During a NOC shift handoff, a critical ransomware-detection alert for a client is missed. The outgoing shift marked it as acknowledged but did not brief the incoming shift. The ransomware spreads for 4 additional hours before discovery.
Pattern: UNKNOWN
Severity: CRITICAL
Confidence: 85%
Remediation: Remote Hands
Test Results

Metric               | Expected | Actual                                                               | Result
---------------------|----------|----------------------------------------------------------------------|-------
Pattern Recognition  | UNKNOWN  | UNKNOWN                                                              |
Severity Assessment  | CRITICAL | CRITICAL                                                             |
Incident Correlation | Yes      | 17 linked                                                            |
Cascade Escalation   | N/A      | No                                                                   |
Remediation          | —        | Remote Hands — Corax contacts on-site support via call, email, or API |
Scenario Conditions
NOC 24/7 operation with 8-hour shifts. Critical ransomware alert received at shift change (6:58 AM). Outgoing tech acknowledges the alert at 6:59 AM. No verbal handoff; the outgoing tech leaves at 7:00 AM. Incoming tech does not see the acknowledged alert. Ransomware encrypts 3 additional file servers over the next 4 hours.
Injected Error Messages (2)
Critical ransomware alert acknowledged but not actioned — EDR detected ransomware activity at 06:58, alert acknowledged at 06:59 during shift change, no handoff to incoming NOC team, ransomware continued spreading for 4 hours undetected, 3 additional file servers encrypted, initial alert was for suspicious file encryption pattern on fs01
Client file servers encrypted by ransomware — fs01 (initially detected), fs02, fs03, fs04 all showing encrypted file extensions .locked, ransomware spread uncontained for 4 hours after initial detection, NOC shift handoff gap caused delayed response, total affected data: 12TB across 4 file servers
Neural Engine Root Cause Analysis
This is a compound incident involving both a security breach and an operational failure. The primary issue is that ransomware was detected at 06:58 but, because shift-change procedures failed, the alert was acknowledged but not properly handed off to the incoming NOC team, allowing the ransomware to spread undetected for 4 hours. The EDR dashboard at 10.10.11.50:443 is now down, likely because the ransomware affected the monitoring infrastructure itself or the underlying file servers (fs01 and 3 additional encrypted servers). The 9 correlated incidents within the same timeframe strongly suggest this is a cascading failure from the ransomware spread.
Remediation Plan
1. Immediately isolate affected systems (fs01 and 3 additional file servers) from the network to prevent further spread.
2. Activate the incident response team and security operations center.
3. Assess the EDR dashboard server (10.10.11.50) for ransomware infection and isolate it if compromised.
4. Restore the EDR dashboard from a clean backup or rebuild it on clean infrastructure.
5. Conduct forensic analysis on the encrypted systems.
6. Review and strengthen shift handoff procedures to prevent future alert mishandling.
7. Implement additional monitoring for shift change periods.
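The failure mode in this scenario is detectable by the alerting platform itself, which is what remediation items 6 and 7 amount to in practice: an acknowledgement is a promise to act, not a resolution, and an ack placed minutes before a shift boundary with no recorded handoff has no owner once the boundary passes. The watchdog below is an added example written for this page, not Corax code. The shift boundaries (07:00, 15:00, 23:00), the grace windows, the Alert record fields, and the sample alerts are all assumptions or constructed data; the first sample alert mirrors the fs01 timeline above (detected 06:58, acked 06:59, no handoff, no action).

```python
"""Stale-acknowledgement watchdog for critical NOC alerts.

Added example for this page, not Corax code. A CRITICAL alert that is acked
but not actioned within a grace window is re-paged, and an ack placed just
before a shift boundary with no recorded handoff is re-paged to the incoming
shift as soon as the boundary passes. Shift times, grace windows, the Alert
fields and the sample alerts are assumptions / constructed data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed 8-hour NOC rota: shifts change at 07:00, 15:00 and 23:00.
SHIFT_BOUNDARIES = (7, 15, 23)
# An acked CRITICAL alert may sit this long without action before re-paging.
ACK_GRACE = timedelta(minutes=15)
# An ack this close to a shift change needs an explicit handoff record.
HANDOFF_WINDOW = timedelta(minutes=10)


@dataclass
class Alert:
    alert_id: str
    host: str
    severity: str
    detected: datetime
    acked_at: Optional[datetime] = None
    acked_by: Optional[str] = None
    handed_off_to: Optional[str] = None   # incoming tech who accepted the alert
    actioned_at: Optional[datetime] = None


def next_shift_change(t: datetime) -> datetime:
    """Return the first shift boundary strictly after t."""
    for hour in SHIFT_BOUNDARIES:
        boundary = t.replace(hour=hour, minute=0, second=0, microsecond=0)
        if boundary > t:
            return boundary
    # Past the last boundary of the day: next change is the first one tomorrow.
    return (t + timedelta(days=1)).replace(
        hour=SHIFT_BOUNDARIES[0], minute=0, second=0, microsecond=0)


def evaluate(alert: Alert, now: datetime) -> Tuple[str, str]:
    """Classify one alert as ('ok' | 'escalate' | 'ignore', reason)."""
    if alert.severity != "CRITICAL":
        return ("ignore", "watchdog only tracks CRITICAL alerts")
    if alert.actioned_at is not None:
        return ("ok", "actioned")
    if alert.acked_at is None:
        if now - alert.detected > ACK_GRACE:
            return ("escalate", "unacknowledged beyond grace period")
        return ("ok", "awaiting acknowledgement")
    # Shift-boundary rule: an ack made just before the change with nobody on
    # the incoming shift recorded as owner becomes ownerless at the boundary,
    # so it is re-paged immediately rather than after ACK_GRACE.
    boundary = next_shift_change(alert.acked_at)
    if (boundary - alert.acked_at <= HANDOFF_WINDOW
            and alert.handed_off_to is None
            and now >= boundary):
        return ("escalate", "acknowledged at shift change without handoff")
    if now - alert.acked_at > ACK_GRACE:
        return ("escalate", "acknowledged but not actioned")
    return ("ok", "acknowledged, within action grace period")


def run_watchdog(alerts: List[Alert], now: datetime) -> List[Tuple[str, str, str]]:
    """Return (alert_id, host, reason) for every alert that must be re-paged."""
    to_page = []
    for alert in alerts:
        state, reason = evaluate(alert, now)
        if state == "escalate":
            to_page.append((alert.alert_id, alert.host, reason))
    return to_page


# Constructed sample data. A-1 mirrors the fs01 timeline from the scenario:
# detected 06:58, acked 06:59 by the outgoing tech, no handoff, no action.
DAY = datetime(2024, 1, 1)   # arbitrary date


def at(hour: int, minute: int) -> datetime:
    return DAY.replace(hour=hour, minute=minute)


SAMPLE_ALERTS = [
    Alert("A-1", "fs01", "CRITICAL", at(6, 58), acked_at=at(6, 59), acked_by="night-tech"),
    Alert("A-2", "fs09", "CRITICAL", at(6, 50), acked_at=at(6, 59), acked_by="night-tech",
          handed_off_to="day-tech"),
    Alert("A-3", "db02", "CRITICAL", at(5, 0), acked_at=at(5, 5), actioned_at=at(5, 20)),
    Alert("A-4", "web01", "CRITICAL", at(6, 30), acked_at=at(6, 31)),
    Alert("A-5", "fs03", "WARNING", at(6, 58), acked_at=at(6, 59)),
]

if __name__ == "__main__":
    for alert_id, host, reason in run_watchdog(SAMPLE_ALERTS, at(7, 5)):
        print(f"RE-PAGE {alert_id} ({host}): {reason}")
```

Run at 07:05 it re-pages A-1 (acked at shift change, no handoff) and A-4 (acked mid-shift, never actioned, past the grace window); A-2 was acked in the same minute as A-1 but carries a handoff record, so it is left alone until its own grace window expires. Wiring the re-page list to a pager or to the Remote Hands path named in the remediation column is the integration step this example stops short of.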