14

So our main web server got ransomware'd.

By some miracle only a shared directory was compromised and not the whole server.

The server is on an end-of-life OS (Windows Server 2008 R2), no antivirus solution, no WAF, no log hardening or aggregation, so basically our Security MSP told us "lol good luck finding the attack origin, nuke it and rebuild it correctly this time".

Thing is IT leadership is like "Eh, no harm done, everything is fine" and want to sweep it under the rug and not report it to senior management.

How do I go about convincing them that this is actually important and that for once in their lives they should give a fuck? (This web server is the main moneymaker; if it goes tits up, heads are gonna roll.)

Comments
  • 6
    If they aren't convinced that they should invest a bit to keep their main source of income afloat, you probably won't convince them either.
  • 10
    You can either leave the shitshow, or report it to senior management yourself - in which case either their heads or yours will roll, depending on whether senior management are also idiots or not.
  • 7
    I think if you tell seniors their money is on the line, they will listen.
  • 0
    Quit that shit show before it blows up.
  • 0
    Hack it yourself.
  • 3
    Hacking yourself is a bad idea.

    Especially as it is illegal.

    Depending on your country, certain agencies exist that take anonymous complaints when a company does "baaaaad insecure stuff".

    Last resort, as when an audit happens, it will most likely end up in a lot of money loss, maybe even bankruptcy. Depending on state, the fines and the audits are "ouch".

    What management usually likes is a no-brainer Excel sheet listing the possible attack vectors, the cost of downtime and the estimated profit.

    Profit as in "if it runs faster, we can do more stuff".

    Keep this simple. Layman terms.
  • 1
    Do you need to comply with the GDPR? If yes, an anonymous tip to one of the agencies should help. I recommend the German one if you can choose; they are not afraid to make companies pay.
  • 2
    On Wednesday my mentor told a story about something that happened to a client around 5 years ago. The client was a very small company, and its whole business was on a server that got ransomware'd. No backup existed. The hacker was asking for 800€ to get the key (in bitcoins, of course).

    My mentor told them that they had two choices: either start from scratch (and probably declare bankruptcy a few days later) or pay the 800€ and hope that the hackers are honest (as honest as hackers can be at least).

    Luckily for them, as soon as the transaction was validated, they got a file containing the key... and a whole bunch of links on how to do automated and regular backups.
    I don't know who those hackers were, but I think I love them a bit.
  • 1
    If you have told them that not caring about it and sweeping it under the rug will lead to a financial loss for them, then you have the following options:
    - Escalate it to higher management.
    - Get Tae Fuck outta there (I'd recommend doing that only after the above option has failed and if HR is entirely useless).