Ransomware Tabletop Exercise PC: TE-5013-1
“In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing” Theodore Roosevelt
Ransomware Tabletop Exercise
• Exercise Purpose and Objectives
• Background Information
• Module 1: Ransomware Attack
• Module 2: Backup Tape Procedures Activated… Will We Pay?
• Module 3: Missing Data… Pay Ransom?
• Wrap-up
Purpose
• The purpose of this tabletop exercise is to stimulate discussion on response processes and procedures for a ransomware incident that impacts Purdue University Northwest.
Objectives
• The tabletop exercise will:
• Provide an opportunity for participants to consider essential internal and outward-facing elements of a ransomware incident response, all in a manner consistent with Purdue policies.
• Facilitate the foregoing exercise by providing an opportunity for interactive discussion on an appropriate response to, and related communications concerning, a ransomware incident.
Why Ransomware?
• Education has the highest rate of ransomware attacks…
• 3 times the national rate compared to businesses, healthcare…
• The number of attacks has tripled in the last 12 months…
Module 1
• During the holiday break, ITAP technicians detect ransomware in several SAP databases. The ransomware has encrypted all of the data in the databases and made SAP unusable. Access to the impacted files can only be gained by paying the ransom or by restoring from the backup.
• At this point no one has contacted the University requesting a ransom.
Actions
• What actions should your area consider, if any? How will these actions be coordinated with other key partners?
• Would the Crisis Management Team be activated?
• If yes, who would initiate the activation?
• Will the Senior Leadership be notified?
Module 2
• The PNW IT technicians are reviewing their backup tape procedures and determining the impact. The perpetrator(s) have stated that they will “unlock” the encrypted files for $100,000. The FBI office has been contacted and is assisting University personnel.
Questions
• What would your strategy be if we only lose one day’s worth of data?
• Would our Cyber Insurance affect the decision? Do we have Cyber Insurance?
• Assume the recent backup is also not recoverable. The 6-month backup appears not to be impacted, but it may take 1½ weeks to recover the data. Is using a 6-month backup a viable option to pursue?
• What would be the strategy to continue business for 1½ weeks?
• Would the Crisis Communications Activation Group be activated?
• What actions should non-IT areas consider? How will these actions be coordinated with other key partners?
Module 3
• IT professionals have determined that most of the University’s financial data has been impacted and the 6-month backup tape is also impacted. The 1-year backup tape is not impacted, so they can recover data from 1 year ago. The perpetrator(s) now say they want $250,000 to unlock the files.
Questions
• Discuss the overall strategy for a ransomware payout.
• Would Cyber Insurance play a part in the various decisions?
• Discuss the overall business strategy for this type of incident.
• What would our communication strategy be?
Debrief
• Action Items?