Hacked! How to handle a Ransomware Attack

All right, thank you very much. Yeah. Hello, my name is Florian Jurgen's. What can you expect within the LA next 20, 25, 30 minutes? First of all, a lot of bad mood, so definitely the mood will be bad after my presentation. Just for the ex, the expectation, the exception management. So it's very good that afterwards you can have some drinks and some alcohol because you will now take over the role of the cso, the person responsible for information security and your company has been hacked. Congratulation. So I will lead you through a ransomware attack, a tabletop simulation. We will do that in three rounds and you have to make decisions after each round you will get additional information and yeah, we will see how you can handle this attack. Just some words for to, for my, my person, like I was already introduced, I'm currently the CSO for the four group, famous for the best kitchen appliance in the world, the TAMO mix and our VA cleaner, serious.
So we will do three rounds due to the time limit. And yeah, I would like to start directly. So first of all, of course we have Sunday evening. Of course it's Sunday evening. It's always Sunday evening. These things don't happen on Monday morning. So the colleagues from your IT department will receive a lot of calls and emails from the employees saying they cannot work any longer. And due to the fact that the amount of incidents is increasing the IT decided, okay, let's declare or let's create a major incident, put all incidents together and then let's call the cso. Let's call you and ask for additional help. What happened? Typical ransomware, a attack, some computers have been encrypted, some customer data have been stolen, or at least they told you that they have this data and they want 2 million US dollars in Bitcoins. In a real scenario, it's not about 2 million US dollar.
You will get an individual price, especially for your company. So they will have a look at your revenue at the size of your company and you will get an individual offer, especially customized for you. So it can be up to 2050, whatever million US dollar. This is just a FIC fictive number. So let's start short and simple with a small interactive question. What are you going to do next? You have three possibilities. First of all, you can call a forensic company to get some additional help, maybe to find out how they came into the company to get an overview what happened, or you can create a Microsoft Teams channel, invite the relevant stakeholders, or number three, you can declare the emergency or the crisis. So please raise your hand if you are for number one, calling a forensic company to get more information. Okay, who's for number two?
Inviting the relevant stakeholder. Communicate, get an overview. Okay, and number three. Okay, that's a majority. All these things are relevant and necessary and depends on the situation, but normally it makes sense to start with a declaration of the emergency of the crisis case because it should be linked to additional resources and additional possibilities for things you maybe need to decide. Round one, let us start. The talk is ticking, so please make your decisions fast. Yeah, it's Monday morning. The co colleagues are starting their computer. So we are now talking about round about 130 PCs, which are infected and people of all around the organization worldwide are complaining. So it might be a global problem. You need to, to face it. Let's guess you have also, or additionally some shops, some of them are also infected due to the fact that the employees started the computers. Some shops are not infected because they're still closed due to a public holiday. What are you going to do now? You are the cso, you are highly paid maybe. So what is your first idea? What are you going to do? Yeah, quitting. Quitting might be an idea. Anything constructive,
An idea? No one Is this what you really would do?
There are no right or wrong answers. There are some ideas, some recommendations. What you can do, first of all to get an, to get an overview together with a security management team. Get them all together, explain the situation, try to get an overview. Containment and defense. This is the thing, when you have a look at the successful ransomware attacks of the last weeks, months, years where most companies failed, they decided too late to disconnect the systems from the rest of the internet because they were thinking about a possible business impact and that they still can handle the situation and so on and so on. But to be honest, it wasn't that bad when they had decided to disconnect the systems earlier. Discuss the possible business impact, of course in informa inform the relevant stakeholder, workers' council, top management, it, data protection, hr. The core team needs to create an action and a communication plan and think about additional resources and additional budget.
