: Native Village of Newtok

FEMA awards $6.7 million for Native Village of Newtok, Alaska, relocation efforts.

Delaware State Park Tornado Shelter

FEMA-funded Ohio safe room provides shelter during two recent tornadoes.

Mitigation Minute: Native Village of Ouzinkie

BRIC Direct Technical Assistance helps Alaskan tribe develop hazard mitigation plan, enables new tsunami shelter project.

Building Code Lessons From the 1994 Northridge Earthquake

At 4:30 a.m. on January 17, 1994, the M6.7 Northridge earthquake struck in the San Fernando Valley, roughly 20 miles northwest of downtown Los Angeles. Although the shaking lasted only 10 to 20 seconds, the ground motions included a reading of 1.82g, the highest ever recorded in an urban area in North America, and the MMI was IX (violent). The earthquake resulted in around 60 fatalities, and damage estimates were as high as $50 billion.

The Role of Florida’s Building Codes in 2018 Hurricane Michael

The State of Florida first adopted a statewide minimum building code in 1974. However, that code allowed local governments to adopt one of four different codes that they could amend and enforce as they saw fit. When Hurricane Andrew struck south Florida in 1992, it broke all records for insured losses and became Florida’s worst insurance crisis in history. It quickly became obvious that Florida’s building code system was not adequate and that improvements were needed for the entire state.

How Building Codes Have Changed the Lives of U.S. Virgin Island Residents

In 1995, within two weeks, the U.S. Virgin Islands (USVI) were hit by Hurricane Luis and Hurricane Marilyn. Hurricane Luis caused $300 million worth of damage, while Hurricane Marilyn caused even more of an impact. Marilyn was responsible for eight deaths and the loss or damage of 21,000 homes, including 75% of the residences on St. Thomas. As a result, USVI damage estimates from Hurricane Marilyn were $2.1 billion.

Harnessing Knowledge for Impact: Hurricane Ian MAT Report

In the aftermath of Hurricane Ian’s devastating impact on Florida in 2022, the need for information on resilience and mitigation against future disasters became abundantly clear.

AIChE The Global Home of Chemical Engineers

Last updated May 21, 2024


The following case studies can be used with RAST and are based on actual incidents.



EHS Daily Advisor

Practical EHS Tips, News & Advice. Updated Daily.

Injuries and Illness

The Case of the Wobbly Ladder: An Accident Investigation Case Study

Updated: Mar 15, 2016

It is often helpful to see an example of an accident investigation in order to better understand how the process works. Here is a simple accident investigation case study.

This is the accident scenario:

  • An employee is working on a ladder and the ladder seems to collapse. The employee falls off the ladder and breaks an arm.

The investigation reveals the following details:

  • Employee had worked seven 12-hour shifts in a row.
  • Accident happened at end of shift.
  • Employee was standing on the top step of the ladder (an unsafe action).
  • The employee was approximately 10 feet above floor level.
  • No fall arrest or restraint system was used.
  • A ladder inspection policy is in place, but there is no evidence that the ladder has ever been inspected.
  • Investigation reveals the ladder was damaged and did not provide a stable working platform in any environment.
  • Interview with facility manager reveals that he did not inspect the ladder when it was due for inspection. He was aware that ladder needed to be inspected.

Factors and Possible Causes Affecting Incident

  • Extended work hours may have caused employee to be tired and not clear-headed.
  • Employee violated safety rule (standing on top step).
  • No fall arrest system in place (required at 6 feet above floor level).
  • Ladder was defective and unusable.
  • Ladder had not been inspected.
  • Facility manager was aware that ladder needed to be inspected but did not adhere to the existing policies and procedures for ladder inspections.

What is the Root Cause?

Which factor, if not present, could have prevented the accident?

If the facility manager had inspected the ladder and discovered the defect, the ladder would not have been used, and this accident would have been prevented. Failure to follow established ladder inspection procedures is the root cause.

What about the Other Factors?

  • Extended work hours might contribute, but there is no statistical evidence available that indicates extended work hours increase the risk of accidents.
  • The safety rule violation could be a contributory cause in this accident, but not the root cause. However, if the ladder had been used properly, it is possible that the incident might have been prevented.
  • The existence of a fall arrest system may have prevented or reduced injury. This could be a contributory cause.
  • The fact that the ladder was defective is certainly a contributory cause. But if the facility manager had followed procedures and removed the ladder from service, the accident would have been prevented.

The root cause of this accident could even be tracked deeper than just finding the facility manager’s failure to inspect the ladder. With more in-depth analysis, it might be found that the real cause was a failure in the system itself. Perhaps the safety system in place had no means of ensuring the facility manager actually carried out these inspections.

It is for reasons like this that accident investigations are best conducted by a team. A team can ensure that as many possibilities as necessary are explored until all causes are discovered. It is easy to place blame on individuals when, in actuality, the problem may be with your management systems.


Accident case studies

It is important that we all learn from accidents and the misfortune of those involved - so that other workers and their families can avoid the loss of a loved one and the pain and financial costs of an accident.

The case studies in this section are all real incidents with real and sometimes fatal consequences for the people involved. The case studies concentrate on some of the key themes which are being targeted by HSE, including:

  • Overhead power lines
  • Electrical maintenance
  • Excavations
  • Ignition of flammable atmospheres

The case studies in this section indicate when fines and costs have been awarded where there was a prosecution. The real cost of the accidents is much higher than this; the pain and suffering, the time off work, damaged equipment, replacement staff costs, lost produce, increased insurance premiums and offenders' own legal costs far exceed this figure. Taking precautions to avoid it happening to you makes moral, legal, and financial sense.

Case Studies

Texas Tech University Chemistry Lab Explosion

In 2010, an explosion severely injured a graduate student at Texas Tech University in Lubbock, Texas. The incident occurred in the chemistry department during the handling of a high-energy metal compound, which suddenly detonated. The Chemical Safety Board (CSB) released a study that involves an up-close, in-depth, and detailed examination of this accident.

Read Case Study

Guidelines for Writing an Effective Case Study

Case studies are an effective publication method used to document the facts and analysis of a specific observation or incident. The content and format of a case study can vary depending on several factors, including the purpose of the case study, the degree of analysis available at the time of the report, the derived lessons learned, and any recommendations. This commentary outlines the guidelines for writing an effective case study.

View Guidelines

How to Improve Lab Safety: Lessons Learned

Tales of Lab Safety: How to Avoid Rookie Accidents

There is a learning curve with everything, but mistakes made in the lab can ruin your research and cause dangerous accidents. A lab fire at the University of California, Los Angeles, in 2008 led to the death of researcher Sheharbano (Sheri) Sangji, shocking the chemistry and laboratory safety communities. This ACS Webinar details the incident and its cultural and legal aftermath, along with other recent notable chemistry lab incidents and their common themes.

Key Lessons for Preventing Incidents from Flammable Chemicals in Educational Demonstrations

Three accidents involving methanol which injured children during lab demonstrations are examined by the CSB. All the incidents involved demonstrations of flames – usually with a color additive – using methanol as the flammable liquid. In all three cases there was a flash back to the methanol bulk containers, and fire engulfed members of the viewing audience who were not protected by any physical barriers.

Lessons Learned to Improve the Safety Program in Your Lab

Cases from U.S. Universities: Lessons Learned to Improve Safety in your Lab. Compiled by the UC Center for Laboratory Safety.


FRSecure


Cyber Security Incident Response Case Study

Cyber Security Incident Response

The unfortunate truth with cyber security incident response is that sometimes the attackers come out ahead. This was the case with a recent incident we responded to, during which it felt like everything that could go wrong did.

The past can be a powerful teacher, and we invite you to use this case study to find out what went wrong and how you can learn from these mistakes to improve your own security. We will walk you through the timeline of events, what went wrong, and how the impact could have been lessened.

At 2:30 in the morning on a Sunday, the client’s managed service provider (MSP) received alerts and quickly realized that something was wrong. The SQL servers began alarming on resource utilization, network connectivity was slow, and disks on the SAN were buzzing at alarming rates.

After a brief investigation, they discovered an active ransomware attack was taking place. In an instinctual reaction, the MSP began shutting everything down. Systems and networking hardware were taken offline in an attempt to disrupt the attack.


But it was too late. The damage had already been done.

The MSP frantically accessed the client’s backup server to develop a plan of recovery, only to realize the backups were destroyed before the ransom event began. It was the same case for any volume shadow copies or any other form of backup. The attackers found the client’s backups, methodically gained access and destroyed them before the ransom event began.

If a network path to your backups exists, attackers will find it and use it to gain access. The only way to prevent this is to air gap your backups. Backing up to tape, offline disk, or an air-gapped network would have been a saving grace here, but it was too late. As they say, hindsight is 20/20.

All critical servers were encrypted, and all backups were destroyed. What could they do?

Seeing no other option, the client engaged a firm to assist in ransom negotiation to try to get their data back. The client quickly learned that their ransom demand was $750,000, and their cyber insurance deductible was $500,000.

At the time, the business was hard down, meaning all operations had stopped. Each day without production equated to over $100,000 in losses.

It felt like things couldn’t get any worse. And then they did.

Things Got Complicated

While the client was working diligently to negotiate with the attackers, a few things came to light.

First, the ransom deployment was botched. This variant was meant to encrypt an entire system with one decryption key to be used for all files. However, the attacker had mistakenly generated a unique encryption key for each file on the system. Even if the client negotiated to get the keys, the effort to restore the millions of files would take weeks rather than days.

Next, as negotiators attempted to reach a lower price, the attackers responded by raising the ransom demand. Then, they would disappear for days. The attacker was well aware that this business was not operational. These negotiation techniques were intentionally forceful to ensure the next time they engaged, our victim would come ready and prepared to pay.

After nearly one week of downtime and continued negotiations, our client had finally reached an agreement with the attackers and was prepared to pay the ransom.

Then, we hit another snag. During our investigation, we learned that the ransomware adversary was on the OFAC sanction list of known terrorist organizations. The government stepped in and prohibited the client from paying the ransom.

Back to square one: no data, no backups, and no possibility of getting the decryption keys.

At this point, our customer determined that a full rebuild of the network and restoring any records from hard copies was their only path to recovery. That hurts, but it was the reality, and the client saw it as an opportunity to harden their environment while they recovered.

Yet another snag. Insurance informed the client that their coverage would only support restoring the infrastructure to the previous state. Any improvements would not be covered.

Lessons Learned

The repercussions of this attack – financial impact and reputation degradation – were likely preventable. During our investigation, we determined the root cause of the incident was an insecure VPN portal with single-factor authentication.

In this very unfortunate series of events, one thing is apparent. All of this could have been prevented with a solid cyber security incident response program and some proactive testing on the network.

A good cyber security incident response partner would have reviewed the backup posture and helped them design a better program. A good security partner would have discovered the single-factor VPN portal and worked with the client to secure the network access. But again, hindsight is 20/20.


Moral of the story? Air gap your backups. Once ransomed, don’t trust that you can get your data back, even if you choose to negotiate. Develop your cyber security incident response plan before an incident, and test your plan. Be proactive by partnering with a vendor that will help you identify and close the gaps before an attack happens. And finally, make sure your insurance plan makes sense to your business model, including the deductible.


Author:  Oscar Minks

President of FRSecure, Oscar Minks, is a seasoned security and ethical hacking expert with over two decades of technical experience. To Oscar, our focus on fixing a broken industry is key. Leading by example and demonstrating the importance of doing things correctly, not just conveniently, remains a major focus in his position among FRSecure's leadership today. Oscar is a frequent speaker at security events and conventions, the author of FRSecure's Annual State of InfoSec Report, and a leading voice in the security world.


Cisco Talos Blog

Case Study: Incident Response is a relationship-driven business

Proof that incident response is "the ultimate team sport".

By Brad Garnett.

Introduction

As a seasoned incident responder, and now IR business leader here at Cisco Talos Incident Response (CTIR), I have always said that incident response is the ultimate team sport. People are building blocks for organizations — and an effective incident response is about people, relationships and leveraging those relationships into the incident response workflow (processes and security instrumentation). This all plays a part in effectively containing and eradicating a determined adversary from the organization’s network environment.

To highlight this, I want to share a recent CTIR engagement that shows how we can work together with an organization’s IR and IT teams to quickly contain and remediate a threat. In this case, we dealt with an adversary that could critically affect a business by deploying ransomware and virtually completely shutting down their network. One of my favorite parts about my role with CTIR is the customer relationships I get to build around the world by leveraging our awesome Cisco Secure collaboration technology to work from anywhere and at home during the pandemic. I hear first-hand about the challenges and successes our customers have facing today’s most challenging threats.

This customer case study I am going to highlight is a publicly traded company with more than $8 billion in revenue. This incident was even more complicated because the company was going through a merger and acquisition when the customer CISO received a phone call from my organization. This customer had an existing IR retainer with us and has a strong relationship with my organization — to the extent that we are viewed as an extended team. We notified this customer after we identified suspicious Cobalt Strike activity and TTPs consistent with pre-ransomware activity via SecureX telemetry.

“Our Cisco Talos partners recognize the critical role relationships play in cybersecurity and Incident Response. The Talos Team has invested significant time and effort in us to fully understand our people and environment before an incident occurred. Together, we built familiarity and trust between our teams that can only be obtained through constant engagement and drills. When we were faced with a significant security incident, that trust and familiarity were the key differentiators that enabled us to successfully contain the threat and minimize damages,” said the customer CISO.

Initial notification

During the initial notification, we supplied our customer with the specific hostname and indicators we contacted them about. Below is the initial Cobalt Strike beacon that we identified in global telemetry:

cmd.exe executed powershell -nop -w hidden -encodedcommand <redacted_base64_string> 

Followed by the following for command and control (C2):

cmd.exe executed powershell -nop -w hidden -encodedcommand <redacted_base64_string>
powershell.exe Connected to 95[.]174[.]65[.]241[:]4444

Note: Please visit the Talos Reputation Center for accurate threat information.

Detection and analysis

This blog post will only highlight endpoint analysis, but the same approach was included in our analysis plan for the two compromised domain controllers.

Based upon our global SecureX telemetry and the customer’s Cisco Secure Endpoint deployment, we identified patient zero and focused our forensic analysis efforts on three key systems as part of our analysis plan:

  • Endpoint (Patient Zero): Windows 10 Enterprise 1909
  • Domain Controller 1 (DC1): Windows Server 2016 Standard
  • Domain Controller 2 (DC2): Windows Server 2012 R2 Standard


Patient zero (Windows 10 endpoint)

ATT&CK Technique with Sub-Technique (T1204.002) User Execution: Malicious File

Forensic analysis of the patient zero endpoint found that the file Document_1223672987_11142020.zip was downloaded to \Users\%Compromised_User%\Downloads. The RecentDocs registry entry shows that the user opened the ZIP archive shortly after the file was downloaded. Analysis of the Excel document contained within Document_1223672987_11142020.zip showed a malicious macro that was set to execute once the document was opened. This macro attempted to download a payload from “http[:]//redacted[.]com/bpebqznfbkgl/55555555555.jpg”. This payload was then stored on the system in the “C:\IntelCompany” folder and executed using the rundll32 executable. The analysis also shows that the payload delivered by this document is the Qakbot banking trojan. The user was not warned of the macro’s existence before it was executed because this host was configured to trust all macros and all Excel documents from the internet.


ATT&CK Technique with Sub-Technique (T1059.001) Command and Scripting Interpreter: PowerShell

We observed multiple executions of Cobalt Strike beacon-encoded PowerShell payloads from the ‘Compromised_User’ user during the analysis of the Windows PowerShell event log.


Analysis of the encoded payloads revealed that the Cobalt Strike command and control traffic was configured to use the following user agents:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36
Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40

The PowerShell event log also showed that at 2020-11-20T16:58:22Z, the following PowerShell command was executed to enumerate the domain controllers on the domain:

powershell [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers | Select -property Name,IPAddress,OSVersion 
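The launcher, C2 and domain-controller enumeration records quoted above, worked into a detection script added here (it is not Talos code or tooling): it scans constructed process records, decodes the UTF-16LE base64 that -EncodedCommand carries, and tags the user agents and C2 the post lists. The record format, function names and sample lines are assumptions.

```python
"""Triage of PowerShell process records for the launcher pattern in the post (added example)."""
from __future__ import annotations
import base64
import binascii
import re
from dataclasses import dataclass, field

# Indicators quoted in the Talos post (the C2 appears defanged there).
KNOWN_USER_AGENTS = (
    "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36",
)
KNOWN_C2 = ("95.174.65.241:4444",)
# The domain-controller enumeration call seen in the PowerShell event log.
DISCOVERY_MARKER = "[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()"
# Launcher shape from patient zero: powershell -nop -w hidden -encodedcommand <b64>.
# -e, -ec and -enc are accepted abbreviations of -EncodedCommand; -ep is not matched.
LAUNCHER_RE = re.compile(
    r"powershell(?:\.exe)?(?P<flags>(?:\s+-\S+(?:\s+hidden)?)*?)"
    r"\s+-e(?:c|n[a-z]*)?\s+(?P<b64>[A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int
    flags: list[str]
    decoded: str | None
    indicators: list[str] = field(default_factory=list)
    severity: str = "low"


def refang(text: str) -> str:
    """Undo the [.] and [:] defanging used in reports so indicators compare directly."""
    return text.replace("[.]", ".").replace("[:]", ":")


def decode_encoded_command(b64: str) -> str | None:
    """-EncodedCommand carries base64 of UTF-16LE text; anything else is suspect."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_line(line_no: int, line: str) -> Finding | None:
    """Return a Finding for launcher, discovery or C2 records, else None."""
    m = LAUNCHER_RE.search(line)
    plain = refang(line)
    indicators = [f"c2:{c2}" for c2 in KNOWN_C2 if c2 in plain]
    if DISCOVERY_MARKER in plain:
        indicators.append("discovery:domain-controllers")
    if m is None and not indicators:
        return None
    flags = [f.lower() for f in m.group("flags").split()] if m else []
    decoded = decode_encoded_command(m.group("b64")) if m else None
    if m and decoded is None:
        indicators.append("payload:not-utf16le-base64")
    if decoded:
        body = refang(decoded)
        indicators += [f"user-agent:{ua.split()[0]}" for ua in KNOWN_USER_AGENTS if ua in body]
        indicators += [f"c2:{c2}" for c2 in KNOWN_C2 if c2 in body and f"c2:{c2}" not in indicators]
        if DISCOVERY_MARKER in body and "discovery:domain-controllers" not in indicators:
            indicators.append("discovery:domain-controllers")
    # Stealth flags alone are worth a look; a listed C2 or user agent is a match.
    stealth = bool({"-nop", "hidden"} & set(flags))
    if any(i.startswith(("c2:", "user-agent:")) for i in indicators):
        severity = "high"
    elif stealth or indicators:
        severity = "medium"
    else:
        severity = "low"
    return Finding(line_no, flags, decoded, indicators, severity)


def scan(lines: list[str]) -> list[Finding]:
    """Run analyze_line over numbered records and keep the hits."""
    return [f for f in (analyze_line(n, rec) for n, rec in enumerate(lines, 1)) if f]


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects it (sample construction only)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records in the "<parent> executed <command line>" style of the post.
SAMPLE_LOG = [
    "svchost.exe executed powershell -EncodedCommand "
    + encode_ps("Get-Service | Where-Object Status -eq 'Stopped'"),  # benign, no stealth flags
    "cmd.exe executed powershell -nop -w hidden -encodedcommand "
    + encode_ps("$ua = 'Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40'; Write-Output $ua"),
    "powershell.exe Connected to 95[.]174[.]65[.]241[:]4444",  # the defanged C2 record
    "explorer.exe executed notepad.exe C:\\Users\\Public\\notes.txt",  # unrelated
    "cmd.exe executed powershell -nop -w hidden -enc "
    + base64.b64encode(b"not utf-16 text").decode("ascii"),  # hidden window, undecodable payload
    "cmd.exe executed powershell " + DISCOVERY_MARKER
    + ".DomainControllers | Select -property Name,IPAddress,OSVersion",
]
```

Running `scan(SAMPLE_LOG)` yields one finding per matching record with its flags, the decoded script (or None) and the indicators that fired, so the benign encoded command ranks low while the beacon launcher and the C2 record rank high.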

ATT&CK Technique with Sub-Technique (T1087.002) Account Discovery: Domain Account

ATT&CK Technique (T1018) Remote System Discovery

During analysis of the Master File Table ($MFT), we concluded that at 2020-11-20T17:55:29Z “20201120104627_BloodHound.zip”, an archive containing the open-source tool BloodHound used for enumerating Windows domains, was downloaded to the “\Users\Public” folder. At 2020-11-20T18:22:00Z, the file “20201120132133_users.json” was created in “\Users\%Compromised_User%\Downloads”. Although the contents of the file were not included in the evidence collected, our assumption based upon supporting evidence is that this file is an output file from the execution of BloodHound containing information about the users within the domain. Similarly, at 2020-11-20T20:40:00Z the file “20201120132133_computers.json” was created in the “\Users\%Compromised_User%\Downloads” folder. We concluded with high confidence that this file contained BloodHound output with information about the hosts within the domain.

Containment, eradication and recovery

The collaborative, joint incident response between the customer’s IR team and CTIR led to a quick containment and full eradication of an active adversary in the enterprise IT environment that had the capability to deploy ransomware. During these phases of the incident response, there were various actions performed, including but not limited to, re-imaging the patient zero endpoint, password resets, and the deployment of additional GPOs to restrict document macros, PowerShell and SMB/Admin Shares. In every incident response, there are lessons learned. This is how organizations continue to evolve defense and detection capabilities, threat models, and incident response plans and playbooks. If your organization is interested in any of these services, please reach out to CTIR for more information.

Post-incident activity

During our post-incident briefing with this customer and its executive leadership, we commended the customer and their entire organization for their swift response and collaboration with CTIR to successfully contain and eradicate a determined adversary that likely would’ve caused millions of dollars in lost revenue and recovery expenses. I am humbled to share this joint success story, as a lot of IR organizations are summoned once ransomware has been deployed and the entire organization has been affected, which is something that we observe globally and across industry verticals in our quarterly IR trends.

I am grateful for the mutual, high-trust relationship between this customer and my organization. Incident response is a relationship-driven business. CTIR retainers are critical for organizations to augment their IR capabilities. A tested incident response plan that accurately reflects your organization’s current capabilities is critical, as evidenced in the two Case Studies we released today. Organizational and third-party relationships are tested during a crisis. It’s important that there is an elevated level of trust between IR team and client, and that there is an established and agreed-upon process when time is of the essence to prevent an enterprise-wide ransomware attack when adversary pre-ransomware activity is identified. CISOs and executives should review and refine third-party relationships on a routine basis. Have your third-party IR relationships been tried and tested — and are those relationships resilient?

If you want to learn more about CTIR, check out our website here and visit us at this year’s virtual RSA Conference this week.


Microsoft Incident Response ransomware case study


Human-operated ransomware continues to maintain its position as one of the most impactful cyberattack trends world-wide and is a significant threat that many organizations have faced in recent years. These attacks take advantage of network misconfigurations and thrive on an organization's weak interior security. Although these attacks pose a clear and present danger to organizations and their IT infrastructure and data, they are a preventable disaster.

The Microsoft Incident Response team (formerly DART/CRSP) responds to security compromises to help customers become cyber-resilient. Microsoft Incident Response provides onsite reactive incident response and remote proactive investigations. Microsoft Incident Response leverages Microsoft's strategic partnerships with security organizations around the world and internal Microsoft product groups to provide the most complete and thorough investigation possible.

This article describes how Microsoft Incident Response investigated a recent ransomware incident with details on the attack tactics and detection mechanisms.

See Part 1 and Part 2 of Microsoft Incident Response's guide to combatting human-operated ransomware for more information.

Microsoft Incident Response leverages incident response tools and tactics to identify threat actor behaviors for human-operated ransomware. Public information regarding ransomware events focuses on the end impact, but rarely highlights the details of the operation and how threat actors were able to escalate their access undetected to discover, monetize, and extort.

Here are some common techniques that attackers use for ransomware attacks, based on MITRE ATT&CK tactics.

Common techniques that attackers use for ransomware attacks.

Microsoft Incident Response used Microsoft Defender for Endpoint to track the attacker through the environment, create a story depicting the incident, and then eradicate the threat and remediate. Once deployed, Defender for Endpoint began detecting successful logons from a brute force attack. Upon discovering this, Microsoft Incident Response reviewed the security data and found several vulnerable Internet-facing devices using the Remote Desktop Protocol (RDP).

After initial access was gained, the threat actor used the Mimikatz credential harvesting tool to dump password hashes, scanned for credentials stored in plaintext, created backdoors with Sticky Keys manipulation, and moved laterally throughout the network using remote desktop sessions.

For this case study, here is the highlighted path that the attacker took.

The path the ransomware attacker took for this case study.

The following sections describe additional details based on the MITRE ATT&CK tactics and include examples of how the threat actor activities were detected with the Microsoft Defender portal.

Initial access

Ransomware campaigns use well-known vulnerabilities for their initial entry, typically phishing emails or weaknesses in perimeter defense such as devices with the Remote Desktop service enabled and exposed to the Internet.

For this incident, Microsoft Incident Response managed to locate a device that had TCP port 3389 for RDP exposed to the Internet. This allowed threat actors to perform a brute-force authentication attack and gain the initial foothold.

Defender for Endpoint used threat intelligence to determine that there were numerous sign-ins from known brute-force sources and displayed them in the Microsoft Defender portal. Here's an example.

An example of known brute-force sign-ins in the Microsoft Defender portal.
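An added example, not from Microsoft or the original article: a sliding-window check over constructed Windows Security logon events (4625 failed, 4624 succeeded) that flags an RDP logon succeeding only after a burst of failures from the same source address, the pattern Defender for Endpoint surfaced here. The event schema, the sample records, and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10      # RemoteInteractive
NETWORK_LOGON_TYPE = 3   # with Network Level Authentication, RDP failures often land here


@dataclass(frozen=True)
class LogonEvent:
    """Constructed, simplified view of a Windows Security logon event (assumed schema)."""
    time: datetime
    event_id: int     # 4625 = failed logon, 4624 = successful logon
    logon_type: int
    source_ip: str
    account: str


def find_brute_force_successes(events, window=timedelta(minutes=10),
                               threshold=20, logon_types=(RDP_LOGON_TYPE,)):
    """Return one hit per successful logon preceded, within `window`, by at
    least `threshold` failed logons from the same source address.

    Each hit is (source_ip, account, time, failures_in_window, accounts_tried).
    Failures are kept per source in a sliding window, so the scan is linear.
    Pass logon_types=(RDP_LOGON_TYPE, NETWORK_LOGON_TYPE) on NLA-enabled hosts.
    """
    recent = defaultdict(deque)  # source_ip -> deque of (time, account) failures
    hits = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.logon_type not in logon_types:
            continue
        q = recent[ev.source_ip]
        while q and ev.time - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        if ev.event_id == 4625:
            q.append((ev.time, ev.account))
        elif ev.event_id == 4624 and len(q) >= threshold:
            tried = {acct for _, acct in q}       # distinct names: spray vs single-account
            hits.append((ev.source_ip, ev.account, ev.time, len(q), len(tried)))
    return hits


def constructed_events():
    """Constructed sample: one spray-then-success burst plus benign noise."""
    t0 = datetime(2024, 1, 1, 3, 0, 0)
    events = []
    # 30 failures in five minutes from one Internet address, cycling through
    # three account names, then a successful RDP logon as administrator.
    for i in range(30):
        events.append(LogonEvent(t0 + timedelta(seconds=10 * i), 4625, RDP_LOGON_TYPE,
                                 "203.0.113.45", ["administrator", "admin", "backup"][i % 3]))
    events.append(LogonEvent(t0 + timedelta(minutes=5), 4624, RDP_LOGON_TYPE,
                             "203.0.113.45", "administrator"))
    # A user mistyping a password three times from the LAN: stays below threshold.
    for i in range(3):
        events.append(LogonEvent(t0 + timedelta(minutes=1, seconds=i), 4625, RDP_LOGON_TYPE,
                                 "10.0.0.5", "jdoe"))
    events.append(LogonEvent(t0 + timedelta(minutes=1, seconds=30), 4624, RDP_LOGON_TYPE,
                             "10.0.0.5", "jdoe"))
    # An older burst from the attacker address, entirely outside the window.
    for i in range(25):
        events.append(LogonEvent(t0 - timedelta(hours=2) + timedelta(seconds=i), 4625,
                                 RDP_LOGON_TYPE, "203.0.113.45", "administrator"))
    return events


if __name__ == "__main__":
    for src, acct, when, fails, tried in find_brute_force_successes(constructed_events()):
        print(f"{when:%Y-%m-%d %H:%M:%S} {src} -> {acct}: {fails} failures "
              f"against {tried} account(s) in the preceding window")
```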

Reconnaissance

Once the initial access was successful, environment enumeration and device discovery began. These activities allowed the threat actors to identify information about the organization's internal network and target critical systems such as domain controllers, backup servers, databases, and cloud resources. After the enumeration and device discovery, the threat actors performed similar activities to identify vulnerable user accounts, groups, permissions, and software.

The threat actor leveraged Advanced IP Scanner, an IP address scanning tool, to enumerate the IP addresses used in the environment and perform subsequent port scanning. By scanning for open ports, the threat actor discovered devices that were accessible from the initially compromised device.

This activity was detected in Defender for Endpoint and used as an indicator of compromise (IoC) for further investigation. Here's an example.

An example of port scanning in the Microsoft Defender portal.

Credential theft

After gaining initial access, the threat actors performed credential harvesting using the Mimikatz password retrieval tool and by searching for files containing “password” on initially compromised systems. These actions enabled the threat actors to access additional systems with legitimate credentials. In many situations, threat actors use these accounts to create additional accounts to maintain persistence after the initial compromised accounts are identified and remediated.

Here's an example of the detected use of Mimikatz in the Microsoft Defender portal.

An example of Mimikatz detection in the Microsoft Defender portal.

Lateral movement

Movement across endpoints can vary between organizations, but threat actors commonly use the remote management software that already exists on the device. By utilizing the methods of remote access that the IT department uses in its day-to-day activities, threat actors can fly under the radar for extended periods of time.

Using Microsoft Defender for Identity, Microsoft Incident Response was able to map out the path that the threat actor took between devices, displaying the accounts that were used and accessed. Here's an example.

The path that the threat actor took between devices in Microsoft Defender for Identity.

Defense evasion

Throughout the attack cycle, the threat actors used defense evasion techniques to avoid identification and achieve their objectives. These techniques include disabling or tampering with anti-virus products, uninstalling or disabling security products or features, modifying firewall rules, and using obfuscation techniques to hide the artifacts of an intrusion from security products and services.

The threat actor for this incident used PowerShell to disable real-time protection for Microsoft Defender on Windows 11 and Windows 10 devices and local networking tools to open TCP port 3389 and allow RDP connections. These changes decreased the chances of detection in an environment because they modified system services that detect and alert on malicious activity.

Defender for Endpoint, however, cannot be disabled from the local device and was able to detect this activity. Here's an example.

An example of detecting the use of PowerShell to disable real-time protection for Microsoft Defender.

Persistence

Persistence techniques include actions by threat actors to maintain consistent access to systems after efforts are made by security staff to regain control of compromised systems.

The threat actors for this incident used the Sticky Keys hack because it allows for remote execution of a binary inside the Windows operating system without authentication. They then used this capability to launch a Command Prompt and perform further attacks.

Here's an example of the detection of the Sticky Keys hack in the Microsoft Defender portal.

An example of detecting the Sticky Keys hack in the Microsoft Defender portal.

Threat actors typically encrypt files using applications or features that already exist within the environment. The use of PsExec, Group Policy, and Microsoft Endpoint Configuration Management are methods of deployment that allow an actor to quickly reach endpoints and systems without disrupting normal operations.

The threat actor for this incident leveraged PsExec to remotely launch an interactive PowerShell script from various remote shares. This attack method randomizes distribution points and makes remediation more difficult during the final phase of the ransomware attack.

Ransomware execution

Ransomware execution is one of the primary methods that a threat actor uses to monetize their attack. Regardless of the execution methodology, distinct ransomware frameworks tend to have a common behavioral pattern once deployed:

  • Obfuscate threat actor actions
  • Establish persistence
  • Disable Windows error recovery and automatic repair
  • Stop a list of services
  • Terminate a list of processes
  • Delete shadow copies and backups
  • Encrypt files, potentially specifying custom exclusions
  • Create a ransomware note

Here's an example of a ransomware note.

An example of a ransomware note.

Additional ransomware resources

Key information from Microsoft:

  • The growing threat of ransomware, Microsoft On the Issues blog post, July 20, 2021
  • Human-operated ransomware
  • Rapidly protect against ransomware and extortion
  • 2021 Microsoft Digital Defense Report (see pages 10-19)
  • Ransomware: A pervasive and ongoing threat (threat analytics report in the Microsoft Defender portal)
  • Microsoft Incident Response ransomware approach and best practices

Microsoft 365:

  • Deploy ransomware protection for your Microsoft 365 tenant
  • Maximize Ransomware Resiliency with Azure and Microsoft 365
  • Recover from a ransomware attack
  • Malware and ransomware protection
  • Protect your Windows 10 PC from ransomware
  • Handling ransomware in SharePoint Online
  • Threat analytics reports for ransomware in the Microsoft Defender portal

Microsoft Defender XDR:

  • Find ransomware with advanced hunting

Microsoft Defender for Cloud Apps:

  • Create anomaly detection policies in Defender for Cloud Apps

Microsoft Azure:

  • Azure Defenses for Ransomware Attack
  • Backup and restore plan to protect against ransomware
  • Help protect from ransomware with Microsoft Azure Backup (26 minute video)
  • Recovering from systemic identity compromise
  • Advanced multistage attack detection in Microsoft Sentinel
  • Fusion Detection for Ransomware in Microsoft Sentinel

Microsoft Security team blog posts:

  • 3 steps to prevent and recover from ransomware (September 2021)
  • A guide to combatting human-operated ransomware: Part 1 (September 2021): key steps on how Microsoft Incident Response conducts ransomware incident investigations.
  • A guide to combatting human-operated ransomware: Part 2 (September 2021): recommendations and best practices.
  • Becoming resilient by understanding cybersecurity risks: Part 4—navigating current threats (May 2021): see the Ransomware section.
  • Human-operated ransomware attacks: A preventable disaster (March 2020): includes attack chain analyses of actual attacks.
  • Ransomware response—to pay or not to pay? (December 2019)
  • Norsk Hydro responds to ransomware attack with transparency (December 2019)


The five-day job: A BlackByte ransomware intrusion case study

By Microsoft Incident Response

As ransomware attacks continue to grow in number and sophistication, threat actors can quickly impact business operations if organizations are not well prepared. In a recent investigation by Microsoft Incident Response (previously known as Microsoft Detection and Response Team – DART) of an intrusion, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization.

Our investigation found that within those five days, the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware, to achieve their objectives. These techniques included:

  • Exploitation of unpatched internet-exposed Microsoft Exchange Servers
  • Web shell deployment facilitating remote access
  • Use of living-off-the-land tools for persistence and reconnaissance
  • Deployment of Cobalt Strike beacons for command and control (C2)
  • Process hollowing and the use of vulnerable drivers for defense evasion
  • Deployment of custom-developed backdoors to facilitate persistence
  • Deployment of a custom-developed data collection and exfiltration tool

BlackByte 2.0 ransomware attack chain by order of stages: initial access and privilege escalation, persistence and command and control, reconnaissance, credential access, lateral movement, data staging and exfiltration, and impact.

In this blog, we share details of our investigation into the end-to-end attack chain, exposing security weaknesses that the threat actor exploited to advance their attack. As we learned from Microsoft’s tracking of ransomware attacks and the cybercriminal economy that enables them, disrupting common attack patterns could stop many of the attacker activities that precede ransomware deployment. This case highlights that common security hygiene practices go a long way in preventing, identifying, and responding to malicious activity as early as possible to mitigate the impact of ransomware attacks. We encourage organizations to follow the outlined mitigation steps, including ensuring that internet-facing assets are up to date and configured securely. We also share indicators of compromise, detection details, and hunting guidance to help organizations identify and respond to these attacks in their environments.  

Forensic analysis

Initial access and privilege escalation

To obtain initial access into the victim’s environment, the threat actor was observed exploiting the ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 on unpatched Microsoft Exchange Servers. The exploitation of these vulnerabilities allowed the threat actor to:

  • Attain system-level privileges on the compromised Exchange host
  • Enumerate LegacyDN of users by sending Autodiscover requests, including SIDs of users
  • Construct a valid authentication token and use it against the Exchange PowerShell backend
  • Impersonate domain admin users and create a web shell by using the New-MailboxExportRequest cmdlet
  • Create web shells to obtain remote control on affected servers

The threat actor was observed operating from the following IP to exploit ProxyShell and access the web shell:

  • 185.225.73[.]244

Persistence

After gaining access to a device, the threat actor created the following registry run keys to run a payload each time a user signs in:

  • Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run; value name: MsEdgeMsE; value data: rundll32 C:\Users\user\Downloads\api-msvc.dll,Default
  • Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run; value name: MsEdgeMsE; value data: rundll32 C:\temp\api-msvc.dll,Default
  • Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run; value name: MsEdgeMsE; value data: rundll32 C:\systemtest\api-system.png,Default

The file api-msvc.dll (SHA-256: 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e) was determined to be a backdoor capable of collecting system information, such as the installed antivirus products, device name, and IP address. This information is then sent via HTTP POST request to the following C2 channel:

  • hxxps://myvisit[.]alteksecurity[.]org/t

The organization was not using Microsoft Defender Antivirus, which detects this malware as Trojan:Win32/Kovter!MSR, as the primary antivirus solution, and the backdoor was allowed to run.

An additional file, api-system.png, was identified to have similarities to api-msvc.dll. This file behaved like a DLL, had the same default export function, and also leveraged run keys for persistence.

Cobalt Strike Beacon

The threat actor leveraged Cobalt Strike to achieve persistence. The file sys.exe (SHA-256: 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103), detected by Microsoft Defender Antivirus as Trojan:Win64/CobaltStrike!MSR, was determined to be a Cobalt Strike Beacon and was downloaded directly from the file sharing service temp[.]sh:

  • hxxps://temp[.]sh/szAyn/sys.exe

This beacon was configured to communicate with the following C2 channel:

  • 109.206.243[.]59:443

Threat actors leverage legitimate remote access tools during intrusions to blend into a victim network. In this case, the threat actor utilized the remote administration tool AnyDesk to maintain persistence and move laterally within the network. AnyDesk was installed as a service and was run from the following paths:

  • C:\systemtest\anydesk\AnyDesk.exe
  • C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  • C:\Scripts\AnyDesk.exe

Successful connections were observed in the AnyDesk log file ad_svc.trace involving anonymizer service IP addresses linked to TOR and MULLVAD VPN, a common technique that threat actors employ to obscure their source IP ranges.

Reconnaissance

We found that the network discovery tool NetScan was present and was executed by the threat actor to perform network enumeration, under the following file names:

  • netscan.exe (SHA-256:1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)
  • netapp.exe (SHA-256:1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)

Additionally, execution of AdFind (SHA-256: f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e), an Active Directory reconnaissance tool, was observed in the environment.

Credential access

Evidence of likely usage of the credential theft tool Mimikatz was also uncovered through the presence of a related log file, mimikatz.log. Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.

Lateral movement

Using compromised domain admin credentials, the threat actor used Remote Desktop Protocol (RDP) and PowerShell remoting to obtain access to other servers in the environment, including domain controllers.

Data staging and exfiltration

In one server where Microsoft Defender Antivirus was installed, a suspicious file named explorer.exe was identified, detected as Trojan:Win64/WinGoObfusc.LK!MT, and quarantined. However, because tamper protection wasn’t enabled on this server, the threat actor was able to disable the Microsoft Defender Antivirus service, enabling the threat actor to run the file using the following command:

explorer.exe P@$$w0rd

After reverse engineering explorer.exe, we determined it to be ExByte, a Golang-based tool developed and commonly used in BlackByte ransomware attacks for collection and exfiltration of files from victim networks. This tool is capable of enumerating files of interest across the network and, upon execution, creates a log file containing a list of files and associated metadata. Multiple log files were uncovered during the investigation in the path:

  • C:\Exchange\MSExchLog.log

Analysis of the binary revealed a list of file extensions that are targeted for enumeration.

Figure 2. Binary analysis showing file extensions enumerated by explorer.exe

Forensic analysis identified a file named data.txt that was created and later deleted after ExByte execution. This file contained obfuscated credentials that ExByte leveraged to authenticate to the popular file sharing platform Mega NZ using the platform’s API at:

  • hxxps://g.api.mega.co[.]nz


We also determined that this version of Exbyte was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address.

ExByte execution flow

Upon execution, ExByte decodes several strings and checks if the process is running with privileged access by reading \\.\PHYSICALDRIVE0:

  • If this check fails, ShellExecuteW is invoked with the lpOperation parameter RunAs, which runs explorer.exe with elevated privileges.

After this access check, explorer.exe attempts to read the data.txt file in the current location:

  • If the text file doesn’t exist, it invokes a command for self-deletion and exits from memory.
  • If data.txt exists, explorer.exe reads the file, passes the buffer to a Base64 decode function, and then decrypts the data using the key provided on the command line. The decrypted data is then parsed as JSON and fed to the login function.

Finally, it forms a URL for sign-in to the API of the service MEGA NZ:

  • hxxps://g.api.mega.co[.]nz/cs?id=1674017543

Data encryption and destruction

On devices where files were successfully encrypted, we identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64/BlackByte!MSR, with the following names:

  • schillerized.exe

The files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. The binaries require an 8-digit key number to encrypt files.

Two modes of execution were identified:

  • When the -s parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on.
  • When the -a parameter is provided, the ransomware conducts enumeration and uses an Ultimate Packer for eXecutables (UPX) packed version of PsExec to deploy across the network. Several domain admin credentials were hardcoded in the binary, facilitating the deployment of the binary across the network.

Depending on the switch ( -s or -a ), execution may create the following files:

  • C:\SystemData\M8yl89s7.exe (UPX-packed PsExec with a random name; SHA-256: ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f)
  • C:\SystemData\wEFT.exe (Additional BlackByte binary)
  • C:\SystemData\MsExchangeLog1.log (Log file)
  • C:\SystemData\rENEgOtiAtES (A vulnerable (CVE-2019-16098) driver RtCore64.sys used to evade detection by installed antivirus software; SHA-256: 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd)
  • C:\SystemData\iHu6c4.ico (Random name – BlackByte icon)
  • C:\SystemData\BB_Readme_file.txt (BlackByte ReadMe file)
  • C:\SystemData\skip_bypass.txt (Unknown)

BlackByte 2.0 ransomware capabilities

Some capabilities identified for the BlackByte 2.0 ransomware were:

  • The file rENEgOtiAtES created matches RTCore64.sys, a vulnerable driver (CVE-2019-16098) that allows any authenticated user to read or write to arbitrary memory
  • The BlackByte binary then creates and starts a service named RABAsSaa calling rENEgOtiAtES, and exploits this service to evade detection by installed antivirus software
  • cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del "PATH_TO_BLACKBYTE" /F /Q
  • cmd /c netsh advfirewall set allprofiles state off
  • cmd /c netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  • cmd /c netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
  • cmd /c vssadmin Resize ShadowStorge /For=B:\ /On=B:\ /MaxSize=401MB
  • cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=UNBOUNDED
  • cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
  • cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  • cmd /c reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
  • Ability to terminate running services and processes
  • Ability to enumerate and mount volumes and network shares for encryption
  • Performs the anti-forensics technique timestomping (sets the file time of encrypted files and the ReadMe file to 2000-01-01 00:00:00)
  • Ability to perform anti-debugging techniques
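As an added example (not Microsoft's code and not part of the original report), the following Python triages constructed process-creation and registry events for the command lines in the capability list above and for the rundll32 Run-key persistence shown in the Persistence section. The event field names, the sample records, and the user-writable path heuristic are assumptions; map them onto your EDR's process and registry tables.

```python
# Added example: heuristic triage for BlackByte 2.0 command lines and
# Run-key persistence. Event schemas below are assumed, not Microsoft's.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    device: str
    command_line: str


@dataclass(frozen=True)
class RegistryEvent:
    device: str
    key: str
    value_name: str
    value_data: str


# (rule name, pattern over the command line, what the command buys the attacker).
# "shadowstor\w*" deliberately matches both the "ShadowStorge" and "ShadowStorage"
# spellings listed in the capability list.
COMMAND_RULES = [
    ("vssadmin_shadow_storage_resize",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstor\w*", re.I),
     "shadow copy storage resized, which flushes existing shadow copies"),
    ("netsh_firewall_all_profiles_off",
     re.compile(r"\bnetsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off\b", re.I),
     "host firewall disabled on every profile"),
    ("netsh_enable_lateral_movement_groups",
     re.compile(r'\bnetsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="?'
                r'(?:file and printer sharing|network discovery)"?\s+new\s+enable=yes\b', re.I),
     "inbound SMB and discovery rule groups opened for PsExec-style deployment"),
    ("reg_localaccounttokenfilterpolicy",
     re.compile(r"\breg(?:\.exe)?\s+add\s+\S*policies\\+system\s+/v\s+"
                r"localaccounttokenfilterpolicy\b.*?/d\s+1\b", re.I),
     "UAC remote restrictions removed so local admin tokens work over the network"),
    ("ping_delay_then_self_delete",
     re.compile(r"\bping\s+\S+\s+-n\s+\d+\s*>\s*nul\s*&\s*del\b", re.I),
     "delayed self-deletion of the dropped binary"),
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.I)
RUNDLL32_TARGET = re.compile(r'\brundll32(?:\.exe)?\s+"?(?P<path>[^,"]+?)"?\s*,', re.I)
# User-writable locations, plus any file sitting directly under a non-standard
# top-level folder (C:\temp\x.dll, C:\systemtest\x.png). Tune for your estate.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\(?:downloads|appdata)\\"
    r"|[a-z]:\\(?:temp|windows\\temp|programdata)\\)"
    r"|^[a-z]:\\[^\\]+\\[^\\]+$",
    re.I,
)


def triage_command_lines(events):
    """Return (device, rule name, explanation) for each matching process event."""
    hits = []
    for ev in events:
        for name, pattern, why in COMMAND_RULES:
            if pattern.search(ev.command_line):
                hits.append((ev.device, name, why))
    return hits


def run_key_reasons(ev):
    """Reasons a Run-key value resembles the api-msvc.dll persistence, or []."""
    if not RUN_KEY.search(ev.key):
        return []
    m = RUNDLL32_TARGET.search(ev.value_data)
    if not m:
        return []
    path = m.group("path").strip()
    reasons = []
    if USER_WRITABLE.match(path):
        reasons.append("rundll32 target is in a user-writable or non-standard directory")
    if not path.lower().endswith(".dll"):
        reasons.append("rundll32 target lacks a .dll extension (masqueraded payload)")
    return reasons


def triage_run_keys(events):
    """Return (device, value name, reasons) for each suspicious Run-key event."""
    return [(ev.device, ev.value_name, r) for ev in events if (r := run_key_reasons(ev))]


# Constructed sample events modelled on the command lines and Run keys in the report.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("SRV-EXCH01", r"cmd /c vssadmin Resize ShadowStorge /For=B:\ /On=B:\ /MaxSize=401MB"),
    ProcessEvent("SRV-EXCH01", "cmd /c netsh advfirewall set allprofiles state off"),
    ProcessEvent("SRV-EXCH01", 'cmd /c netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes'),
    ProcessEvent("WS-0042", r"cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"),
    ProcessEvent("WS-0042", r'cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del "C:\SystemData\wEFT.exe" /F /Q'),
    ProcessEvent("WS-0042", "vssadmin list shadows"),           # routine admin use: no hit
    ProcessEvent("WS-0042", "netsh interface show interface"),  # routine admin use: no hit
]
SAMPLE_REGISTRY_EVENTS = [
    RegistryEvent("WS-0042", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "MsEdgeMsE", r"rundll32 C:\Users\user\Downloads\api-msvc.dll,Default"),
    RegistryEvent("WS-0042", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "MsEdgeMsE", r"rundll32 C:\systemtest\api-system.png,Default"),
    RegistryEvent("WS-0042", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "VendorAgent", r"rundll32 C:\Program Files\Vendor\agent.dll,Start"),  # benign
]
```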

Recommendations

To guard against BlackByte ransomware attacks, Microsoft recommends the following:

  • Ensure that you have a patch management process in place and that patching for internet-exposed devices is prioritized. Understand and assess your cyber exposure with advanced vulnerability and configuration assessment tools like Microsoft Defender Vulnerability Management
  • Implement an endpoint detection and response (EDR) solution like Microsoft Defender for Endpoint to gain visibility into malicious activity in real time across your network
  • Ensure antivirus protections are updated regularly by turning on cloud-based protection, and that your antivirus solution is configured to block threats
  • Enable tamper protection to prevent components of Microsoft Defender Antivirus from being disabled
  • Block inbound traffic from IPs specified in the indicators of compromise section of this report
  • Block inbound traffic from TOR exit nodes
  • Block inbound access from unauthorized public VPN services
  • Restrict administrative privileges to prevent unauthorized system changes

BlackByte ransomware attacks target organizations that have infrastructure with unpatched vulnerabilities. As outlined in the Microsoft Digital Defense Report, common security hygiene practices, including keeping systems up to date, could protect against 98% of attacks.

As new tools are being developed by threat actors, a modern threat protection solution like Microsoft 365 Defender is necessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to evade or disable specific defense mechanisms. Hunting for malicious behavior should be performed regularly in order to detect potential attacks that could evade detections, as a complementary activity for continuous monitoring from security tools alerts and incidents.

To understand how Microsoft can help you secure your network and respond to network compromise, visit https://aka.ms/MicrosoftIR.

Microsoft 365 Defender detections

Microsoft 365 Defender is becoming Microsoft Defender XDR. Learn more.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

  • Trojan:Win32/Kovter!MSR
  • Trojan:Win64/WinGoObfusc.LK!MT
  • Trojan:Win64/BlackByte!MSR
  • HackTool:Win32/AdFind!MSR
  • Trojan:Win64/CobaltStrike!MSR

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

  • ‘CVE-2021-31207’ exploit malware was detected
  • An active ‘NetShDisableFireWall’ malware in a command line was prevented from executing.
  • Suspicious registry modification.
  • ‘Rtcore64’ hacktool was detected
  • Possible ongoing hands-on-keyboard activity (Cobalt Strike)
  • A file or network connection related to a ransomware-linked emerging threat activity group detected
  • Suspicious sequence of exploration activities
  • A process was injected with potentially malicious code
  • Suspicious behavior by cmd.exe was observed
  • ‘Blackbyte’ ransomware was detected

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

  • CVE-2021-34473
  • CVE-2021-34523
  • CVE-2021-31207
  • CVE-2019-16098

Hunting queries

Microsoft 365 Defender

Microsoft 365 Defender customers can run the following queries to find related activity in their networks:

ProxyShell web shell creation events

Suspicious vssadmin events

Detection for persistence creation using Registry Run keys

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post-exploitation activity detailed in this blog, in addition to the Microsoft 365 Defender detections listed above.

  • Web shell activity
  • Suspicious file downloads on Exchange Servers
  • Firewall rule changes
  • Shadow copy deletion
  • Anomalous RDP activity

Indicators of compromise

The table below shows IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

  • 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e (SHA-256): api-msvc.dll (backdoor installed through Run keys)
  • 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103 (SHA-256): sys.exe (Cobalt Strike Beacon)
  • 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd (SHA-256): rENEgOtiAtES (vulnerable driver RtCore64.sys created by BlackByte binary)
  • ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f (SHA-256): [RANDOM_NAME].exe (UPX-packed PsExec created by BlackByte binary)
  • 1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e (SHA-256): netscan.exe, netapp.exe (NetScan network discovery tool)
  • f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e (SHA-256): AdFind.exe (Active Directory information gathering tool)
  • hxxps://myvisit[.]alteksecurity[.]org/t (URL): C2 for backdoor api-msvc.dll
  • hxxps://temp[.]sh/szAyn/sys.exe (URL): download URL for sys.exe
  • 109.206.243[.]59 (IP address): C2 for Cobalt Strike Beacon sys.exe
  • 185.225.73[.]244 (IP address): originating IP address for ProxyShell exploitation and web shell interaction

NOTE: These indicators should not be considered exhaustive for this observed activity.

File extensions targeted by BlackByte binary for encryption:

.4dd, .4dl, .accdb, .accdc, .accde, .accdr, .accdt, .accft,
.adb, .ade, .adf, .adp, .arc, .ora, .alf, .ask,
.btr, .bdf, .cat, .cdb, .ckp, .cma, .cpd, .dacpac,
.dad, .dadiagrams, .daschema, .db, .db-shm, .db-wal, .db3, .dbc,
.dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx,
.ddl, .dlis, .dp1, .dqy, .dsk, .dsn, .dtsx, .dxl,
.eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic,
.fmp, .fmp12, .fmpsl, .fol, .fp3, .fp4, .fp5, .fp7,
.fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .ib,
.idb, .ihx, .itdb, .itw, .jet, .jtx, .kdb, .kexi,
.kexic, .kexis, .lgc, .lwx, .maf, .maq, .mar, .masmav,
.mdb, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt,
.nrmlib, .ns2, .ns3, .ns4, .nsf, .nv, .nv2, .nwdb,
.nyf, .odb, .ogy, .orx, .owc, .p96, .p97, .pan,
.pdb, .pdm, .pnz, .qry, .qvd, .rbf, .rctd, .rod,
.rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc,
.sdf, .sis, .spg, .sql, .sqlite, .sqlite3, .sqlitedb, .te,
.temx, .tmd, .tps, .trc, .trm, .udb, .udl, .usr,
.v12, .vis, .vpd, .vvv, .wdb, .wmdb, .wrk, .xdb,
.xld, .xmlff, .abcddb, .abs, .abx, .accdw, .and, .db2,
.fm5, .hjt, .icg, .icr, .kdb, .lut, .maw, .mdn,
.mdt

Shared folders targeted for encryption (Example: \\[IP address]\Downloads):

Users, Backup, Veeam, homes, home,
media, common, Storage Server, Public, Web,
Images, Downloads, BackupData, ActiveBackupForBusiness, Backups,
NAS-DC, DCBACKUP, DirectorFiles, share

File extensions ignored:

.ini, .url, .msilog, .log, .ldf, .lock, .theme, .msi,
.sys, .wpx, .cpl, .adv, .msc, .scr, .key, .ico,
.dll, .hta, .deskthemepack, .nomedia, .msu, .rtp, .msp, .idx,
.ani, .386, .diagcfg, .bin, .mod, .ics, .com, .hlp,
.spl, .nls, .cab, .exe, .diagpkg, .icl, .ocx, .rom,
.prf, .thempack, .msstyles, .icns, .mpa, .drv, .cur, .diagcab,
.cmd, .shs

Folders ignored:

windows, boot, program files (x86), windows.old, programdata,
intel, bitdefender, trend micro, windowsapps, appdata,
application data, system volume information, perflogs, msocache

Files ignored:

bootnxt, ntldr, bootmgr, thumbs.db,
ntuser.dat, bootsect.bak, autoexec.bat, iconcache.db,
bootfont.bin
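The five lists above (targeted extensions, targeted shares, ignored extensions, ignored folders and ignored files) together define what the binary would encrypt. The following added example (not code from the Microsoft report) turns them into a scope check a defender can run over a file-server inventory to see which data would be hit first and therefore needs its backups verified. It embeds representative subsets of the report's lists and assumes, since the report does not state an evaluation order, that the exclusion lists are applied before the targeted-extension match.

```python
"""Encryption-scope triage built from the file-selection lists in the report.

Added example, not the report's or the malware author's code. Use it on a
share inventory to prioritise backup verification and recovery testing.

Assumption (not stated in the report): exclusions win over inclusions, i.e.
a file in an ignored folder, or with an ignored name or extension, is out of
scope even when its extension appears in the targeted list.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable

# Representative subsets copied from the report's lists; extend with the full
# lists as needed. Comparisons are case-insensitive, as NTFS names are.
TARGETED_EXTENSIONS = {
    ".accdb", ".adb", ".db", ".db3", ".dbf", ".edb", ".fdb", ".frm",
    ".gdb", ".ib", ".mdb", ".myd", ".ndf", ".odb", ".sdf", ".sql",
    ".sqlite", ".sqlite3", ".sqlitedb", ".wdb", ".xdb",
}
IGNORED_EXTENSIONS = {
    ".ini", ".url", ".msilog", ".log", ".ldf", ".lock", ".theme", ".msi",
    ".sys", ".dll", ".exe", ".cmd", ".shs",
}
IGNORED_FOLDERS = {
    "windows", "boot", "program files (x86)", "windows.old", "programdata",
    "intel", "bitdefender", "trend micro", "windowsapps", "appdata",
    "application data", "system volume information", "perflogs", "msocache",
}
IGNORED_FILES = {
    "bootnxt", "ntldr", "bootmgr", "thumbs.db", "ntuser.dat",
    "bootsect.bak", "autoexec.bat", "iconcache.db", "bootfont.bin",
}
# Share names the report lists as targeted (e.g. \\[IP address]\Downloads).
TARGETED_SHARES = {
    "users", "backup", "veeam", "homes", "home", "media", "common",
    "storage server", "public", "web", "images", "downloads", "backupdata",
    "activebackupforbusiness", "backups", "nas-dc", "dcbackup",
    "directorfiles", "share",
}


@dataclass(frozen=True)
class Verdict:
    path: str
    in_scope: bool
    reason: str


def classify(path: str) -> Verdict:
    """Apply the exclusion lists first, then the targeted-extension list.

    Accepts local paths (C:\\data\\x.mdb) and UNC paths (\\\\host\\Backup\\x.mdb).
    """
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name in IGNORED_FILES:
        return Verdict(path, False, "ignored file name")
    ext = p.suffix.lower()
    if ext in IGNORED_EXTENSIONS:
        return Verdict(path, False, f"ignored extension {ext}")
    # Any directory component that matches an ignored folder excludes the file.
    # The drive/UNC anchor is one component and never matches a folder name.
    hit = {part.lower() for part in p.parent.parts} & IGNORED_FOLDERS
    if hit:
        return Verdict(path, False, f"inside ignored folder {sorted(hit)[0]!r}")
    if ext in TARGETED_EXTENSIONS:
        return Verdict(path, True, f"targeted extension {ext}")
    return Verdict(path, False, "extension not targeted")


def in_scope_paths(paths: Iterable[str]) -> list[str]:
    """Paths that fall inside the stated encryption scope."""
    return [v.path for v in map(classify, paths) if v.in_scope]


def share_name(path: str) -> str | None:
    """Share component of a UNC path, or None for local paths."""
    drive = PureWindowsPath(path).drive  # '\\\\host\\share' for UNC, 'C:' for local
    return drive.split("\\")[-1] if drive.startswith("\\\\") else None


def exposed_shares(paths: Iterable[str]) -> set[str]:
    """UNC shares in the inventory whose name is on the report's targeted list."""
    names = {share_name(x) for x in paths}
    return {n for n in names if n and n.lower() in TARGETED_SHARES}


if __name__ == "__main__":
    # Constructed sample inventory; host and paths are placeholders.
    inventory = [
        r"\\10.0.0.5\Backup\finance.mdb",
        r"\\10.0.0.5\Scratch\notes.txt",
        r"C:\Windows\System32\config\x.db",
        r"D:\data\app.log",
        r"D:\data\thumbs.db",
        r"E:\app\DATA.MDB",
    ]
    for v in map(classify, inventory):
        print(f"{'HIT ' if v.in_scope else 'skip'} {v.path}  ({v.reason})")
    print("targeted shares present:", sorted(exposed_shares(inventory)))
```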

Processes terminated:

teracopy, teamviewer, nsservice, nsctrl, uranium, processhacker, procmon, pestudio, procmon64, x32dbg,
x64dbg, cff explorer, procexp, pslist, tcpview, tcpvcon, dbgview, rammap, rammap64, vmmap,
ollydbg, autoruns, autorunssc, filemon, regmon, idaq, idaq64, immunitydebugger, wireshark, dumpcap,
hookexplorer, importrec, petools, lordpe, sysinspector, proc_analyzer, sysanalyzer, sniff_hit, windbg, joeboxcontrol,
joeboxserver, resourcehacker, fiddler, httpdebugger, dumpit, rammap, rammap64, vmmap, agntsvc, cntaosmgr,
dbeng50, dbsnmp, encsvc, infopath, isqlplussvc, mbamtray, msaccess, msftesql, mspub, mydesktopqos,
mydesktopservice, mysqld, mysqld-nt, mysqld-opt, Ntrtscan, ocautoupds, ocomm, ocssd, onenote, oracle,
outlook, PccNTMon, powerpnt, sqbcoreservice, sql, sqlagent, sqlbrowser, sqlservr, sqlwriter, steam,
synctime, tbirdconfig, thebat, thebat64, thunderbird, tmlisten, visio, winword, wordpad, xfssvccon,
zoolz

Services terminated:

CybereasonRansomFree, vnetdbpcd, SamSs, TeraCopyService, msftesql, nsService, klvssbridge64, vapiendpoint, ShMonitor,
Smcinst, SmcService, SntpService, svcGenericHost, Swi_, TmCCSF, tmlisten, TrueKey, TrueKeyScheduler, TrueKeyServiceHelper,
WRSVC, McTaskManager, OracleClientCache80, mfefire, wbengine, mfemms, RESvc, mfevtp, sacsvr, SAVAdminService,
SepMasterService, PDVFSService, ESHASRV, SDRSVC, FA_Scheduler, KAVFS, KAVFS_KAVFSGT, kavfsslp, klnagent, macmnsvc,
masvc, MBAMService, MBEndpointAgent, McShield, audioendpointbuilder, Antivirus, AVP, DCAgent, bedbg, EhttpSrv,
MMS, ekrn, EPSecurityService, EPUpdateService, ntrtscan, EsgShKernel, msexchangeadtopology, AcrSch2Svc, MSOLAP$TPSAMA, Intel(R) PROSet Monitoring,
msexchangeimap4, ARSM, unistoresvc_1af40a, ReportServer$TPS, MSOLAP$SYSTEM_BGC, W3Svc, MSExchangeSRS, ReportServer$TPSAMA, Zoolz 2 Service, MSOLAP$TPS,
aphidmonitorservice, SstpSvc, MSExchangeMTA, ReportServer$SYSTEM_BGC, Symantec System Recovery, UI0Detect, MSExchangeSA, MSExchangeIS, ReportServer, MsDtsServer110,
POP3Svc, MSExchangeMGMT, SMTPSvc, MsDtsServer, IisAdmin, MSExchangeES, EraserSvc11710, Enterprise Client Service, MsDtsServer100, NetMsmqActivator,
stc_raw_agent, VSNAPVSS, PDVFSService, AcrSch2Svc, Acronis, CASAD2DWebSvc, CAARCUpdateSvc, McAfee, avpsus, DLPAgentService,
mfewc, BMR Boot Service, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, RTVscan, screenconnect, ransom, sqltelemetry, msexch,
vnc, teamviewer, msolap, veeam, backup, sql, memtas, vss, sophos, svc$, mepocs, wuauserv

Drivers that BlackByte can bypass:

360avflt.sys360box.sys360fsflt.sys360qpesv.sys5nine.cbt.sys
a2acc.sysa2acc64.sysa2ertpx64.sysa2ertpx86.sysa2gffi64.sys
a2gffx64.sysa2gffx86.sysaaf.sysaalprotect.sysabrpmon.sys
accessvalidator.sysacdriver.sysacdrv.sysadaptivaclientcache32.sysadaptivaclientcache64.sys
adcvcsnt.sysadspiderdoc.sysaefilter.sysagentrtm64.sysagfsmon.sys
agseclock.sysagsyslock.sysahkamflt.sysahksvpro.sysahkusbfw.sys
ahnrghlh.sysaictracedrv_am.sysairship-filter.sysajfsprot.sysalcapture.sys
alfaff.sysaltcbt.sysamfd.sysamfsm.sysamm6460.sys
amm8660.sysamsfilter.sysamznmon.sysantileakfilter.sysantispyfilter.sys
anvfsm.sysapexsqlfilterdriver.sysappcheckd.sysappguard.sysappvmon.sys
arfmonnt.sysarta.sysarwflt.sysasgard.sysashavscan.sys
asiofms.sysaswfsblk.sysaswmonflt.sysaswsnx.sysaswsp.sys
aszfltnt.sysatamptnt.sysatc.sysatdragent.sysatdragent64.sys
aternityregistryhook.sysatflt.sysatrsdfw.sysauditflt.sysaupdrv.sys
avapsfd.sysavc3.sysavckf.sysavfsmn.sysavgmfi64.sys
avgmfrs.sysavgmfx64.sysavgmfx86.sysavgntflt.sysavgtpx64.sys
avgtpx86.sysavipbb.sysavkmgr.sysavmf.sysawarecore.sys
axfltdrv.sysaxfsysmon.sysayfilter.sysb9kernel.sysbackupreader.sys
bamfltr.sysbapfecpt.sysbbfilter.sysbd0003.sysbddevflt.sys
bdfiledefend.sysbdfilespy.sysbdfm.sysbdfsfltr.sysbdprivmon.sys
bdrdfolder.sysbdsdkit.sysbdsfilter.sysbdsflt.sysbdsvm.sys
bdsysmon.sysbedaisy.sysbemk.sysbfaccess.sysbfilter.sys
bfmon.sysbhdrvx64.sysbhdrvx86.sysbhkavka.sysbhkavki.sys
bkavautoflt.sysbkavsdflt.sysblackbirdfsa.sysblackcat.sysbmfsdrv.sys
bmregdrv.sysboscmflt.sysbosfsfltr.sysbouncer.sysboxifier.sys
brcow_x_x_x_x.sysbrfilter.sysbrnfilelock.sysbrnseclock.sysbrowsermon.sys
bsrfsflt.sysbssaudit.sysbsyaed.sysbsyar.sysbsydf.sys
bsyirmf.sysbsyrtm.sysbsysp.sysbsywl.sysbwfsdrv.sys
bzsenspdrv.sysbzsenth.sysbzsenyaradrv.syscaadflt.syscaavfltr.sys
cancelsafe.syscarbonblackk.syscatflt.syscatmf.syscbelam.sys
cbfilter20.syscbfltfs4.syscbfsfilter2017.syscbfsfilter2020.syscbsampledrv.sys
cdo.syscdrrsflt.syscdsgfsfilter.syscentrifyfsf.syscfrmd.sys
cfsfdrvcgwmf.syschange.syschangelog.syschemometecfilter.sys
ciscoampcefwdriver.sysciscoampheurdriver.sysciscosam.sysclumiochangeblockmf.syscmdccav.sys
cmdcwagt.syscmdguard.syscmdmnefs.syscmflt.syscode42filter.sys
codex.sysconduantfsfltr.syscontainermonitor.syscpavfilter.syscpavkernel.sys
cpepmon.syscrexecprev.syscrncache32.syscrncache64.syscrnsysm.sys
cruncopy.syscsaam.syscsaav.syscsacentr.syscsaenh.sys
csagent.syscsareg.syscsascr.syscsbfilter.syscsdevicecontrol.sys
csfirmwareanalysis.syscsflt.syscsmon.syscssdlp.sysctamflt.sys
ctifile.sysctinet.sysctrpamon.sysctx.syscvcbt.sys
cvofflineflt32.syscvofflineflt64.syscvsflt.syscwdriver.syscwmem2k64.sys
cybkerneltracker.syscylancedrv64.syscyoptics.syscyprotectdrv32.syscyprotectdrv64.sys
cytmon.syscyverak.syscyvrfsfd.syscyvrlpc.syscyvrmtgn.sys
datanow_driver.sysdattofsf.sysda_ctl.sysdcfafilter.sysdcfsgrd.sys
dcsnaprestore.sysdeepinsfs.sysdelete_flt.sysdevmonminifilter.sysdfmfilter.sys
dgedriver.sysdgfilter.sysdgsafe.sysdhwatchdog.sysdiflt.sys
diskactmon.sysdkdrv.sysdkrtwrt.sysdktlfsmf.sysdnafsmonitor.sys
docvmonk.sysdocvmonk64.sysdpmfilter.sysdrbdlock.sysdrivesentryfilterdriver2lite.sys
drsfile.sysdrvhookcsmf.sysdrvhookcsmf_amd64.sysdrwebfwflt.sysdrwebfwft.sys
dsark.sysdsdriver.sysdsfemon.sysdsflt.sysdsfltfs.sys
dskmn.sysdtdsel.sysdtpl.sysdwprot.sysdwshield.sys
dwshield64.syseamonm.syseaseflt.syseasyanticheat.syseaw.sys
ecatdriver.sysedevmon.sysednemfsfilter.sysedrdrv.sysedrsensor.sys
edsigk.syseectrl.syseetd32.syseetd64.syseeyehv.sys
eeyehv64.sysegambit.sysegfilterk.sysegminflt.sysegnfsflt.sys
ehdrv.syselock2fsctldriver.sysemxdrv2.sysenigmafilemondriver.sysenmon.sys
epdrv.sysepfw.sysepfwwfp.sysepicfilter.sysepklib.sys
epp64.sysepregflt.syseps.sysepsmn.sysequ8_helper.sys
eraser.sysesensor.sysesprobe.sysestprmon.sysestprp.sys
estregmon.sysestregp.sysestrkmon.sysestrkr.syseventmon.sys
evmf.sysevscase.sysexcfs.sysexprevdriver.sysfailattach.sys
failmount.sysfam.sysfangcloud_autolock_driver.sysfapmonitor.sysfarflt.sys
farwflt.sysfasdriverfcnotify.sysfcontrol.sysfdrtrace.sys
fekern.sysfencry.sysffcfilt.sysffdriver.sysfildds.sys
filefilter.sysfileflt.sysfileguard.sysfilehubagent.sysfilemon.sys
filemonitor.sysfilenamevalidator.sysfilescan.sysfilesharemon.sysfilesightmf.sys
filesystemcbt.sysfiletrace.sysfile_monitor.sysfile_protector.sysfile_tracker.sys
filrdriver.sysfim.sysfiometer.sysfiopolicyfilter.sysfjgsdis2.sys
fjseparettifilterredirect.sysflashaccelfs.sysflightrecorder.sysfltrs329.sysflyfs.sys
fmdrive.sysfmkkc.sysfmm.sysfortiaptfilter.sysfortimon2.sys
fortirmon.sysfortishield.sysfpav_rtp.sysfpepflt.sysfsafilter.sys
fsatp.sysfsfilter.sysfsgk.sysfshs.sysfsmon.sys
fsmonitor.sysfsnk.sysfsrfilter.sysfstrace.sysfsulgk.sys
fsw31rj1.sysgagsecurity.sysgbpkm.sysgcffilter.sysgddcv.sys
gefcmp.sysgemma.sysgeprotection.sysggc.sysgibepcore.sys
gkff.sysgkff64.sysgkpfcb.sysgkpfcb64.sysgofsmf.sys
gpminifilter.sysgroundling32.sysgroundling64.sysgtkdrv.sysgumhfilter.sys
gzflt.syshafsnk.syshbflt.syshbfsfltr.syshcp_kernel_acq.sys
hdcorrelatefdrv.syshdfilemon.syshdransomoffdrv.syshdrfs.sysheimdall.sys
hexisfsmonitor.syshfileflt.syshiofs.syshmpalert.syshookcentre.sys
hooksys.syshpreg.syshsmltmon.syshsmltwhl.syshssfwhl.sys
hvlminifilter.sysibr2fsk.sysiccfileioad.sysiccfilteraudit.sysiccfiltersc.sys
icfclientflt.sysicrlmonitor.sysiderafilterdriver.sysielcp.sysieslp.sys
ifs64.sysignis.sysiguard.sysiiscache.sysikfilesec.sys
im.sysimffilter.sysimfilter.sysimgguard.sysimmflex.sys
immunetprotect.sysimmunetselfprotect.sysinisbdrv64.sysino_fltr.sysintelcas.sys
intmfs.sysinuse.sysinvprotectdrv.sysinvprotectdrv64.sysionmonwdrv.sys
iothorfs.sysipcomfltr.sysipfilter.sysiprotect.sysiridiumswitch.sys
irongatefd.sysisafekrnl.sysisafekrnlmon.sysisafermonisecureflt.sys
isedrv.sysisfpdrv.sysisirmfmon.sysisregflt.sysisregflt64.sys
issfltr.sysissregistry.sysit2drv.sysit2reg.sysivappmon.sys
iwdmfs.sysiwhlp.sysiwhlp2.sysiwhlpxp.sysjdppsf.sys
jdppwf.sysjkppob.sysjkppok.sysjkpppf.sysjkppxk.sys
k7sentry.syskavnsi.syskawachfsminifilter.syskc3.syskconv.sys
kernelagent32.syskewf.syskfac.syskfileflt.syskisknl.sys
klam.sysklbg.sysklboot.syskldback.syskldlinf.sys
kldtool.sysklfdefsf.sysklflt.sysklgse.sysklhk.sys
klif.sysklifaa.sysklifks.sysklifsm.sysklrsps.sys
klsnsr.sysklupd_klif_arkmon.syskmkuflt.syskmnwch.syskmxagent.sys
kmxfile.syskmxsbx.sysksfsflt.sysktfsfilter.sysktsyncfsflt.sys
kubwksp.syslafs.syslbd.syslbprotect.syslcgadmon.sys
lcgfile.syslcgfilemon.syslcmadmon.syslcmfile.syslcmfilemon.sys
lcmprintmon.sysldsecdrv.syslibwamf.syslivedrivefilter.sysllfilter.sys
lmdriver.syslnvscenter.syslocksmith.syslragentmf.syslrtp.sys
magicbackupmonitor.sysmagicprotect.sysmajoradvapi.sysmarspy.sysmaxcryptmon.sys
maxproc64.sysmaxprotector.sysmbae64.sysmbam.sysmbamchameleon.sys
mbamshuriken.sysmbamswissarmy.sysmbamwatchdog.sysmblmon.sysmcfilemon32.sys
mcfilemon64.sysmcstrg.sysmearwfltdriver.sysmessage.sysmfdriver.sys
mfeaack.sysmfeaskm.sysmfeavfk.sysmfeclnrk.sysmfeelamk.sys
mfefirek.sysmfehidk.sysmfencbdc.sysmfencfilter.sysmfencoas.sys
mfencrk.sysmfeplk.sysmfewfpk.sysminiicpt.sysminispy.sys
minitrc.sysmlsaff.sysmmpsy32.sysmmpsy64.sysmonsterk.sys
mozycorpfilter.sysmozyenterprisefilter.sysmozyentfilter.sysmozyhomefilter.sysmozynextfilter.sys
mozyoemfilter.sysmozyprofilter.sysmpfilter.sysmpkernel.sysmpksldrv.sys
mpxmon.sysmracdrv.sysmrxgoogle.sysmscan-rt.sysmsiodrv4.sys
msixpackagingtoolmonitor.sysmsnfsflt.sysmspy.sysmssecflt.sysmtsvcdf.sys
mumdi.sysmwac.sysmwatcher.sysmwfsmfltr.sysmydlpmf.sys
namechanger.sysnanoavmf.sysnaswsp.sysndgdmk.sysneokerbyfilter
netaccctrl.sysnetaccctrl64.sysnetguard.sysnetpeeker.sysngscan.sys
nlcbhelpi64.sysnlcbhelpx64.sysnlcbhelpx86.sysnlxff.sysnmlhssrv01.sys
nmpfilter.sysnntinfo.sysnovashield.sysnowonmf.sysnpetw.sys
nprosec.sysnpxgd.sysnpxgd64.sysnravwka.sysnrcomgrdka.sys
nrcomgrdki.sysnregsec.sysnrpmonka.sysnrpmonki.sysnsminflt.sys
nsminflt64.sysntest.sysntfsf.sysntguard.sysntps_fa.sys
nullfilter.sysnvcmflt.sysnvmon.sysnwedriver.sysnxfsmon.sys
nxrmflt.sysoadevice.sysoavfm.sysoczminifilter.sysodfsfilter.sys
odfsfimfilter.sysodfstokenfilter.sysoffsm.sysomfltlh.sysosiris.sys
ospfile_mini.sysospmon.sysparity.syspassthrough.syspath8flt.sys
pavdrv.syspcpifd.syspctcore.syspctcore64.syspdgenfam.sys
pecfilter.sysperfectworldanticheatsys.syspervac.syspfkrnl.syspfracdrv.sys
pgpfs.syspgpwdefs.sysphantomd.sysphdcbtdrv.syspkgfilter.sys
pkticpt.sysplgfltr.sysplpoffdrv.syspointguardvista64f.syspointguardvistaf.sys
pointguardvistar32.syspointguardvistar64.sysprocmon11.sysproggerdriver.syspsacfileaccessfilter.sys
pscff.syspsgdflt.syspsgfoctrl.syspsinfile.syspsinproc.sys
psisolator.syspwipf6.syspwprotect.syspzdrvxp.sysqdocumentref.sys
qfapflt.sysqfilter.sysqfimdvr.sysqfmon.sysqminspec.sys
qmon.sysqqprotect.sysqqprotectx64.sysqqsysmon.sysqqsysmonx64.sys
qutmdrv.sysranpodfs.sysransomdefensexxx.sysransomdetect.sysreaqtor.sys
redlight.sysregguard.sysreghook.sysregmonex.sysrepdrv.sys
repmon.sysrevefltmgr.sysreveprocprotection.sysrevonetdriver.sysrflog.sys
rgnt.sysrmdiskmon.sysrmphvmonitor.sysrpwatcher.sysrrmon32.sys
rrmon64.sysrsfdrv.sysrsflt.sysrspcrtw.sysrsrtw.sys
rswctrl.sysrswmon.sysrtologon.sysrtw.sysruaff.sys
rubrikfileaudit.sysruidiskfs.sysruieye.sysruifileaccess.sysruimachine.sys
ruiminispy.sysrvsavd.sysrvsmon.sysrw7fsflt.sysrwchangedrv.sys
ryfilter.sysryguard.syssafe-agent.syssafsfilter.syssagntflt.sys
sahara.syssakfile.syssakmfile.syssamflt.syssamsungrapidfsfltr.sys
sanddriver.syssanta.syssascan.syssavant.syssavonaccess.sys
scaegis.sysscauthfsflt.sysscauthiodrv.sysscensemon.sysscfltr.sys
scifsflt.syssciptflt.syssconnect.sysscred.syssdactmon.sys
sddrvldr.syssdvfilter.sysse46filter.syssecdodriver.syssecone_filemon10.sys
secone_proc10.syssecone_reg10.syssecone_usb.syssecrmm.syssecufile.sys
secure_os.syssecure_os_mf.syssecurofsd_x64.syssefo.syssegf.sys
segiraflt.syssegmd.syssegmp.syssentinelmonitor.sysserdr.sys
serfs.syssfac.syssfavflt.syssfdfilter.syssfpmonitor.sys
sgresflt.sysshdlpmedia.sysshdlpsf.syssheedantivirusfilterdriver.syssheedselfprotection.sys
shldflt.syssi32_file.syssi64_file.syssieflt.syssimrep.sys
sisipsfilefiltersk.sysskyamdrv.sysskyrgdrv.sysskywpdrv.sys
slb_guard.syssld.syssmbresilfilter.syssmdrvnt.syssndacs.sys
snexequota.syssnilog.syssnimg.syssnscore.syssnsrflt.sys
sodatpfl.syssoftfilterxxx.syssoidriver.syssolitkm.syssonar.sys
sophosdt2.syssophosed.syssophosntplwf.syssophossupport.sysspbbcdrv.sys
spellmon.sysspider3g.sysspiderg3.sysspiminifilter.sysspotlight.sys
sprtdrv.syssqlsafefilterdriver.syssrminifilterdrv.syssrtsp.syssrtsp64.sys
srtspit.sysssfmonm.sysssrfsf.sysssvhook.sysstcvsm.sys
stegoprotect.sysstest.sysstflt.sysstkrnl64.sysstoragedrv.sys
strapvista.sysstrapvista64.syssvcbt.sysswcommfltr.sysswfsfltr.sys
swfsfltrv2.sysswin.syssymafr.syssymefa.syssymefa64.sys
symefasi.syssymevent.syssymevent64x86.syssymevnt.syssymevnt32.sys
symhsm.syssymrg.syssysdiag.syssysmon.syssysmondrv.sys
sysplant.sysszardrv.sysszdfmdrv.sysszdfmdrv_usb.sysszedrdrv.sys
szpcmdrv.systaniumrecorderdrv.systaobserveflt.systbfsfilt.systbmninifilter.sys
tbrdrv.systdevflt.systedrdrv.systenrsafe2.systesmon.sys
tesxnginx.systesxporter.systffregnt.systfsflt.systgfsmf.sys
thetta.systhfilter.systhreatstackfim.systkdac2k.systkdacxp.sys
tkdacxp64.systkfsavxp.systkfsavxp64.systkfsft.systkfsft64.sys
tkpcftcb.systkpcftcb64.systkpl2k.systkpl2k64.systksp2k.sys
tkspxp.systkspxp64.systmactmon.systmcomm.systmesflt.sys
tmevtmgr.systmeyes.systmfsdrv2.systmkmsnsr.systmnciesc.sys
tmpreflt.systmumh.systmums.systmusa.systmxpflt.sys
topdogfsfilt.systrace.systrfsfilter.systritiumfltr.systrpmnflt.sys
trufos.systrustededgeffd.systsifilemon.systss.syststfilter.sys
tstfsredir.syststregredir.systsyscare.systvdriver.systvfiltr.sys
tvmfltr.systvptfile.systvspfltr.systwbdcfilter.systxfilefilter.sys
txregmon.sysuamflt.sysucafltdriver.sysufdfilter.sysuncheater.sys
upguardrealtime.sysusbl_ifsfltr.sysusbpdh.sysusbtest.sysuvmcifsf.sys
uwfreg.sysuwfs.sysv3flt2k.sysv3flu2k.sysv3ift2k.sys
v3iftmnt.sysv3mifint.sysvarpffmon.sysvast.sysvcdriv.sys
vchle.sysvcmfilter.sysvcreg.sysveeamfct.sysvfdrv.sys
vfilefilter.sysvfpd.sysvfsenc.sysvhddelta.sysvhdtrack.sys
vidderfs.sysvintmfs.sysvirtfile.sysvirtualagent.sysvk_fsf.sys
vlflt.sysvmwvvpfsd.sysvollock.sysvpdrvnt.sysvradfil2.sys
vraptdef.sysvraptflt.sysvrarnflt.sysvrbbdflt.sysvrexpdrv.sys
vrfsftm.sysvrfsftmx.sysvrnsfilter.sysvrsdam.sysvrsdcore.sys
vrsdetri.sysvrsdetrix.sysvrsdfmx.sysvrvbrfsfilter.sysvsepflt.sys
vsscanner.sysvtsysflt.sysvxfsrep.syswats_se.syswbfilter.sys
wcsdriver.syswdcfilter.syswdfilter.syswdocsafe.syswfp_mrt.sys
wgfile.syswhiteshield.syswindbdrv.syswindd.syswinfladrv.sys
winflahdrv.syswinfldrv.syswinfpdrv.syswinload.syswinteonminifilter.sys
wiper.syswlminisecmod.syswntgpdrv.syswraekernel.syswrcore.sys
wrcore.x64.syswrdwizfileprot.syswrdwizregprot.syswrdwizscanner.syswrdwizsecure64.sys
wrkrn.syswrpfv.syswsafefilter.syswscm.sysxcpl.sys
xendowflt.sysxfsgk.sysxhunter1.sysxhunter64.sysxiaobaifs.sys
xiaobaifsr.sysxkfsfd.sysxoiv8x64.sysxomfcbt8x64.sysyahoostorage.sys
yfsd.sysyfsd2.sysyfsdr.sysyfsrd.syszampit_ml.sys
zesfsmf.syszqfilter.syszsfprt.syszwasatom.syszwpxesvr.sys
zxfsfilt.syszyfm.syszzpensys.sys  

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.


Training Industry

The impact of case studies on safety training.


Experience is the greatest teacher of all and there is nothing like learning from our mistakes. But, in many critical industries, making a mistake can lead to grave injuries — or possibly even death. Whatever your industry, safety should be at the heart of everything you do. By committing to innovation and new, more effective ways to approach online training, your people will be more prepared to make safer, smarter and better decisions on the job.

Making Compliance Training Engaging

Learning from the mistakes of someone else — without actually having to make that mistake yourself — is an invaluable tool when it comes to adult learning. In fact, eLearning courses developed from real-life scenarios that highlight to learners what went wrong can help prevent similar injuries from occurring in the future.

In this article, we’ll review some top tips on integrating case studies into your health and safety training programs, and how this can help save lives in the workplace.

3 tips for designing (or selecting) case study courses.

  • Select case studies with care.

Not all examples of workplace incidents are relevant for all trainees. That’s why you should start by identifying any employee skills gaps and training needs. You’ll also want to ensure you’re selecting or designing case studies that grab the attention of those who engage with the narrative.

Here are just a few questions to consider while developing safety training for employees:

  • Is there a particularly compelling voice that can share this story?
  • Is there a clear lesson that can be learned from this experience?
  • How can this particular case study help develop problem-solving skills in learners?
  • Is there an interactive element that can be included in a training based on this case study?

Be sure to choose topics that are relevant to employees and the work environment, and that learners can connect with personally. The goal is to make the training content memorable.

  • Structure training for engagement.

As you are designing or selecting case studies for training courses, you’ll need to consider the best way to communicate a real-life narrative. This is not the same as storytelling or explaining what not to do. Instead, you will need to structure the training so that it immerses learners into the experience. Combine different features to create a blended learning experience, like interviews and/or a 3D recreation of the incident with explanations by an expert on how the incident could’ve been prevented. This can drive home the point of occupational safety and hazard association (OSHA) training.

  • Include interactive elements.

Interactive multimedia elements are imperative to creating an immersive learning experience. You can also structure the content so learners problem-solve their way through the experience while you narrate it. For example, add “branching” or choose-your-own-adventure scenarios so they can see how the situation plays out based on their selections. Don’t overdo the entertaining elements, though: the point of adding immersive features is to make an authentic impact on your learners.

3 key benefits of using case studies in training.

  • Better buy-in.

When it comes to safety training, buy-in from stakeholders is a must, and completing online courses should be more than checking boxes for compliance requirements. The best way to earn that buy-in is to explain the value of the training. Most adults have a strong sense of self-direction and motivation; many adult learners engage because they need the knowledge or recognize its benefit. We know that humans learn better when they connect their training to a narrative. Case studies have the power to make what may otherwise feel like a series of do’s and don’ts come to life with a compelling story based on real-life events.

Learners can better understand the importance of safety training when it is personal and relevant to their role. Transforming mandatory compliance health and safety training from abstract concepts into lessons grounded in the real world can not only maximize the impact of training, but also help safeguard lives.


Michael Ojdana

Michael Ojdana is the chief learning officer at Vector Solutions. He leads the content team and has a rich background in all aspects of content development. In his role, Ojdana strives to guide his team to create engaging, innovative courses that meet customer needs, positively change behaviors and help make employees safer.


5 Best Crisis Communication Case Studies and Examples

Cristina Hure, Sep 6, 2024, in Internal Communications

Today’s uncertain times increase the need for organizations to prepare for unexpected events. Explore these real-life examples of crisis communications case studies to protect your reputation and operations – in case fire lands on your doorstep one day! 

Every brand, no matter how big or small, will face challenges from time to time. These can range from minor issues like a typo in a marketing campaign to major crises with global implications. 

Some brands navigate these situations skillfully, while others struggle. Real-life crisis communication examples—including both best crisis communication examples and bad crisis communication examples—offer crucial insights into effective crisis communication strategies. 

Whether dealing with internal crisis communication examples or broader corporate crisis communication examples, studying case study crisis communication scenarios helps organizations develop a robust crisis communication plan that effectively responds to difficult circumstances. For internal communicators and HR leaders, the crisis communication case studies in this article serve as valuable lessons in the art and science of dealing with crises.

What is Crisis Communication?

Crisis communication involves the technologies, systems, and protocols that enable an organization to efficiently communicate during a crisis. This strategic communication function is designed to mitigate damage to the organization’s reputation by asserting control in situations that could potentially be chaotic and damaging. 

When communicators ensure consistent messaging, manage stakeholder expectations and maintain trust through transparency and prompt updates, effective crisis communication plays a critical role in mitigating damage.

How Does Internal Communications Play a Role in Crisis Communications?

In a crisis, internal communications are not just about damage control—they’re about safeguarding your organization’s most valuable asset: its people. Knowing what to do—and what to avoid—when managing an internal communications crisis can make all the difference in how your organization emerges on the other side.

As an internal communicator, your responsibilities go beyond fostering engagement and connection. You must also be prepared to respond swiftly and effectively when disaster strikes, demonstrating the importance of internal communications. Clear, consistent, and empathetic communication is essential in guiding employees through the turmoil, and ensuring that everyone understands the organization’s stance and next steps.

The insights below will help create a comprehensive crisis communication plan template to navigate crises with transparency, speed, and accountability.

Crisis Communication Best Practices

To handle crisis communications, communicators should adhere to key principles outlined in a wide range of crisis communication case studies:

  • Stay consistent with your message: Every message should align with the organization’s overall narrative. For instance, if transparency is a priority, all internal updates should reflect this value, as seen in corporate crisis communication examples.
  • Practice what you preach: Deliver on promises. If safety measures are announced, promptly implement them to build trust—another common theme in many case study crisis communication examples.
  • Balance speed with accuracy: Timing is key in a crisis, but so is accuracy. Rather than rushing to communicate incomplete information, prioritize getting the facts right. For example, if there’s an incident affecting operations, promptly acknowledge it, but follow up with detailed, accurate information as soon as it’s available. Successful crisis communication plans balance both speed with accuracy to maintain credibility.
  • Lead with empathy: Recognize the emotional impact of a crisis on employees and tailor your communication to acknowledge their concerns. For instance, if layoffs are imminent, express understanding and support, offering resources like counseling or career transition services. Internal crisis communication examples show that addressing concerns compassionately can strengthen trust.

By following these principles, you can navigate crises more effectively and maintain the trust and confidence of your audiences. And, if you’re looking for more on this front, our internal communications best practices article can help. 

5 Best Crisis Communication Case Studies to Know for 2024

1. Marriott: Authentic Leadership in Times of Crisis

Authentic leadership goes beyond being just a buzzword—it’s about genuinely acting and communicating in ways that build trust and inspire loyalty. Arne Sorenson, CEO of Marriott International, exemplified this approach in a 6-minute video directed at employees, shareholders, and customers during the COVID-19 crisis. 

Following the video’s release, what exactly did Sorenson do to earn overwhelming praise? This crisis communication case study is a prime example of effective crisis communication:

Context: As the COVID-19 pandemic caused unprecedented disruptions to the travel and hospitality industry, Marriott International faced significant challenges, including drastic reductions in business, employee layoffs, and financial losses. Arne Sorenson’s video message became a key crisis communication case study by setting a benchmark for crisis communication strategies.

Analysis: Sorenson’s video was marked by its raw emotion, as he candidly acknowledged the severe impact of the pandemic on the company. He shared personal anecdotes, including his own battle with cancer, which humanized him and strengthened the message’s authenticity. As a prime example of crisis communications and effective planning, Sorenson communicated difficult decisions, such as employee layoffs, with empathy and transparency, helping to maintain trust and morale among Marriott employees.

Discussion: The video highlighted how authenticity in corporate crisis communication examples can strengthen organizational values and unity. By speaking openly about the challenges facing Marriott and his personal struggles, Sorenson connected with employees on a human level, which is often difficult to achieve in corporate communications.

Conclusion: This case study underscores the importance of transparency, emotional intelligence, and authenticity in crisis communication, providing valuable lessons for leaders in all industries.


2. Slack: Honesty is the Best Policy When Failures Occur

Effective crisis communication is about managing a message and building trust through honesty and transparency. Slack showed exactly how to do this during a service outage that left many users without access. Let’s take a look at the details behind Slack’s standout crisis management: 

Context: In February 2022, Slack, a widely used messaging platform, experienced a significant outage that left many users unable to access its services. The disruption was attributed to a configuration change that unexpectedly increased activity on the company’s database infrastructure, causing instability and downtime.

Analysis: Slack’s swift and transparent response serves as a strong crisis communication case study. The company posted updates on its status page approximately every 30 minutes, detailing its progress toward a solution and openly acknowledging any errors made during the process. Additionally, Slack used Twitter to keep users informed, using a tone that was both apologetic and sincere. This multi-channel approach ensured that users were kept in the loop throughout the five-hour disruption, demonstrating Slack’s commitment to honest and transparent communication.

Discussion: By being open about the problem, promptly sharing updates, and acknowledging their missteps, Slack reinforced its reputation as a customer-focused company. Their communication strategy aligned with best practices by being timely, transparent, and empathetic, which are essential elements in maintaining trust and credibility during a crisis. Moreover, Slack’s decision to use multiple platforms—its status page for detailed updates and Twitter for real-time communication—ensured that a wide audience was reached.

Conclusion: As one of the best crisis communication examples, Slack’s handling of the 2022 outage is a compelling case study in crisis communication. Their approach illustrates the importance of transparency, timely updates, and multi-platform engagement in managing public perception and maintaining trust during a crisis. By being forthright about the situation and openly acknowledging their errors, Slack not only managed to preserve user trust but also set a strong example for other brands on how to communicate effectively in the face of adversity.

3. Cracker Barrel: No Response is a Response

When Cracker Barrel unexpectedly found itself at the center of a social media storm over the firing of an employee, many expected the company to respond swiftly. However, Cracker Barrel opted for an unconventional crisis communication approach by letting the internet frenzy unfold without any public comment. This approach demonstrated that sometimes silence can be an effective part of a crisis management plan.

Our next case study explores how the brand’s decision to remain quiet during a viral crisis became a surprising example of how no response can be a powerful crisis communication strategy.

Context: In February 2017, Cracker Barrel faced a crisis when a customer named Bradley Reid publicly questioned why his wife, Nanette, was fired from her retail manager position after 11 years. His post on Cracker Barrel’s corporate website went viral, and the hashtag #JusticeforBradsWife began trending across social media. The situation quickly escalated, with over 17,000 signatures on a Change.org petition, altered Yelp and Google pages, and viral content on YouTube plus other platforms mocking the brand.

Analysis: Despite the growing public outcry and media attention, Cracker Barrel chose to remain silent. The company did not issue a public response, comment on the controversy, or acknowledge the online movement. While some brands and internet users capitalized on the situation for humor or publicity, Cracker Barrel’s silence became a notable aspect of the crisis.

Discussion: Cracker Barrel’s handling of the incident challenges traditional crisis communication techniques. While this strategy defied conventional wisdom, it ultimately had minimal impact on the brand’s core customer base, showcasing that an effective crisis communication plan can sometimes involve choosing not to engage.

Conclusion: The key takeaway for brands is that while silence carries risk, it can also prevent further escalation, especially when the crisis is fueled primarily by online chatter rather than significant operational failures or ethical breaches.

💡 PRO TIP: While certain situations are better left to fizzle out on their own, some require an internal communications response and plan to strengthen customer relationships. Read our article on how internal communication impacts customer engagement to learn more.

4. Johnson & Johnson: Immediate Corrective Action Saves the Day

In 1982, Johnson & Johnson found itself at the heart of a public health crisis. Instead of deflecting blame, the company launched an immediate, transparent response that set a new benchmark for crisis management.

This crisis communication case study is now one of the most notable examples of crisis communication. Read on to find out how the company’s approach became a model for corporate crisis response worldwide.

Context: Johnson & Johnson faced a major crisis when seven people in Chicago died after consuming Tylenol capsules laced with cyanide. Despite evidence suggesting that the tampering occurred after the product reached store shelves, the company’s handling of the situation became a benchmark for effective crisis communication.

Analysis: Johnson & Johnson immediately took decisive action by halting all Tylenol advertising, issuing safety warnings, and sending 450,000 messages to healthcare facilities and stakeholders. The company maintained full transparency and did not attempt to downplay the situation, even expressing regret for not switching to tamper-proof packaging sooner.

Discussion: The company’s response set a standard for crisis management, emphasizing transparency, accountability, and swift action. Johnson & Johnson’s efforts were widely praised by the media and public, helping the Tylenol brand recover and setting a precedent for how companies handle similar situations.

Conclusion: This crisis communication case study is considered one of the best examples of effective crisis management in corporate history. By prioritizing consumer safety, transparent communication, and taking immediate corrective action, the company not only reduced the impact of the crisis but also reinforced its reputation for integrity and responsibility.

5. Pepsi: Taking Responsibility Builds Trust

When Pepsi released an ad featuring Kendall Jenner, the company quickly found itself at the center of a public relations firestorm. This crisis communication case study explores how Pepsi managed the crisis with rapid communication and what lessons can be learned from their approach.

Context: In April 2017, Pepsi launched an advertisement featuring Kendall Jenner that quickly led to controversy. The ad portrayed Jenner leaving a modeling shoot to join a protest, ultimately handing a police officer a can of Pepsi to “resolve” tensions. The ad was immediately criticized for trivializing social justice movements and co-opting serious issues to sell a product. The backlash was intense, with widespread condemnation across social media and traditional news outlets, labeling it as tone-deaf and culturally insensitive.

Analysis: Initially, Pepsi defended the campaign by describing it as a message of global unity and harmony. However, within less than 24 hours, the company shifted its stance in response to the overwhelming criticism. Pepsi pulled the ad from all platforms and issued a second statement acknowledging its mistake: “Pepsi was trying to project a global message of unity, peace, and understanding. Clearly, we missed the mark, and we apologize.” This rapid decision-making showcased Pepsi’s agility in crisis management and its recognition of the public’s sentiment.

Discussion: Pepsi’s response was notable for its speed and directness. By quickly retracting the ad and publicly admitting fault, the company took a proactive stance that demonstrated accountability and empathy. This helped contain the immediate fallout and prevent a prolonged controversy that could have further damaged the brand’s reputation. Despite the initial uproar, Pepsi’s brand weathered the crisis relatively well, thanks largely to its quick acknowledgment of error and efforts to communicate openly with its audience.

Conclusion: Pepsi’s swift apology and the decision to pull the ad were crucial first steps in mitigating negative reactions. By responding quickly and sincerely, Pepsi managed to limit the damage to its reputation. This crisis communication case study demonstrates the importance of prompt, empathetic communication and taking responsibility in a crisis, which can help protect a brand’s image and maintain public trust.

Worst Crisis Communication Examples

1. OpenAI: Surprises Aren’t Always a Good Thing

After OpenAI abruptly fired its CEO, Sam Altman, the news sent shockwaves through the tech world. The decision, announced on a Friday afternoon with little explanation and no immediate plan for leadership succession, quickly escalated into a crisis. Let’s examine the missteps and lessons learned from this controversial episode in tech leadership.

Context: In November 2023, OpenAI faced a PR crisis when news broke that CEO Sam Altman had been abruptly fired. The announcement came on a Friday afternoon, catching the tech world by surprise and leaving major stakeholders, including Microsoft, in the dark.

Analysis: OpenAI’s response to the crisis was poorly managed and an example of bad crisis communications. The company failed to prepare for the backlash, and communication was inconsistent, with no immediate follow-up to address concerns. The decision to release the news on a Friday, without a clear successor or explanation, fueled confusion and criticism.

Discussion: This situation illustrates the pitfalls of inadequate crisis management. OpenAI’s lack of preparedness, inconsistent messaging, and poor timing resulted in a loss of trust among stakeholders and negative media attention. The newly appointed CEO later admitted that the process had not been handled smoothly, further highlighting the missteps.

Conclusion: The key lessons are clear: have a crisis communications plan in place, avoid releasing significant news on a Friday expecting it to pass unnoticed, and ensure consistent, clear communication with all stakeholders. Proper preparation and transparency are essential to maintaining trust and minimizing damage in such situations.

2. Twitter: Confusion and Controversy Aren’t the Way

When Elon Musk acquired Twitter for $44 billion, his unconventional approach to managing the platform quickly became a crisis.

This social media crisis communication example examines whether Musk’s unorthodox methods were reckless or a calculated risk — and what lessons can be learned from this high-profile rebranding saga.

Context: Since the Twitter acquisition, Musk had introduced a series of controversial changes, including firing employees, banning and unbanning users, charging for verification badges, and rebranding Twitter to “X” in 2023 without prior announcement.

Analysis: Musk remained active on the platform, nonchalantly implementing these changes without formal crisis communication strategies. The sudden rebranding unsettled some advertisers and users but eventually normalized as people adapted to the new brand name, “X.”

Discussion: While Musk’s unconventional approach garnered significant media attention, it demonstrated a lack of strategic PR planning. The rebranding could have been managed more effectively to avoid initial confusion and backlash.

Conclusion: Musk’s handling of Twitter’s rebranding offers a critical lesson: purposeful and well-communicated changes are crucial for maintaining brand trust and stability. The controversy underscored the need for structured crisis communication plans, especially during significant transitions.

💡 PRO TIP: If you’re experiencing challenges with organizational alignment, read our article on how to avoid miscommunication in the workplace.

3. Facebook: Slow and Vague Responses Breed Distrust

In the 2010s, Facebook found itself at the center of a massive data privacy scandal. This case study explores how Facebook’s delayed reaction to the scandal turned a breach of trust into one of the most significant PR disasters of the decade.

Context: Facebook faced a major crisis when it was revealed that Cambridge Analytica, a political consulting firm, had collected data from up to 87 million users without their consent through a third-party app. This data was then used to influence the 2016 U.S. presidential election, sparking public outrage and leading to one of the biggest PR crises.

Analysis: Facebook’s response to the scandal was slow and marked by a lack of transparency, making it one of the worst crisis communication examples. It took several days for CEO Mark Zuckerberg to publicly address the issue, explain what had happened, and identify those affected. By the time a formal apology was issued, significant reputational damage had already occurred, and trust in the platform was compromised.

Discussion: This crisis communication case study underscores the importance of a timely and transparent response in crisis management, especially when dealing with sensitive user data. The company’s initial failure to clearly communicate the facts of the situation and outline corrective measures compounded the fallout.

Conclusion: The Cambridge Analytica scandal serves as an example of crisis communication failure, emphasizing the need for prompt action to prevent lasting harm to a brand’s reputation. The key lesson for companies is to quickly explain what went wrong, who was affected, and what steps are being taken to prevent future issues.

How ContactMonkey Can Help with Crisis Communication

ContactMonkey can play a prominent role in crisis communication by providing internal communicators and HR leaders with the tools they need to deliver clear, timely, and effective messages. From email templates to emergency SMS text alerts , here’s what you’re offered to enhance crisis communication plans:

  • Real-time internal email tracking: Helps communicators monitor who opens emails, clicks links, and engages with the content.
  • Avoids spam filters: Reduces friction through the Outlook and Gmail integration to ensure emails don’t end up in junk mail.
  • Integrated email templates: Provides ready-to-use templates for crisis communication through the email builder, ensuring consistency and speed when delivering urgent messages.
  • Segmentation and personalization: Allows targeted communication to specific groups within the organization, reducing confusion and ensuring relevant information reaches the right people.
  • Analytics and feedback: Collects data on email performance and employee feedback through the analytics and reporting dashboard, enabling better decision-making and response adjustments during a crisis.
  • Lead with speed: Take advantage of our SMS for internal communications to reach employees quickly and reliably.

Ready to unlock the benefits of managing crisis comms effectively? Book a free demo and connect with our team to learn more about how to optimize your crisis communication strategy with ContactMonkey, today!


The Siasat Daily: Latest Hyderabad News, Telangana, Entertainment, India

Medic’s rape-murder: SC to hear on Monday RG Kar hospital incident case

Press Trust of India

New Delhi: The Supreme Court is scheduled to hear on Monday the case related to the murder and alleged rape of a junior doctor at the RG Kar Medical College and Hospital in Kolkata.

According to the cause list uploaded on the apex court’s website, a bench of Chief Justice D Y Chandrachud and justices JB Pardiwala and Manoj Misra is slated to hear on September 9 the case, which was initiated by the top court on its own.

The Centre has recently filed an application in the apex court alleging “unpardonable” non-cooperation by the West Bengal government in extending logistical support to the CISF, tasked with providing security at the hospital.

In its application, the Union Ministry of Home Affairs has termed the alleged non-cooperation of the Trinamool Congress (TMC) government as an example “symptomatic of a systemic malaise” and sought a direction to the state authorities to extend full cooperation to the Central Industrial Security Force (CISF).

In case of their failure to do so, the Centre has urged the apex court to initiate contempt proceedings against the state government officials concerned for “wilful non-compliance” of the court orders.

While hearing the matter on August 22, the top court tore into the Kolkata Police over the delay in registering the unnatural death of the doctor.

Making an impassioned appeal to the protesting doctors across the country, the apex court had also asked them to get back to work, saying “justice and medicine” cannot be stopped. Moreover, it said it was issuing all necessary directions to ensure their safety.

On August 20, the apex court had termed the rape and murder of the doctor as “horrific” and issued a slew of directions including setting up of a 10-member National Task Force to formulate a protocol for ensuring the safety and security of doctors and other health care professionals.

The murder and rape of the junior doctor inside a seminar hall of the state-run hospital sparked nationwide protests.

The medic’s body with severe injury marks was found inside the seminar hall of the hospital’s chest department on August 9. A civic volunteer was arrested by the Kolkata Police in connection with the case the following day.

On August 13, the Calcutta High Court transferred the probe from Kolkata Police to the CBI, which started its investigation on August 14.


IMAGES

  1. Example of a case summary from an incident submitted to the ICUSRS

  2. Homeland Security: Physical Security Incident Case Study

  3. (PDF) A Case Study on Investigation of Fire Accident Analysis in Cotton

  4. Case Study

  5. (PDF) Learning from Patient Safety Incident Investigations: A Case Study

  6. PPT

VIDEO

  1. Industrial relations case study animated video

  2. Madurai Train Blast Incident Case Study and full details

  3. Training video Clinical Incident Scenario for Investigation

  4. Case study on Khanna rail @ccident 1998

  5. Bengal Governor files defamation case against CM Mamata #mamata

  6. The KCA Safety Committee presents: Effective Accident Investigations

COMMENTS

  1. FEMA Case Study Library

    In 1995, within two weeks, the U.S. Virgin Islands (USVI) were hit by Hurricane Luis and Hurricane Marilyn. Hurricane Luis caused $300 million worth of damage, while Hurricane Marilyn caused even more of an impact. Marilyn was responsible for eight deaths and the loss or damage of 21,000 homes, including 75% of the residences on St. Thomas.

  2. Case Studies in Safety: A Great Training Tool

    Learn how to use real-life accident cases from OSHA files to train employees on safety hazards and prevention. This article presents a confined space incident case with discussion questions and analysis.

  3. PDF Incident Investigation Case Studies

    Incident Investigation Case Studies. In groups of two or three, determine what the incident was, the direct cause of the incident, the indirect causes of the incident, and what corrective actions should be put in place to prevent incidents from reoccurring. Case study 1: A lift truck operator received extensive acid burns to his face and hands when a 50 ...

  4. BSAFE INCIDENT CASE STUDY 09: FALL OF A HEAVY OBJECT

    This case study is drawn from the investigation report 11/2020 published by the Marine Accident Investigation Branch (MAIB). The purpose of this case study is to support and encourage reflective learning. The details of the case study may be based on, but not necessarily identical to, facts relating to an actual incident.

  5. Case Studies

    3 - CHEF Case Study: Runaway Styrene at LG Polymer. 4 - RAST Case Study: Runaway Reaction T2 Laboratories. 5 - RAST Case Study: Chlorine Release DPC Enterprises. 6 - RAST Case Study: Vapor Cloud Explosion Phillips Petroleum. The following case studies can be used with RAST and are based on actual incidents.

  6. Accident Case Studies

    Get instant access to Flight Training's special issue titled You Can Fly: Your Path to Become a Pilot. This beginning pilots' resource guide explains what you can expect from your introductory flight through initial training— and how to turn your dream of flying into reality. Simply enter your name and email address. Get Your Free Guide Here !

  7. Case Studies

    Case Studies - Safety Management

  8. Case Studies in Construction Safety: Lessons Learned from Real

    Case Study 3: Trench Collapse. Incident: A trench collapse occurred due to a lack of proper shoring and trench boxes, trapping workers. Consequences: Fatalities and serious injuries, alongside OSHA fines and criminal charges. Lessons Learned: The vital role of following trench safety guidelines, including proper shoring and having a trench ...

  9. PDF INCIDENT CASE STUDY

    INCIDENT CASE STUDY 3. The ship grounded because it had drifted to the south of the planned track due to the tidal stream while on autopilot. The OOW did not monitor the ship's progress for about two hours, while sitting in the bridge chair watching videos on his mobile phone. It is also possible that he fell asleep periodically during this ...

  10. PDF INCIDENT CASE STUDY No

    INCIDENT CASE STUDY No.4

  11. Enhancing Safety Culture Through Improved Incident Reporting: A Case

    This case study explored a holistic approach to implementation, addressing a range of concerns that restrict the ability of incident reporting to fuel a learning culture. 29 The experience of ...

  12. The Case of the Wobbly Ladder: An Accident Investigation Case Study

    Here is a simple accident investigation case study. This is the accident scenario: An employee is working on a ladder and the ladder seems to collapse.The employee falls off the ladder and breaks arm. The investigation reveals the following details: Employee had worked seven 12-hour shifts in a row. Accident happened at end of shift.

  13. Accident case studies

    The case studies concentrate on some of the key themes which are being targeted by HSE, including; Overhead power lines. Electrical maintenance. Excavations. Ignition of flammable atmospheres. The case studies in this section indicate when fines and costs have been awarded where there was a prosecution. The real cost of the accidents is much ...

  14. PDF Incident Case Study

    The purpose of this case study is to support and encourage reflective learning. The details of the case study may be based on, but not necessarily identical to, facts relating to an actual incident. Any lessons learned or comments are not intended to apportion blame on the individuals or company involved. Any suggested practices

  15. Construction Incidents Investigation Engineering Reports

    The final resolution of the enforcement case may result in changes to the initial proposed alleged violation(s). ... An incident occurred on March 31, 2013 inside the turbine building of Unit 1 at the Arkansas Nuclear One power plant in London/Russellville, AR. During the scheduled refueling outage of Unit 1, it was pre-planned to replace the ...

  16. ACS Institute

    Case studies are an effective publication method used to document the facts and analysis of a specific observation or incident. The content and format of a case study can vary depending on several factors, including the purpose of the case study, the degree of analysis available at the time of the report, the derived lessons learned, and any ...

  17. Mass Casualty Incident Case Studies

    Mass Casualty Incident Case Studies

  18. Incident Case Study: Unauthorized Access and Data Breach

    1. Case Study: I create a detailed case study that covers the incident, its impact, the attacker's methods, and our organization's response. I also include recommendations for improving security.

  19. Cyber Security Incident Response Case Study

    Cyber Security Incident Response Case Study. The unfortunate truth with cyber security incident response is that sometimes the attackers come out ahead. This was the case with a recent incident we responded to, during which it felt like everything that could go wrong did. The past can be a powerful teacher, and we invite you to use this case ...

  20. Case Study: Incident Response is a relationship-driven business

    Incident response is a relationship-driven business. CTIR retainers are critical for organizations to augment their IR capabilities. A tested incident response plan that accurately reflects your organization's current capabilities is critical, as evidenced in the two Case Studies we released today. Organizational and third-party relationships ...

  21. Microsoft Incident Response ransomware case study

    Ransomware execution. Ransomware execution is one of the primary methods that a threat actor uses to monetize their attack. Regardless of the execution methodology, distinct ransomware frameworks tend to have a common behavioral pattern once deployed: Obfuscate threat actor actions. Establish persistence.

  22. PDF ELECTRICAL ACCIDENT: A CASE STUDY

    Electricity is present at virtually every jobsite, work area and place of employment. The following accident analysis discusses just that kind of case. On 17 August 1990, a 53-year-old male worker was working the day shift (7 am to 3 pm) at a major steel company. He was part of a four-man crew that was conducting normal daily activities.

  23. The five-day job: A BlackByte ransomware intrusion case study

    Our investigation found that within those five days, the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware, to achieve their objectives. These techniques included: Exploitation of unpatched internet-exposed Microsoft Exchange Servers.

  24. The Impact of Case Studies on Safety Training

    Select case studies with care. ... Combine different features to create a blended learning experience, like interviews and/or a 3D recreation of the incident with explanations by an expert on how the incident could've been prevented. This can drive home the point of occupational safety and hazard association (OSHA) training. ...

  25. Therac-25

    Therac-25 - Wikipedia ... Therac-25

  26. 5 Best Crisis Communication Case Studies and Examples

    This case study explores how Facebook's delayed reaction to the scandal turned a breach of trust into one of the most significant PR disasters of the decade. Context: Facebook faced a major crisis when it was revealed that Cambridge Analytica, a political consulting firm, had collected data from up to 87 million users without their consent ...

  27. Medic's rape-murder: SC to hear on Monday RG Kar hospital incident case

    In its application, the Union Ministry of Home Affairs has termed the alleged non-cooperation of the Trinamool Congress (TMC) government as an example "symptomatic of a systemic malaise" and sought a direction to the state authorities to extend full cooperation to the Central Industrial Security Force (CISF).

  28. 2024 R. G. Kar Medical College and Hospital rape and murder

    This article may be affected by a recent event. The information given on this page may change sooner or later (in the near or distant future) as the recent event ...

  29. MP: Man who shot video of Ujjain rape incident held

    Ujjain: Police have arrested the man who allegedly recorded a video of a rape incident that took place in Ujjain, said a police officer on Saturday. The man has been identified as Mohammad Salim (43 ...

  30. Incident Display

    Incident. Incident type: Injury ICR: 24603135 Date/Time: 09/05/2024 06:53 District: 2600 St. Cloud Case Information Contact: 320-223-6666 Media Contact: Sgt. Jesse Grabow (218) 639-3168 Location: Highway 40/75th St SW, SAINT JOHNS TWP, Kandiyohi County ...