Dan’s Doughnuts, a fictional retail business with 12,900 stores worldwide and a $1.3 billion annual turnover, was hit by a ransomware attack. The attackers encrypted files, exposed staff identities, and disrupted critical IT operations, including finance, product distribution, and billing. The company faced a ransom demand of over $1 million in Bitcoin, with a 48-hour deadline. The attack left management blindfolded, unable to access the datacenter or monitor operations remotely. The lack of a ransomware response plan led to chaos, with no clear recovery order for IT systems. Immutable backups were compromised, requiring restoration in a clean room, and the board became involved, expressing anger over the impact on stock prices. The simulation highlighted the need for a well-defined attack response playbook and ongoing employee training.
TPRM report: https://www.rankiteo.com/company/dansmanagement-dunkin
{
  "id": "dan910080725",
  "linkid": "dansmanagement-dunkin",
  "type": "Ransomware",
  "date": "7/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Retail',
                        'location': 'Worldwide',
                        'name': "Dan's Doughnuts",
                        'size': '12,900 stores',
                        'type': 'Retail business'}],
 'attack_vector': 'Phishing',
 'data_breach': {'data_encryption': 'Files encrypted',
                 'personally_identifiable_information': 'Staff identity',
                 'type_of_data_compromised': 'Staff identity and system '
                                             'monitoring facilities'},
 'description': 'A simulated ransomware attack on a fictional retail business, '
                "Dan's Doughnuts, during a Cohesity Ransomware Resilience "
                'Workshop. The attack encrypted files, exposed staff identity '
                'and system monitoring facilities, and demanded a ransom of '
                'over $1 million in Bitcoin. The workshop highlighted the lack '
                'of a ransomware attack response plan and the need for attack '
                'response playbooks and insulated clean room recovery '
                'facilities.',
 'impact': {'brand_reputation_impact': 'Damaged reputation',
            'data_compromised': 'Staff identity and system monitoring '
                                'facilities',
            'identity_theft_risk': 'Staff identity exposed',
            'legal_liabilities': 'Legal risks in paying Bitcoin to a '
                                 'potentially sanctioned country',
            'operational_impact': 'Most business IT operations were down',
            'systems_affected': ['NOC SharePoint server',
                                 'Domain controllers',
                                 'Computer-controlled entry system',
                                 'Remote monitoring application',
                                 'Finance systems',
                                 'Product distribution systems',
                                 'Billing systems']},
 'lessons_learned': 'The need for a ransomware attack response plan, attack '
                    'response playbooks, insulated clean room recovery '
                    'facilities, and ongoing employee phishing attack '
                    'training.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Develop a ransomware attack '
                                                  'playbook, conduct simulated '
                                                  'attacks, involve board '
                                                  'members in planning, and '
                                                  'provide ongoing phishing '
                                                  'attack training',
                            'root_causes': 'Lack of a ransomware attack '
                                           'response plan and insufficient '
                                           'employee training'},
 'ransomware': {'data_encryption': 'Files encrypted',
                'ransom_demanded': '$1 million in Bitcoin'},
 'recommendations': 'Develop a ransomware attack playbook, conduct simulated '
                    'attacks, involve board members in planning, and provide '
                    'ongoing phishing attack training.',
 'references': [{'source': 'Cohesity Ransomware Resilience Workshop'}],
 'response': {'incident_response_plan_activated': 'No pre-existing ransomware '
                                                  'attack response plan',
              'recovery_measures': 'Restore immutable backups to a clean room '
                                   'and check before releasing to production'},
 'threat_actor': 'Igor',
 'title': "Simulated Ransomware Attack on Dan's Doughnuts",
 'type': 'Ransomware'}