I will talk about that on the upcoming slides, why this is extremely relevant. There are some additional things which might be a good idea. Engage the forensic company to get an overview. You don't need to take pictures. You will get all the slides. Discuss the potential data protection impact because they told you that they stole some customer data. I don't know if it's true you don't know if it's true, but maybe you should involve the colleagues from data protection on a very early stage. So round two, the time is still clicking, so the infection party is still going on. And let's imagine that you contacted the forensic company or I hope that you already had that done before, that you at least know a forensic company. You can call and you have the numbers saved in your, in your smartphone. And when you receive a security report, there are information typically, typically which are relevant for this kind of scenario.
First of all, they should or they would recommend disconnect the systems from the internet. And this does not mean that you shut should shut down the systems because then you will delete and destroy all forensic evidences which are still within the system. So disconnecting is now the recommendation, but if you think about that, okay, we can disconnect all the systems from the internet, but we still need to work together with the forensic company remote and our external IT supplier. So we still need a way that they can work on our systems. So it's not about, yeah, unplugging the firewall and then you are fine. You need still need a corridor where they can work and they can work with your systems, analyze your environment, and especially if some admin users had been created because it's not that the attackers will install a ransomware and then they are fine with that.
They will try to stay in your system as long as possible. We are then talking about an advanced persistence threat attack. So they will install some back doors, back doors, additional malware to have the possibility to come back maybe in a week, in a month, in a year or something like that. So you also need to look at that. Check the ransomware lateral movement. So how is the infection way of the ransomware through to your network? This is also very important to get an overview. What could be the next possible step? The most important thing, and if you want to take one lessons learned from this presentation with you is make sure that your backups are protected against ransomware. That means first of all, that you have the possibility to make sure that your backups cannot be encrypted and that you don't back up infected files.
And this will, sorry, saying that, save your ass. So this is the most important lessons learned. There are a lot of different suppliers available at the market who can help you convert Rubik, Dell, whatever chooser one you would prefer. But please make sure that your backups are protected against ransomware if you already have that, okay, perfect. But then you need to think about, okay, we can restore the systems, but you still need a new clean environment. You cannot restore the files within your, in your old environment. You still need a new setup, which needs to be built up. Okay? More PCs has been infected and congratulation due to the fact that most of the companies handle that the same way as all other companies. The servers has now been infected too. So we are talking about a, a number of thousands of employees who cannot work any longer.
What could now be the most, yeah, the most worst thing in this scenario, of course it's getting viral and now it's really, really pressure on this topic because now a lot of people will ask you one, when can they work again? The sales manager will call you, CRM is not working any longer. SAP is not working any longer, but he needs to do sales. So when can he work with the system? Again, the press will call your head of communication and ask, okay, we need a statement because we see some rumor on so social media that your devices has been hack, customer, daughter might be stolen. We need something from you to yeah, to to write an article. You have one hour, otherwise we'll write something by our ourself due to the time. Cons, restrictions. I will now went through the important points. Yeah, of course, disconnect the systems from the internet and especially the the shops.
Maybe they have some alternative work scenarios. Ah, we are now talking about business continuity management. The topic we should have done years before, but nobody wants to take over the responsibility for BCM, isolate the infected systems. Request a proposal for emergency operations. I will talk about that on the next slides. Admin users, domain users, yeah, check the unencrypted or hopefully unencrypted backups and the possibility to restore the systems in a new clean environment. If you want to take contact with the hackers, please don't do it by yourself. There are companies available at the market who can help you. And if you want to pay Bitcoins, I will talk about that on the upcoming slides. You should also think about that there's still something very important, how to reach your employees. And maybe you can answer this question for yourself. How can you reach your employees when Microsoft Outlook, Microsoft teams and the internet is not working any longer?
Someone told me, yeah, we can can call them by, by phone. Okay, everyone has a company device. What a great company from in our company. Not everyone has a company device. No, no. But they can install an app and we can send some messages and they can install it on their private devices. Oh, the workers' council will love that idea. Perfect. To install a company related application on the private devices. They will definitely love that. Okay, let's guess the backups have not been encrypted. The computers are still going online, so therefore there will be encrypted. But for the servers, the backups are still available. Now the IT is telling you, okay, we still need some time to restore the systems. For a normal client, it will take eight hours for the shop system. There's less software, five hours for a server. We are talking about two days per system.
