Conducting a Ransomware Exercise for an Engineering Firm

In a new report, Ransomware Threat Landscape 2023: Ransomware Resurgence, Black Kite provides analysis of 2,708 ransomware victims with insights into attacks from April 2022 to March 2023. The findings reveal a ransomware resurgence in early 2023, with the number of victims in March—410—nearly double that of last April—208—and 1.6 times higher than the peak month in 2022. Furthermore, the United States was the top targeted country, accounting for 43 percent of victim organizations.

Walter P Moore (WPM) Technology, a subsidiary of Walter P Moore, was recently engaged by an engineering firm with approximately 150 employees to conduct a tabletop exercise (TTX) to evaluate their response to a potential ransomware attack. The engineering firm had limited emergency response plans and no cyber incident response plan in place. As a result, they wanted to assess their current status and take steps to improve their readiness to address a threat, such as ransomware, which they were informed about from other case studies conducted within peer firms in the engineering industry.

Response and Planning

As the exercise progressed, it was apparent that the engineering firm did not have pre-planned actions in place to respond to a rapidly evolving situation like the ransomware attack TTX scenario.

“The lack of training, preplanning, and situational guidance made it challenging for the firm to make informed decisions and respond as quickly as they would have preferred to the scenario,” says Michael Brown, Cyber Security Analyst at WPM Technology.

The Lessons Learned portion of the exercise allowed the company to identify and prioritize gaps in their response and initiate a plan to address those gaps.

Solutions Delivered

After the TTX, the engineering firm asked WPM Technology to assist them in creating a more comprehensive Emergency Response Plan (ERP), as well as a new Cyber Incident Response Plan (CIRP) that could be used to aid decision makers in future emergency response training exercises.

“Our consulting team worked with the company to create the documents, which provided a framework for their response in case of multiple scenarios including cyber-attacks,” Brown says.

The documents outlined the roles and responsibilities of each team member, communication protocols, and key steps to follow.

Actionable Results

Following the creation of the ERP and CIRP, another TTX was conducted that focused on a business email compromise. The engineering firm’s response was a complete turnaround from the first exercise.

“After the firm’s leadership had reviewed and commented on the response plans during their creation, they were already familiar with who should do what and how the company should initially react as they gathered additional information and brought the appropriate resources together to address the situation,” Brown says.

The firm quickly referred to their response plans to verify important steps were not overlooked and the combination of training and pre-planning had the desired effect of reducing confusion and speeding decision making. Lessons learned were noted and tasks assigned for follow-up and documentation.

Readiness and Reaction

This exercise highlighted the importance of having an ERP and CIRP in place and conducting regular TTXs to evaluate a firm’s readiness to a ransomware attack. Crisis response is no different from any skill in that preparation and training can improve a firm’s performance.

During the initial TTX, the engineering firm was not pleased with their level of preparedness. However, by working together to create an ERP and CIRP, they  improved their readiness to respond to many types of emergencies, including a cyber-attack. The second TTX provided an opportunity to test their response and highlight areas for continuous improvement and now the company has much higher confidence in their ability to respond.

—
For more information,