Ransomware Data Recovery and Continuity Planning Playbook

December 16, 20235 min read

Playbook Objectives

  • Objective 1: To successfully identify and isolate a ransomware infection in the company’s network.
  • Objective 2: To execute a data recovery process from backups without paying the ransom.
  • Objective 3: To minimize downtime and maintain business continuity during and after the ransomware attack.
  • Objective 4: To review and improve the incident response and business continuity plans based on exercise findings.

Difficulty Level

  • Expert – This exercise is designed for cybersecurity teams with advanced knowledge of incident response, forensics, and business continuity strategy.


Company Name: Quantum Financial Services

Background: Quantum Financial Services (QFS) is a leading provider of digital financial solutions. The company houses sensitive financial data for millions of customers worldwide. 

Key People:

  • Alice Johnson: Chief Information Security Officer (CISO)
  • Bob Smith: Head of IT Operations
  • Carol Lee: Incident Response Team Lead
  • Dave Brown: Database Administrator

Network Description:

  • Multiple subnets segregating various departments: Human Resources, Finance, Customer Support, IT, and Development.
  • Primary data center located on-premises with a disaster recovery site in a remote location.
  • Critical systems include customer-facing web applications, a core banking system, intranet servers, and email servers.
  • Both Windows and Linux servers in use, with the majority of financial data processed and stored on Linux machines.
  • Employees connect through a VPN for remote access with two-factor authentication.

Cybersecurity Category

  • Ransomware Incident Response and Mitigation
  • Data Recovery and Business Continuity Planning

Attack Steps

  1. Initial Compromise:
    • An advanced persistent threat (APT) group spear-phishes Carol, the Incident Response Team Lead, using a zero-day vulnerability hidden in a PDF that appears as a security conference itinerary.
    • The PDF payload deploys a backdoor upon being opened, establishing a foothold in Carol’s system who has elevated privileges.
  2. Lateral Movement:
    • The attacker leverages the initial foothold to perform reconnaissance within the IT subnet, identifying critical systems and data backup procedures.
    • They exploit misconfigured network shares to move laterally to the data center management console and the active directory server.
  3. Privilege Escalation:
    • Using harvested credentials, the attacker escalates their privileges to those of a system administrator, gaining full control over critical servers.
  4. Delivery & Execution:
    • The ransomware payload, masked as a routine software update from an internal update server, is pushed to all endpoints, encrypting data files and system backups on connected storage.
  5. Command & Control (C2) Communication:
    • The ransomware establishes C2 communication with the APT group’s server, sending system information and encryption keys.
  6. Impact:
    • Encrypted data across the network renders financial operations inoperable. Ransom notes appear on systems demanding cryptocurrency for data decryption.
  7. Detection & Analysis:
    • Anomaly detection systems flag unusual network traffic and high CPU usage on multiple machines. The IT team initiates the incident response protocol.
  8. Containment:
    • Quantum Financial’s Incident Response Team, led by Carol, immediately disconnects infected segments of the network, preserving uninfected systems and preventing further encryption.
  9. Eradication:
    • Dave, the Database Administrator, following the pre-established playbook, wipes and reimages infected servers after ensuring they have complete and untainted backups.
  10. Recovery:
    • IT Operations, headed by Bob, begins restoring data from off-site backups, prioritizing critical systems for financial operations and customer-facing services.
  11. Post-Incident Handling:
    • Alice, the CISO, conducts a post-analysis briefing with the Incident Response Team to review actions taken, effectiveness of the response, and areas requiring improvement.
    • The playbook is updated to reflect lessons learned and training sessions are scheduled to reinforce incident handling procedures and awareness.
  12. Business Continuity:
    • The team activates the previously tested business continuity plan, shifting critical operations to the disaster recovery site. – Customer-facing staff are instructed on contingency procedures for maintaining customer relations and services through alternative means. – PR statements are prepared and disseminated to inform stakeholders of the issue with assurances that their data is secure and services will be restored.

By conducting this detailed Cyber Range exercise, Quantum Financial Services aims not only to test and refine their incident response and recovery strategies but also to strengthen their overall cybersecurity posture against sophisticated ransomware attacks. Continuous learning and adaptation from such exercises are crucial for the resilience of any organization in today’s threat landscape.