Ransomware Attack Vector Isolation Playbook

December 17, 2023 | 4 min read

Playbook Objectives:

  • To enable the Cyberspace Security Team (CST) of XYZ Corporation to identify, isolate, and respond effectively to a simulated ransomware attack.
  • To enhance the team’s ability to protect the business’s assets and sensitive information from similar threats in the future.
  • To evaluate the current incident response plan under a realistic scenario and adjust it based on observations made during the exercise.
  • To raise awareness among non-technical staff of the damage ransomware can do and to build a culture of cyber hygiene across the organization.

Difficulty Level:

  • Advanced


  • XYZ Corporation, a mid-sized financial services company based in Seattle, relies heavily on its IT infrastructure for day-to-day operations. The company stores sensitive data belonging to millions of clients and has robust cybersecurity measures in place.
  • Despite this, constantly evolving cyber threats still pose a significant risk. Recognizing this, the Board of Directors has endorsed a cyber range exercise focused on a highly plausible ransomware attack.
  • Attackers have grown more sophisticated, increasingly deploying ransomware that encrypts the victim’s files and demands a ransom for the decryption key. An attack of this kind could cripple XYZ Corporation’s operations and cost millions, in addition to the loss of client trust. This exercise is therefore aimed at testing and honing the skills of the CST and the effectiveness of the company’s incident response plan.
  • The exercise simulates an attack in which an unsuspecting employee clicks a malicious link in an email disguised as coming from a trusted source. This releases ransomware into the network, which proceeds to encrypt critical files and demand a hefty Bitcoin payment. The CST is alerted by the monitoring systems that detect the unusual activity.


  • Ransomware Attack Vector Isolation

Exercise Attack Steps:

  1. Simulate a Phishing Email: An email impersonating a legitimate source is sent to an employee. The email contains a malicious link which, when clicked, triggers the ransomware payload.
  2. Intrusion: Once the link is clicked, the ransomware is downloaded onto the employee’s workstation, infects the system, and attempts to move laterally across the company’s network.
  3. Signal Detection: Intrusion detection system (IDS) sensors identify suspicious activity suggestive of a ransomware attack, such as a burst of file renames to an unfamiliar extension followed by the creation of a ransom note.
  4. Alert the CST: The IDS alerts the CST to the potential ransomware attack, including the IP address of the affected machine, the indicators observed (file extension, ransom note name, and the ransomware family where a signature matches), and the probable point of entry, such as the process chain leading back to the mail client.
  5. Isolation: The CST applies network segmentation procedures to prevent the ransomware from spreading to other parts of the network. This involves cutting affected systems and services off from the network at the switch, gateway, or endpoint agent rather than powering them off, so that volatile memory and other forensic artifacts are preserved.
  6. Analysis & Response: The team identifies the ransomware family to check whether a decryptor is available, and confirms that clean, offline backups exist before any restoration begins. The response also includes notifying law enforcement and preparing a public statement.
  7. Debrief: A post-mortem analysis of the exercise is conducted to assess response time, effectiveness, communication, and decision-making during the incident. Key takeaways and improvements are documented for future reference and training.
  8. Awareness Training: Details from the exercise are shared with all staff to build a better understanding of such incidents and of the importance of cyber hygiene, including reminders of the signs of phishing and suspicious email content.
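Steps 3 to 5 above (detection, alerting with host and entry point, and isolation) as an added example; this is not code from the original playbook. It assumes a hypothetical host sensor that emits file and process events as JSON lines with the fields shown, a segment gateway running iptables, and a forensics collector at 10.20.99.5; the sample events, thresholds, and all host addresses are constructed for the example.

```python
"""Ransomware burst detection and isolation-rule generation (added example).

Assumes a hypothetical JSON-lines sensor schema; all events below are
constructed, as are the thresholds and addresses."""

import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window for counting renames (assumed)
THRESHOLD = 5                    # renames to one new extension inside WINDOW (assumed)
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "png", "bak", "tmp"}
NOTE_MARKERS = ("readme", "restore", "decrypt", "how_to")
FORENSICS_COLLECTOR = "10.20.99.5"  # assumed evidence-collection host

# Constructed telemetry: a link opened from Outlook launches a browser download,
# which renames user files to ".locked" and drops a note. The last two lines are
# benign Word save activity on a second host and must not alert.
SAMPLE_EVENTS = r"""
{"ts":"2023-12-17T09:00:01Z","host":"10.20.5.17","action":"exec","proc":"outlook.exe","pid":4120,"child":"chrome.exe","child_pid":4401}
{"ts":"2023-12-17T09:00:09Z","host":"10.20.5.17","action":"exec","proc":"chrome.exe","pid":4401,"child":"invoice_4471.exe","child_pid":4510}
{"ts":"2023-12-17T09:00:12Z","host":"10.20.5.17","action":"rename","proc":"invoice_4471.exe","pid":4510,"path":"C:\\Users\\jdoe\\Documents\\q3.xlsx","new_path":"C:\\Users\\jdoe\\Documents\\q3.xlsx.locked"}
{"ts":"2023-12-17T09:00:12Z","host":"10.20.5.17","action":"rename","proc":"invoice_4471.exe","pid":4510,"path":"C:\\Users\\jdoe\\Documents\\board.pptx","new_path":"C:\\Users\\jdoe\\Documents\\board.pptx.locked"}
{"ts":"2023-12-17T09:00:13Z","host":"10.20.5.17","action":"rename","proc":"invoice_4471.exe","pid":4510,"path":"C:\\Users\\jdoe\\Documents\\clients.csv","new_path":"C:\\Users\\jdoe\\Documents\\clients.csv.locked"}
{"ts":"2023-12-17T09:00:13Z","host":"10.20.5.17","action":"rename","proc":"invoice_4471.exe","pid":4510,"path":"C:\\Users\\jdoe\\Documents\\notes.docx","new_path":"C:\\Users\\jdoe\\Documents\\notes.docx.locked"}
{"ts":"2023-12-17T09:00:14Z","host":"10.20.5.17","action":"rename","proc":"invoice_4471.exe","pid":4510,"path":"C:\\Users\\jdoe\\Pictures\\team.jpg","new_path":"C:\\Users\\jdoe\\Pictures\\team.jpg.locked"}
{"ts":"2023-12-17T09:00:15Z","host":"10.20.5.17","action":"create","proc":"invoice_4471.exe","pid":4510,"path":"C:\\Users\\jdoe\\Documents\\README_RESTORE_FILES.txt"}
{"ts":"2023-12-17T09:02:40Z","host":"10.20.5.22","action":"rename","proc":"winword.exe","pid":900,"path":"C:\\Users\\asmith\\Documents\\~WRL0001.tmp","new_path":"C:\\Users\\asmith\\Documents\\memo.docx"}
{"ts":"2023-12-17T09:02:41Z","host":"10.20.5.22","action":"create","proc":"winword.exe","pid":900,"path":"C:\\Users\\asmith\\Documents\\memo.docx"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def extension(path):
    """Lower-cased final extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def process_chain(events, host, pid):
    """Rebuild the parent chain of pid from exec events (root first)."""
    parent_of, names = {}, {}
    for ev in events:
        if ev["host"] == host and ev["action"] == "exec":
            parent_of[ev["child_pid"]] = ev["pid"]
            names[ev["child_pid"]] = ev["child"]
            names.setdefault(ev["pid"], ev["proc"])
    chain, seen, cur = [], set(), pid
    while cur in names and cur not in seen:
        seen.add(cur)
        chain.append(names[cur])
        cur = parent_of.get(cur)
    return list(reversed(chain))


def detect_bursts(events):
    """One alert per (host, pid) that renames >= THRESHOLD files to the same
    unknown extension inside WINDOW; ransom-note drops are attached as IOCs."""
    windows = defaultdict(deque)   # (host, pid, ext) -> rename timestamps inside WINDOW
    totals = defaultdict(int)
    notes = defaultdict(list)
    alerts = {}
    for ev in events:
        if ev["action"] == "create" and any(m in ev["path"].lower() for m in NOTE_MARKERS):
            notes[(ev["host"], ev["pid"])].append(ev["path"])
        if ev["action"] != "rename":
            continue
        ext = extension(ev["new_path"])
        if ext in KNOWN_EXTENSIONS or ext == extension(ev["path"]):
            continue            # ordinary save or rename, not a mass re-extension
        key = (ev["host"], ev["pid"], ext)
        totals[key] += 1
        q = windows[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > WINDOW:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD and key not in alerts:
            chain = process_chain(events, ev["host"], ev["pid"]) or [ev["proc"]]
            alerts[key] = {"host": ev["host"], "pid": ev["pid"], "proc": ev["proc"],
                           "extension": ext, "first_seen": q[0].isoformat(),
                           "process_chain": chain, "suspected_entry": chain[0]}
    for key, a in alerts.items():       # totals and notes are only final after the pass
        a["files"] = totals[key]
        a["ransom_notes"] = notes.get((a["host"], a["pid"]), [])
    return list(alerts.values())


def isolation_rules(alert, collector=FORENSICS_COLLECTOR):
    """Gateway rules that cut the host off from every segment except the
    forensics collector. Returned as strings for analyst review, not executed;
    the host stays powered on so memory can still be captured. Each rule is
    inserted at position 1, so the ACCEPTs listed last end up above the DROPs."""
    h = alert["host"]
    return [f"iptables -I FORWARD 1 -s {h} -j DROP",
            f"iptables -I FORWARD 1 -d {h} -j DROP",
            f"iptables -I FORWARD 1 -s {h} -d {collector} -p tcp --dport 443 -j ACCEPT",
            f"iptables -I FORWARD 1 -s {collector} -d {h} -j ACCEPT"]


if __name__ == "__main__":
    for alert in detect_bursts(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
        print("\n".join(isolation_rules(alert)))
```

The detector keys on behaviour (many files re-extensioned by one process in a short window) rather than a signature, so it fires on an unknown family as well as a known one; the process chain it reports (outlook.exe to chrome.exe to the downloaded executable) is what gives the CST the "point of entry" in step 4, and the generated rules implement step 5 without destroying the evidence that step 6 depends on.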