SAP, three days per system. And now do the math for your own company. How many clients do you have? How many servers do you have? I'm pretty sure your IT colleagues will won't see in their family this year. Again, and this is a realistic scenario, the IT colleagues have to work 12, 14, 16 hours. Maybe they need to sleep in the office. Who has some beds that they can sleep in, who has a credit card to pay for the pizza that they can eat something. This is a realistic scenario. A friend of mine who is a Caesar, we a ransomware tech, told me that his general manager took a, took a big bus and they went to the media mart in ZA and they bought all the notebooks they could get and they drove around the whole city because they had no other possibility to restore the systems.
I know this sounds a little bit theoretical, but these are questions you need to answer before you went through this kind of attack, okay? Due to the fact that it went viral, it's now in the, in the newspaper, and now you need to involve the law enforcement. I'm a big fan of an early involvement because the colleagues from the police and the borough of investigation, they will definitely help you at this point. The super supervisory board will also ask you, okay, what is going on? We read something in the, in the newspaper, what are we going to do now? You know, the pressure is now really high on this topic, so what needs to be done? Now, if you want or if you decide to pay a ransomware, there are things which might or points for paying a ransomware. And this is only one thing if you don't have any other idea to do that, if your backups have been encrypted and the only solution is to close down the company, but on the other side, there are points where you should not pay a ransom.
First of all, you don't know if you get your data back because you're talking with criminals. They are not that trustworthy. Second thing is you are now on the list of the companies who are willing to pay and everyone knows that. And third, you still need to set up the, the whole infrastructure. You need to rebuild everything. It's not that you will get your key and ryt all your data and then you can get back to work because your infrastructure is compromised. So I would prefer not to pay a ransom. If you want to make contact with the hackers, maybe they should deliver an example of the customer data. Then like I said, use an special company for that. And now coming to an to the end, we had done this together with an external company for forward for four hours. We did that in nine rounds, and we had some participants of the top management like the C-O-O-C-I-O-C-F-O, and we achieved two benefits.
First of all, to make sure that this crisis emergency scenario, something where everyone is involved, it's not that a ransomware attack is managed by IT or security. Everyone has to do something. HR needs to inform the employees. The CFO has to do something, communication has to talk to the press, and so on and so on. And the second thing is, I've always been asked, okay, what about budget? I still have three minutes left. Have four questions for no, no, no, no questions. No, I, I will take my time for that. And I see Max. And the second thing is I'm always been asked Careflow and how do you get budget for security? And we changed our communication to the top management. We are now using a FIC fictive or a fictional KPI. It's not a real KPI way you can calculate. It's just for the communication part.
And our benefit is in the return on the damages not incurred. That means that we have a preventive function. We are helping the company and our benefit is that we prevent in the, yeah, damages from from incurring. I had done something similar in the last company I've worked for lengthy. We had an indicator of compromise of one of our services, whatnot, a ransomware. It was a Trojan software, but the colleagues from IT needed to rebuild all the systems and it took them round about seven to to eight months. Okay, last slide. I know that there are now a lot of questions where you need to find answers, and therefore I created a short handout. If you want to send out, just send me a short LinkedIn message. If we are not already connected, you can click on the three dots connect, and then please send me the message that you want the handout and you will get it today.
There are seven pages only questions. There's not a single answer in that. There are questions like, okay, if we want to pay Bitcoins, how do we get Bitcoins? Who has the access to the wallet? Who has the binds account? And what about tax? Who will pay for the food when the people are sleeping in the office, how can we reach the employees? And so on and so on. And sorry for that. But unfortunately, you need to develop the answers for all these questions for yourself within your company. I'm just giving you the questions and I hope that you will find answers for all these questions. So thank you very much.