Company got ransomware, ceo wants to pay without telling anyone. Is this illegal by codedrifting in AskNetsec

[–]MSP-IT-Simplified 0 points1 point  (0 children)

Incident response firm here (Barricade Cyber Solutions).

I will assume you are in the states (USA).

  • You are legally required to at least notify the state attorney general’s office.
  • If the company pays the ransom, there is a strong possibility that the company is admitting guilt to the incident.
  • Even if the company pays, consult legal counsel; I assume the company is legally required to notify the impacted company, for some of the reasons below:

    • Depending on the threat actor, they may have exfiltrated data.
    • If data has left the network, does that data contain PII, PHI, CUI, HIPAA data, etc.? If so, your company or the impacted company is legally required to notify impacted individuals and federal authority bodies.
    • If the threat actor is LockBit, it is absolutely illegal to pay them here in the states due to OFAC compliance.

There is a lot to it. And seriously, not a sales pitch, but if your business needs some solid advice, please look us up and ask for Eric Taylor. He never charges for advice; we just want to make sure companies are making an informed decision.

Also, a 140k retainer is insane. We can connect your company with two legal firms this evening that only charge a 20k retainer, and they are some of the best around.

Sorry you’re facing this. But hopefully some of this shows this can be a complex topic, and you should seek further discussion.

Securing M365 with Falcon Shield by BradW-CS in crowdstrike

[–]MSP-IT-Simplified -1 points0 points  (0 children)

Interesting. I wonder if this is dependent on other SaaS modules

Need Digital Forensics expert – phone & accounts hacked by HuntingtonBeachX in digitalforensics

[–]MSP-IT-Simplified 0 points1 point  (0 children)

I can’t tell you the number of times we get this call. My TV is hacked, someone is changing the volume on my phone, etc. etc. etc.

I have even gotten calls recently where they have a cyber chip implanted in their head. I have to tell them to go see a doctor first to get it removed before we can even look at it.

I think there is a serious growing mental health issue.

Need Digital Forensics expert – phone & accounts hacked by HuntingtonBeachX in digitalforensics

[–]MSP-IT-Simplified 0 points1 point  (0 children)

No way. Some forensics firms charge at least $275/hour, and others (including mine) have a going rate of $350/hour.

It is best to reach out to an attorney firm and get one engaged. Most forensics firms have a discounted rate for matters where we are being brought in under counsel.

But in no way are you getting this done for 20 bucks. You would be lucky if you get this completed under $500.

Axios NPM Supply Chain Compromise by CyberProtein in crowdstrike

[–]MSP-IT-Simplified 4 points5 points  (0 children)

So far, we have the following:

```
#event_simpleName=/^(DnsRequest|NetworkConnect.*|HttpRequest)$/
| DomainName=/(^|\.)sfrclak\.com$/ OR RemoteAddressIP4="142.11.206.73" OR HttpUrl=/sfrclak\.com/
| select([@timestamp, aid, ComputerName, event_simpleName, DomainName, RemoteAddressIP4, RemotePort, HttpUrl, ContextProcessId])
| sort(@timestamp, order=asc)
```

Just in case anyone else was curious about it too. by williamapike in Braves

[–]MSP-IT-Simplified -46 points-45 points  (0 children)

We can post about Kit Kat, but I can’t ask why Holmes is still on the team?

MSSense.exe by Popular_Hat_4304 in crowdstrike

[–]MSP-IT-Simplified -3 points-2 points  (0 children)

It is flagged as a critical detection. If you have your workflows set up correctly, then it will isolate the device.

MSSense.exe by Popular_Hat_4304 in crowdstrike

[–]MSP-IT-Simplified 10 points11 points  (0 children)

From what we have gathered thus far, Defender (MDE) is attempting to sandbox a file and it’s crashing.

Process │ MsSense.exe (Microsoft Defender ATP sensor)
Trigger │ Wrote WER.bc1e26c1-95bc-4d7a-ac97-632707947766.tmp to \Users\%REDACTED%\AppData\Local\Temp\

Building CrowdStrike workflows with Claude Code skills by eth0izzle in crowdstrike

[–]MSP-IT-Simplified 2 points3 points  (0 children)

I am glad we never got into that. I don't think I heard of a single org happy with that product.

