Preamble: This exercise is designed to help technical and administrative staff or faculty prepare for a ransomware attack and understand their roles and actions if there was a real event.  The exercise is expected to be at a higher level and not go down to detailed technical actions, but the outcome of the exercise may lead to documenting those specific activities.

Before starting, select people from your unit to take part in this tabletop exercise who would be present if you suffered a ransomware event.

Expected Outcome:  This exercise will either validate a current incident response plan in relation to a ransomware attack or lead to creating a plan based on any gaps identified.  Note: There are two variations of the scenario at the end of the document that can be used to practice further and improve your response.

Resource: The Incident Response Playbook for Ransomware has more detail and is useful reading ahead of the exercise.

Scenario:

A staff member working in Human Resources just called you in a panic that they can’t open any of their files, and when they looked, they all have ‘.ryk’ appended to their filename. When you get to their desk to help, you find that a RyukReadMe.txt file is now in every folder. The file contains directions for email contact, further instructions, and an offer to decrypt two files for free. No specific ransom is mentioned, but the note mentions a BTC (Bitcoin) address for payment. While you are reviewing the first computer, you get two additional calls from other staff members in Finance and Advancement complaining of the same thing.

Actions:

What are your first actions from this point to contain or minimize the attack?

  • How will you identify the scope of the attack?
  • What methods can you use to contain the attack?
  • How can you ensure the attackers are not still active in your network?

___________________________________________________________________

___________________________________________________________________
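A concrete way to answer the scoping question, added here as an example and not part of the exercise document: the script below walks a file share and tallies the indicators the scenarios name (the appended ‘.ryk’ extension and the RyukReadMe.txt note, plus the ‘.ecc’ extension from Scenario 3) per top-level folder, then orders the affected folders by the earliest write time of an encrypted file. That ordering tells you where encryption started, which is the first lead for "which host or account had write access here" later in the exercise. The sample share it builds in a temporary directory, with its folder names, file names and timestamps, is constructed for the example so it runs offline; point scope_share() at a real share path to use it for real.

```python
"""Scope a file share hit by ransomware by counting indicators per top-level folder.

Added tabletop aid, not code from the exercise document. The indicator names come
from the exercise scenarios; the sample share below is constructed test data.
"""
import os
import tempfile
from datetime import datetime, timezone

# Indicators named in the scenarios: appended extensions and the dropped ransom note.
RANSOM_EXTENSIONS = {".ryk", ".ecc"}
RANSOM_NOTE_NAMES = {"ryukreadme.txt"}


def scope_share(root):
    """Walk `root` and return {top_level_folder: stats} for folders showing indicators.

    stats holds the encrypted-file count, the ransom-note count, and the earliest and
    latest modification time of encrypted files (the encryptor wrote them, so mtime
    approximates when that folder was hit).
    """
    summary = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        top = "." if rel == "." else rel.split(os.sep)[0]
        stats = summary.setdefault(
            top, {"encrypted": 0, "notes": 0, "first_seen": None, "last_seen": None}
        )
        for name in filenames:
            lower = name.lower()
            if lower in RANSOM_NOTE_NAMES:
                stats["notes"] += 1
                continue
            if os.path.splitext(lower)[1] not in RANSOM_EXTENSIONS:
                continue  # untouched file
            stats["encrypted"] += 1
            mtime = os.path.getmtime(os.path.join(dirpath, name))
            if stats["first_seen"] is None or mtime < stats["first_seen"]:
                stats["first_seen"] = mtime
            if stats["last_seen"] is None or mtime > stats["last_seen"]:
                stats["last_seen"] = mtime
    # Keep only folders that show at least one indicator.
    return {k: v for k, v in summary.items() if v["encrypted"] or v["notes"]}


def affected_in_order(summary):
    """Return (folder, stats) pairs ordered by the earliest encrypted-file mtime.

    Folders that only contain a note (no encrypted files) sort last.
    """
    return sorted(
        summary.items(),
        key=lambda item: (item[1]["first_seen"] is None, item[1]["first_seen"] or 0),
    )


def format_report(summary):
    """Render one line per affected folder, earliest hit first."""
    lines = []
    for folder, s in affected_in_order(summary):
        first = "n/a"
        if s["first_seen"] is not None:
            first = datetime.fromtimestamp(s["first_seen"], timezone.utc).isoformat()
        lines.append(
            f"{folder}: {s['encrypted']} encrypted, {s['notes']} note(s), first write {first}"
        )
    return "\n".join(lines)


def build_sample_share():
    """Create a constructed sample share (made-up names and times) in a temp directory."""
    root = tempfile.mkdtemp(prefix="tabletop_share_")
    base = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc).timestamp()
    layout = {  # relative path -> mtime; HR is hit first, then Finance, then Advancement
        "HR/benefits.xlsx.ryk": base,
        "HR/RyukReadMe.txt": base + 5,
        "HR/onboarding.docx.ryk": base + 60,
        "Finance/ledger.xlsx.ryk": base + 900,
        "Finance/RyukReadMe.txt": base + 905,
        "Advancement/donors.csv.ryk": base + 1800,
        "Advancement/RyukReadMe.txt": base + 1805,
        "Maintenance/schedule.pdf": base - 86400,  # untouched folder
        "Public/notes.txt": base - 86400,  # untouched folder
    }
    for relpath, ts in layout.items():
        path = os.path.join(root, *relpath.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.utime(path, (ts, ts))
    return root


if __name__ == "__main__":
    print(format_report(scope_share(build_sample_share())))
```

Run against the constructed share it lists HR first, then Finance, then Advancement, and omits Maintenance and Public. On a real share the same output is the "scope" answer for this step: which folders are hit, how many files, and in what order, without touching file contents.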

What do you need to do to report the attack?

  • Who do you report the incident to?
  • How do you report it?
  • Who reports the incident to other units or departments?

___________________________________________________________________

___________________________________________________________________

Do you have an obligation to notify anyone internally or externally about the attack?

  • How do you decide?
  • Do you need to notify your FOIL or the FIPP office?

___________________________________________________________________

___________________________________________________________________

Once contained (or everything is encrypted), what is your process to recover? 

  • Do you have backups, and are they usable?
  • Is the data worth recovering?
  • Is it worth paying the ransom? (short answer here is NO)

___________________________________________________________________

___________________________________________________________________
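"Do you have backups, and are they usable?" has a testable meaning: the restored files must match what was backed up, and the backup must not itself have captured files the ransomware had already encrypted. The script below, added here as an example and not part of the exercise document, records a SHA-256 manifest at backup time, compares a restored tree against it, and flags any backup entries carrying the scenarios' ‘.ryk’/‘.ecc’ extensions or the RyukReadMe.txt note. The backup and restore trees it builds in a temporary directory are constructed for the example; the function names are the example's own.

```python
"""Check whether a backup is usable for ransomware recovery.

Added tabletop aid, not code from the exercise document. The ransomware indicators
come from the exercise scenarios; the sample trees below are constructed test data.
"""
import hashlib
import os
import tempfile

RANSOM_EXTENSIONS = {".ryk", ".ecc"}
RANSOM_NOTE_NAMES = {"ryukreadme.txt"}


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record relative path -> sha256 for every file under root (run at backup time).

    Store this manifest somewhere the backup itself cannot overwrite, or a backup
    taken after encryption will simply describe the encrypted files as 'correct'.
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(path)
    return manifest


def verify_restore(restore_root, manifest):
    """Compare a restored tree against the manifest captured at backup time."""
    result = {"ok": [], "missing": [], "modified": [], "suspicious": []}
    for rel, expected in manifest.items():
        name = rel.rsplit("/", 1)[-1].lower()
        # A backup that contains encrypted files or the note was taken after the attack.
        if name in RANSOM_NOTE_NAMES or os.path.splitext(name)[1] in RANSOM_EXTENSIONS:
            result["suspicious"].append(rel)
        path = os.path.join(restore_root, *rel.split("/"))
        if not os.path.exists(path):
            result["missing"].append(rel)
        elif sha256_file(path) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    for key in result:
        result[key].sort()
    return result


def is_usable(result):
    """A backup is usable only if everything restored intact and nothing looks encrypted."""
    return not (result["missing"] or result["modified"] or result["suspicious"])


def write_tree(root, files):
    """Write {relative path: bytes} under root (helper for the constructed sample)."""
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def build_sample():
    """Constructed backup, a flawed restore of it, and a backup taken after encryption."""
    tmp = tempfile.mkdtemp(prefix="tabletop_backup_")
    clean = write_tree(os.path.join(tmp, "backup_sunday"), {
        "HR/benefits.xlsx": b"benefits v1",
        "Finance/ledger.xlsx": b"ledger v1",
        "Finance/payroll.csv": b"payroll v1",
    })
    restore = write_tree(os.path.join(tmp, "restore_test"), {
        "HR/benefits.xlsx": b"benefits v1",        # intact
        "Finance/ledger.xlsx": b"ledger CHANGED",  # does not match manifest
        # Finance/payroll.csv deliberately absent
    })
    tainted = write_tree(os.path.join(tmp, "backup_tuesday"), {
        "HR/benefits.xlsx.ryk": b"ciphertext placeholder",
        "HR/RyukReadMe.txt": b"ransom note placeholder",
    })
    return {"clean": clean, "restore": restore, "tainted": tainted}


if __name__ == "__main__":
    s = build_sample()
    print(verify_restore(s["restore"], build_manifest(s["clean"])))
    print(verify_restore(s["tainted"], build_manifest(s["tainted"])))
```

The first check reports one modified and one missing file, so that restore would not be trusted; the second shows that hashing alone is not enough, since the post-encryption backup matches its own manifest perfectly and is caught only by the indicator check. Running this restore test before an incident is what turns "we have backups" into a yes for this question.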

How do you figure out how the attack was able to happen and prevent it from happening again?

  • What controls should have stopped the attack?
  • How do you figure out why they didn’t?
  • How can you review the encrypted devices for forensic evidence?

___________________________________________________________________

___________________________________________________________________


Additional Notes:

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

___________________________________________________________________

Variations:

Scenario 2:

A staff member working in Maintenance just called you in a panic that they can’t open any of their files, and when they looked, they all have ‘.ryk’ appended to their filename. When you get to their desk to help, you find that a RyukReadMe.txt file is now in every folder. The file contains directions for email contact, further instructions, and an offer to decrypt two files for free. No specific ransom is mentioned, but the note mentions a BTC (Bitcoin) address for payment.

Scenario 3:

You come into work on a Monday morning, and every workstation has a red Cryptolocker message on the desktop with a timer counting down and a demand for a Bitcoin ransom.  On further investigation, every data file on every workstation and all shared files have had a .ecc extension appended to them.