Does your Business Continuity Plan really handle Ransomware?

Your business continuity plan already includes the complete destruction of your office. Surely the destruction of your IT department's computers is already covered?


A very bad morning…

It's before dawn on a Tuesday morning when you get the first indication that something has gone wrong. It's the day after the long weekend and somebody is ringing you from the office. That can't be good. Apparently the computer network is down and nothing is working. You don't know the person who called. Your phone number is on the business continuity plan, so they figured they should call you.

By the time you get to the office it's becoming clear what has happened. The company network has been penetrated, and someone has launched a ransomware attack. There's a handy note in the root directory of all the office computers (including the servers) explaining what has happened. All the files on each computer have been encrypted, and for "a very reasonable fee of 10 bitcoins" the hacking organization Jolly Rogers will help you recover all your data. If you don't pay within the next 24 hours, the price will go up. And if you don't act at all, well, they might just publish all those documents and emails so that people who do care about your data will be able to read them.

You assemble your incident response team, and together you start figuring out what to do.

The obvious solution is to re-use part of your business continuity plan. If it covers the possibility that the office burns down and destroys everything, surely it should cover what would happen if you lost all your computers and the offices were miraculously saved. You can just leave out all the bits about working from alternative locations while new office accommodation is found.

Would that work? You ask the head of the IT department. She says she will go and find out.

You're still trying to think this through when you get a phone call from an irate customer. You don't know how or why they've got your personal phone number, but they claim to have just received an email containing some private and personal details along with a claim that your systems have been hacked. The email says that you are personally responsible and that if you don't pay a ransom their personal information will be published on the internet. "What are you going to do about it?", they ask. You try to reassure them, and promise to call them back.

Shortly after, you get a phone call from a computer security company you've never heard of. Apparently they've received an email inquiry with your name on it requesting help fixing a security problem. You make it clear that you didn't make the inquiry and hang up. Was that the extortionists trying to figure out what you were going to do? Or an attempt to apply additional pressure?

Your head of IT calls. Apparently the question you should have asked her isn't "how quickly can we recover from backups?" but "do we actually have any recent backups to recover from?". They're not sure, but it looks like the last set of backups was of an unusually small size. They're not sure what's on the backups: the backup encryption key was kept on the network and has been encrypted. There's a paper copy which is kept off site. At least, that's what the plan from five years ago says. They're going to get that and see if it still works.

What about our cloud backups, you ask? The system that replicated the server data to another data center? Apparently there's a problem. The replication system replicated all the encrypted files.
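Two of the failures in the story (a final backup set that is "unusually small", and a replication job that faithfully copied already-encrypted files) are detectable before the backup is trusted, not just after the incident. The following is an added example, not code from the original article, showing the kind of sanity check a backup job can run on a set before it is accepted or replicated: per-file Shannon entropy to flag files that look encrypted (excluding formats that are legitimately compressed), plus a size comparison against the previous run. The thresholds, file names and sample contents are constructed for the demonstration; the "cipher" used to manufacture encrypted-looking bytes is a toy keystream and not real cryptography.

```python
from __future__ import annotations

import hashlib
import math
from collections import Counter

# Thresholds are illustrative assumptions, not figures from the article.
HIGH_ENTROPY_BITS = 7.5          # random or encrypted data approaches 8.0 bits per byte
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4", ".pdf"}
SIZE_DROP_RATIO = 0.5            # a run under half the previous run's size is suspicious
MIN_FILE_BYTES = 64              # tiny files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(files: dict) -> list:
    """Names of files that look encrypted: high entropy and not a format that is
    expected to be compressed. `files` maps relative path -> content bytes."""
    flagged = []
    for name, data in files.items():
        _, dot, ext = name.rpartition(".")
        if dot and "." + ext in COMPRESSED_EXTS:
            continue
        if len(data) >= MIN_FILE_BYTES and shannon_entropy(data) > HIGH_ENTROPY_BITS:
            flagged.append(name)
    return sorted(flagged)


def size_regression(previous_total: int, current_total: int) -> bool:
    """True if this run shrank far more than normal churn would explain."""
    return previous_total > 0 and current_total < previous_total * SIZE_DROP_RATIO


def backup_set_ok(files: dict, previous_total: int, max_suspicious_ratio: float = 0.05):
    """Decide whether a backup set should be accepted (and replicated).
    Returns (ok, report) so the job can log why a set was rejected."""
    flagged = suspicious_files(files)
    total = sum(len(d) for d in files.values())
    report = {
        "flagged": flagged,
        "total_bytes": total,
        "size_regression": size_regression(previous_total, total),
    }
    ok = (not report["size_regression"]
          and len(flagged) <= max_suspicious_ratio * max(len(files), 1))
    return ok, report


# ---- constructed sample data for the demonstration ----------------------

def _fake_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy SHA-256 keystream XOR, used only to produce encrypted-looking bytes."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


SAMPLE_PLAINTEXT = b"Quarterly report: revenue up 4%, churn down. " * 100

# A healthy set: two text documents plus an image that is legitimately high-entropy.
GOOD_SET = {
    "finance/q3-report.txt": SAMPLE_PLAINTEXT,
    "hr/policy.txt": SAMPLE_PLAINTEXT[:2000],
    "marketing/logo.png": _fake_encrypt(SAMPLE_PLAINTEXT, b"png"),  # stands in for PNG data
}

# The same set after ransomware: every file re-encrypted and renamed.
BAD_SET = {name + ".locked": _fake_encrypt(data, b"ransom") for name, data in GOOD_SET.items()}


if __name__ == "__main__":
    previous = sum(len(d) for d in GOOD_SET.values())
    for label, files in (("good", GOOD_SET), ("bad", BAD_SET)):
        ok, report = backup_set_ok(files, previous)
        print(label, "accepted" if ok else "REJECTED", report)
```

The check only needs to run on the source of a replication job, before the encrypted copies overwrite the last good ones; a replication system with no such gate, and no retained prior versions, is exactly what produced "the replication system replicated all the encrypted files" above.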

The Good News, the Bad News, and the Really Bad News

IT calls back. There's good news, bad news and really bad news.

The good news: they have backups from the previous week which look like they are intact, and the paper copy of the encryption key works. (Apparently they were worried that it might have been changed in the last five years, but lax key rotation has saved the day.)

The bad news is that they are incremental backups. To get to the state you were in last Thursday you will have to restore a full backup from the previous month, apply a differential backup from the previous week, then apply four days of incremental backups. That's going to take a while. Perhaps 48 hours. And the machines will need to be wiped and reconfigured before you can start the restore process in case there is any malware on them.

That's for the servers.

More good news. The desktops and laptops used a cloud backup system. It looks like the data on all of these can be restored. But before data can be restored the systems will need to be re-imaged with a new copy of Windows, some application software will need to be re-installed, and the latest software patches applied.

How long will it take? That's the bad news. IT think they can get the servers up and running in less than a week. They could take on some contractors to help with the desktops and laptops if they can get authorization for the expense. And then they will need to make some decisions about which computers are recovered first. It will take a few days to get everything running smoothly, but then they can probably manage 25-50 systems a day. Allowing for recruitment of contractors and system testing, perhaps a month to get everything back to normal.

The really bad news? Of course, IT need to figure out how the ransomware was introduced to the network first and make sure it has been eliminated: otherwise everything will be re-encrypted. IT are looking for clues, but many log files are either encrypted or missing. They could proceed on the assumption that re-imaging all the machines will eliminate the ransomware, but that's not an assumption they would like to make. What if there's an unpatched network vulnerability?

At this point you start calling for outside help.

Perhaps law enforcement can do something? It takes a while, but finally you find the right department. "Is it a matter of life and death?", they ask. You're rather surprised by the question. "No", you reply. Ok, they say, we will add you to the list and get back to you next week. There are more cases than they can handle at the moment, so they are prioritizing the important ones. You aren't that important.

Although they couldn't help, they did supply you with a list of Incident Response companies that might be able to help. You start calling companies on the list. They all sound sympathetic but, as you are not an existing customer, they will have to see if they can fit you in. They're all very busy right now. Apparently there have been a lot of ransomware attacks recently. They say they will call you back when they have time, but it doesn't sound like it will be any time soon.

Just then you get a phone call from marketing. Marketing? Apparently the social media people are reporting tweets from irate customers. And there's a journalist called Brian who would like to confirm some information for a story.

It's beginning to look like paying the ransom might be worth considering. At least it would give you time to think.

Perhaps your business interruption insurance will lessen the blow. Do you have business interruption insurance? Do you have cyber-insurance? Where are the policies and what do they say? Time to make more phone calls.

Should you pay the ransom? If nobody paid a ransom, there wouldn't be ransomware and everyone would benefit. But ransomware exists and you have a duty to your shareholders and employees, not to the shareholders and employees of other companies… The ransom demand might be large, but it's less than the cost of all the computer systems being down.

Is it even legal to pay the ransom? What does the company's lawyer say? You make the call. He tells you that you should have called earlier. Apparently there are important liability issues to consider as well as mandatory disclosure rules if customer data is exposed. He is in a meeting at the moment, but will call you back.

And who would approve a ransom if you did pay it? Would that be the CEO? Somebody else you need to talk to.

If only this was all a terrible dream…

But it wasn't. It was a desktop exercise designed to help your company understand what might happen during a ransomware incident, what decisions might need to be made, and what procedures need to be in place to minimize the impact of a ransomware attack if it does happen.

Ransomware is very different from other business continuity scenarios. Ransomware isn't an event that strikes at random where simple replication will save the day. It's an attack which may have been carefully planned by an adversary. They might even be one of the few people who has studied your business continuity plan in detail.

You can prepare too. Here's how:

  • Consider how a ransomware incident might occur and what your response would be.
  • Run a desktop exercise with the people likely to be involved to determine how realistic your planned response is.
  • Take what you learn from the exercise to update and improve your planned response.

You need an outsider…

If you test a scenario that you wrote on your own, you are only testing that what you thought would happen is what you thought would happen. It's like trying to play a game of poker against yourself: you know too much for it to be anything like the real thing. That limits what can be achieved.

An external facilitator solves this problem by:

  • asking questions,
  • helping you develop your scenario,
  • introducing unexpected events,
  • simulating outside agencies,
  • and directing the desktop exercise in ways that maximize the learning outcome.

And this is where we can help. As external facilitators we can help you make your desktop exercise a valuable learning experience. Please contact us for more information.

23 September 2021

If you found this article interesting, please consider subscribing to the Risky Thinking Newsletter to get notified when new articles appear. Recently published articles can be found here.

Do you have any comments? I'd like to hear them. Please use the contact form to get in touch.