Nameless Exploration discover a large and easily accessible deposit of high-grade graphite in South Australia. Such is the demand, international investors line up to participate in a joint venture and soon the company is flush with development funds.

Because the discovery creates news around the world, it comes to the attention of cyber criminals, the Lazarus Gang in North Korea. They create a spear phishing porn email and lure one of the Nameless Exploration employees to click on a link that downloads malware to their computer.

Nameless Exploration has failed to apply basic information risk management practices, uses outdated firmware, hasn’t changed the default router username and password and has enabled remote web admin access and Telnet. As a result, it’s easy for the gang to penetrate the entire computer network, discovering and exfiltrating valuable mining exploration data.

Once the networks are fully compromised, the hackers freeze all the computers and display a ransomware message. In return for $1 million dollars in bitcoin, they will unlock the network.

Because Nameless has neglected to back their data up to an off-network server, they realise they have little choice. They have no plan for this kind of crisis and haven’t prepared in advance.

The Board meets and agrees to pay the ransom, hoping to keep the incident quiet. The gang have other plans, releasing news of the payout.

Now, Nameless spend weeks rebuilding their servers. The disruption to their business and lost productivity is a bitter pill, but nothing like the loss of confidence from their investors. The Nameless brand gets trashed in the marketplace, especially after regulatory fines punish the company for failing to come clean to the Government about the truth behind the attack.

The good news story about their graphite discovery swiftly becomes a nightmare, all because they were unwilling to consider adopting internationally recognised standards in informational management and cybersecurity.