It's common for companies to discover too late that it's not a matter of "if" but "when" they'll be hit by a malware attack. It's also too common for companies to find themselves unprepared when it does happen. But how do you prepare for a worst-case scenario?
On Monday morning, the help desk receives a call from Chad in marketing that his workstation is displaying a suspicious message and that he is unable to access any of his files. Over the next hour, additional calls begin pouring in about locked workstations, all displaying the same message.
The message demands $1 million USD in Bitcoin for the private key to unlock the workstations, and states that the company has three hours to comply before personally identifiable information (PII) from the company's database will be posted on the web.
The help desk alerts the cybersecurity team, who immediately meet via web conference to discuss what action to take first. Albert suggests that the first step should be to alert the help desk to tell anyone who has called in to report the message to unplug their computers.
Sandra suggests that the entire company should power down their machines. Jose shakes his head. "We can't just shut the whole company down. We must alert upper management," he says.
"Do you know how long it could take to get a response?" asks Sandra. "We may be toast by the time they make a decision."
Albert recalls that he was part of a project to write up a cybersecurity response plan several years ago, and he begins searching for it. But he finds that the shared drive where the plan is kept has already been encrypted. "It will take me some time to restore the backup to an offline machine so we can get that," he says. "Does anyone have it printed out?" No one does.
"How do we know this isn't just a bluff?" asks Albert.
As news of the malware attack spreads through the company, a similar scenario plays out. Each department that's affected, or that should be responsible for handling some aspect of a ransomware attack, wings it to one degree or another.
By the time the whole company is on the same page, news of the attack has hit social media. In the end, the company will either decide to 1) pay the ransom, or 2) spend a similar amount of money in downtime and consultant fees to restore its systems from backups and deal with fallout from PII being released.
This being the first time the company has dealt with a ransomware attack, the chances of the outcome being good are slim to none. In the weeks that follow the attack, new policies will be written, and a complete audit will be done to discover how the company's systems were infected in the first place and how to prevent future attacks. In the end, everyone will wish they'd known what to do and that they were better prepared.
One tool for preparing for a malware attack is tabletop exercises. Ransomware tabletop exercises help you prepare for a malware attack by using realistic scenarios that test the ability of your team to respond. Over the next few blog posts, we'll show you how to set up and conduct tabletop exercises, who should be involved, and what a successful tabletop exercise should look like.