Can you remember the first part of our advent story when Ryuk got up to its mischief at E-Trade AG? In this second part, you will learn what surprises are in store for CEO Peter Fürst and his team on day three. It is now Friday – and Ryuk is probably playing Santa Claus...
Friday, 6 December – ho, ho, ho... but it's not Santa Claus, it's Ryuk!
7:05 a.m.: As always, Mr Fürst is the first one in the office, and he is more than confused. His computer is running, but where have his applications gone? Where is all the data? And who has reset everything to the factory settings? Even though Fürst is not an IT expert, he suspects that this is no ordinary malfunction...
7:40 a.m.: By now the IT manager Max Grunder is also in Fürst's office, looking just as pale as the CEO. "RYUK" is displayed in large letters on the screen, together with an e-mail address. Ryuk, isn't that...? A quick Google search confirms their suspicion: Ryuk is an encryption trojan, in other words ransomware. What now?
As managers, both of them know how to deal with unforeseen situations, but who has any experience with ransomware? On the spur of the moment they set up a new web e-mail address to contact Ryuk: "Hello Ryuk, how can we get our data back?" Three seconds later, the answer comes back: "To unlock your files, you need to pay 70 bitcoins", plus more details about the procedure and even a nice touch: "to confirm our honest intentions, we will unlock two files for free." "How generous of them", curses Grunder.
Ryuk's business model is now so successful that it is backed by a sizeable, highly professional organisation. It even runs a support hotline for problems with payment, so the chances of getting the data back after paying are fairly good. Small consolation, given the misery caused to E-Trade AG... At first, 70 bitcoins doesn't sound like much, think Grunder and Fürst, but a Google search soon puts them right: 70 bitcoins corresponds to about CHF 525,000! And where can you buy bitcoins anyway? And should you pay at all...?
As if the technical side were not complicated enough, other questions suddenly arise: how will E-Trade AG's employees carry on working? How can operations be kept going? What is communicated internally and externally, and how? And so on. The crisis management team, which now also includes some executives and members of the board of directors, draws up a plan for what they call "blackmail management". It covers issues such as the risk assessment of paying (or not paying), negotiation tactics (can you negotiate with Ryuk at all?), preparatory measures in case payment is made, and so on. At the same time, Fürst informs the police and the Reporting and Analysis Centre for Information Assurance (MELANI). Their advice: do not pay under any circumstances. But they are not in Fürst's shoes either. So it's time for Plan B...
10:10 a.m.: Plan B is quickly declared: call in outside cyber security experts, which is where our company, InfoGuard, comes in. As a reader, you have probably already noticed that in a crisis like this there is no time to start evaluating a suitable, trustworthy partner. That makes it all the more important to have made the appropriate enquiries in advance and to have an emergency number ready. Or perhaps you are lucky and, as in the case of E-Trade AG, know someone who can recommend a suitable partner. Now let's get back to Fürst and his dilemma...
Within a short time, our cyber defence specialists are on-site at E-Trade AG. Not only Fürst but also his IT manager Grunder quickly realise that this was the right decision. As Grunder notes, after just a few minutes they know what to do.
12:30 p.m.: Fürst and the crisis staff are glad to hand over part of their load to the experts, but they are not prepared for what happens next. "Pull the plug – immediately and with no exceptions," is the first instruction from the InfoGuard CSIRT (Computer Security Incident Response Team). Fürst swallows hard. That's just not possible! Operations are constrained enough already, and customers need to be able to continue ordering, or at least be informed. However, the experts have a pragmatic solution to this problem too. A new e-mail address is quickly set up with an external web provider, i.e. outside the compromised infrastructure. Then a final round-robin e-mail is sent to all customers, indicating that there are technical problems and giving a link to an "emergency homepage" where updates will be communicated on an ongoing basis. Customers are asked to use this e-mail address if they have any questions.
Incidentally, many of the employees have been sent home because no work can be done without computers. Conveniently, it is already Friday, so now there's just one thing left to do: pull the plug and get to work. The weekend is on hold!
EDR-as-a-Service: detect security incidents at an early stage, so that it never goes too far
In E-Trade AG's case, it was not only Emotet and the well-camouflaged phishing e-mail that were its downfall, but also the technical side. Attacks are becoming more and more complex, and zero-day exploits and agile cyber crime techniques are not easy to detect. That is why our cyber defence experts rely strongly on Tanium – the leading and most innovative provider in the field of Endpoint Detection and Response (EDR). And the best part? As part of our EDR-as-a-Service, our ISO 27001-certified Cyber Defence Center takes care of it for you. Do you want to detect security incidents at an early stage and react before the damage is done, unlike at E-Trade AG? You can find out more about our EDR-as-a-Service here:
So how will it pan out for E-Trade AG? You'll find out next Friday, 20 December, in the third and fourth part of our advent story.