A gift, you wouldn't wish even on your worst enemy [Part 3]

We have already reached the third part of our advent story. Time is running out – and not just till Christmas, but also at E-Trade AG. We stopped at the end of the second part when the InfoGuard CSIRT came in and pulled the plug, so they could get to work in the fight against Ryuk!

Saturday, 7 December

9:50 a.m.: The InfoGuard CSIRT has news and informs the team about the current status together with Grunder, E-Trade AG's IT Manager. Without going into the technical details, it's still not looking good – only a few systems are still available or accessible. Luckily, despite everything, the order management program is still working.

Nevertheless, Ryuk has got a firm grip on E-Trade AG. What next? Once again all the options are discussed: a) pay or b) rebuild all systems (which would take weeks – death for any online trader). Fürst is unable to decide either way, and the other parties involved are unable to accept the existing options.
To cut a long story short, it was decided to keep fighting and resume operations as best as possible, as the ordering system was still working. Laptops are organised and set up, and communications with customers and suppliers are improvised via the e-mail address. But don't assume that Fürst, Grunder and the other participants are in any way reassured. The room is still filled with fear, despair and anger, a lot of anger. The good thing about this is that anger generates adrenaline and drives you forward, but it also causes despair – and that would really not be helpful right now.

Sunday, 8 December

9:30 a.m.: A small glimmer of hope – the InfoGuard CSIRT has detected an error in the attacker's encryption. Could this be the eagerly awaited turning point? The experts have managed to restore a backup that was not properly encrypted. Plan c) is born!

1:30 p.m.: Filled with hope and energy, the next steps and responsibilities are defined, requiring several employees to get down to work. Fürst is happy to be able to count on his loyal employees, who show up at the office immediately.

The purchasing department takes care of upgrading and updating the still functioning ordering system. The marketing department, in coordination with the crisis team, ensures that web updates are communicated, gets ready for any media inquiries and takes care of the physical well-being of the IT team. HR and the finance department are now also supporting the IT department. In any case, there is no shortage of work to be done.

10:00 p.m.: The new plan, drawn up at short notice, works like a charm, and right up until late in the evening all the teams are still working hard. But now there is a new problem: what to tell the other employees who come to work on Monday morning, and how, on what and with what should they work?

Monday, 9 December

8:00 a.m.: On Sunday evening, all employees are contacted and asked to assemble in the canteen before starting work. There was some cause for hope, but they were still far from getting into the Christmas spirit. Fürst and Grunder now inform everyone about the incident – honestly, transparently and in a clear manner. This is because Fürst is aware that especially in a crisis, internal communication is the most important thing. It is also important to give employees a task to do so that they do not become frustrated, angry or afraid. As on the previous day, the departmental heads take care of this. For example, admin is responsible for contacting all customers by telephone – every single one of them.

1:30 p.m.: It was only to be expected that good luck would not last forever. There are new problems, but at least "only" with the infrastructure which is currently being worked on. Fortunately, improvising is no longer a problem. Employees continue to work on their personal laptops, and the internet is available via mobile phone hotspots.

Tuesday, 10 December

9:20 a.m.: So far, so good. All teams are still working at full speed, and InfoGuard's CSIRT and E-Trade AG's IT staff are gradually rebuilding the systems and online store. This makes purchasing and ordering possible without any significant constraints, and the year-end business can still be transacted. A company that had only recently been doomed to die has been resurrected. Or is it still too early to be celebrating?

11:00 a.m.: Once again there is uproar. The management system is down! Is it another virus? A short time later, the IT team gives the all-clear – it's just a technical breakdown that can be easily fixed. Something that would normally have caused no more than annoyance is now generating massive beads of sweat. Everyone’s nerves are in shreds...

2:10 p.m.: The first shock wave is over for the employees and this gives way to unresolved questions and worries. Do we have to worry about our jobs? Will we even get paid? And there is also a lot to be clarified on the business side. Should or must we inform the banks and insurers? Could our partners also be infected? All the questions from the staff are neatly listed on a flipchart and dealt with as soon as nerves allow.

Security incident – that's why you also need a reliable partner

You have probably noticed that in such a hectic situation, it is essential to have a reliable, experienced partner. On one hand, there is usually a lack of internal expertise and resources to manage such a situation, and on the other hand, there are plenty of other jobs that you need to be taking care of – probably a lot more than in the case described above. But as long as you are not affected, you don't have to worry about it. Right? Wrong!

Even the best security measures cannot protect a company from cyber attacks these days. That's why you need to be able to act quickly, professionally, and with a plan. The only thing is, how? Our Incident Response Retainer is the most effective solution! In our Joint Onboarding Workshop, we will prepare you for an emergency. And if it does happen, we can react together with you: rapidly, competently and with plenty of experience – 24/7. Find out more about our Incident Response Retainer here:

Incident Response Retainer

The last part of our advent story about the Ryuk cyber attack on E-Trade AG will be available soon – so don't miss it!


About the author / Michelle Gehri

InfoGuard AG - Michelle Gehri, Senior Marketing & Communication Manager