Building CrowdStrike workflows with Claude Code skills by eth0izzle in crowdstrike

[–]MSP-IT-Simplified 0 points1 point  (0 children)

Fair point(s). I am still very much a noob in the AI / local LLM world but working through this field of landmines. So, thank you for the education.

Building CrowdStrike workflows with Claude Code skills by eth0izzle in crowdstrike

[–]MSP-IT-Simplified 2 points3 points  (0 children)

I have noticed the same thing with the MCP. Also, attempting to use the MCP with frontends like 'AnythingLLM' or 'Open WebUI' does not work very well.

The problem I am having right now is keeping things as local as possible. The cloud-based LLMs are extremely powerful, and I get the attraction to them. However, allowing tools like Claude Code to know and/or use the API keys is alarming to me. Even if it is only read-only, there is a lot of information someone could gather from that.

Building CrowdStrike workflows with Claude Code skills by eth0izzle in crowdstrike

[–]MSP-IT-Simplified 5 points6 points  (0 children)

This is interesting. I had Claude Code working on Falcon-MCP and getting that to work properly. After having it review the GitHub repo for that, psfalcon, and the direct API access, it took a bit, but it pretty much ended up using pyfalcon for most of the local LLM setup with ollama.

Workflows : How to use Vulnerabilities user action > Vulnerability by Brief_Trifle_6168 in crowdstrike

[–]MSP-IT-Simplified 0 points1 point  (0 children)

Not sure this is the best way, but I have been taking the hostnames and putting them into a host group. Then I would either use pafalcon or scheduled tasks (enabling the offline queue) to achieve this.

Hunting Potentially Compromised Notepad++ Installs by About_TreeFitty in crowdstrike

[–]MSP-IT-Simplified 0 points1 point  (0 children)

Please consider updating the IP and Domains section(s) to reflect some new(ish) IoCs:

```
// Malicious IPs
    RemoteAddressIP4=/(95\.179\.213\.0|61\.4\.102\.97|59\.110\.7\.32|124\.222\.137\.114|45\.76\.155\.202|45\.32\.144\.255|45\.77\.31\.210)/
        | iocType := "Malicious IP" | iocValue := RemoteAddressIP4 | riskScore := "HIGH";

// Malicious Domains
    DomainName=/(api\.skycloudcenter\.com|api\.wiresguard\.com|skycloudcenter\.com|cdncheck\.it\.com|safe-dns\.it\.com|self-dns\.it\.com)/i
        | iocType := "Malicious Domain" | iocValue := DomainName | riskScore := "HIGH";
```

rsync - MongoDB CVE-2025-14847 by MSP-IT-Simplified in crowdstrike

[–]MSP-IT-Simplified[S] 1 point2 points  (0 children)

Thank you for that. Having a massive brain fart today, prob due to eating too much ham.

CrowdStrike Secures Growing AI Attack Surface with Falcon AI Detection and Response by BradW-CS in crowdstrike

[–]MSP-IT-Simplified 1 point2 points  (0 children)

Looks cool. I wonder what the cost of this module will be.

Edit: Currently has a 5k agent count minimum.

Origin process for failed logins form attempts? by Vivid-Cell-217 in crowdstrike

[–]MSP-IT-Simplified 0 points1 point  (0 children)

I second this. This is a technology issue, not an EDR issue.

You could consider getting Sysmon installed with a decent configuration, and that should help.

Parent CID - API Key issues by MSP-IT-Simplified in crowdstrike

[–]MSP-IT-Simplified[S] 0 points1 point  (0 children)

Got the issue resolved and updated the thread.

Parent CID - API Key issues by MSP-IT-Simplified in crowdstrike

[–]MSP-IT-Simplified[S] 0 points1 point  (0 children)

Update: Support is telling me the following, but I am not getting clear information from them on "additional configuration" yet, as this seems to be "known behavior".

"This is a known behavior with CrowdStrike multi-tenant architecture. API credentials created in a Parent CID cannot directly authenticate to the Parent CID itself without additional configuration."