Welcome to RanSim
An interactive ransomware simulation

RanSim Video 1

56:40:57
2.402 M

What Are The First Two Things You Do? (Choose Up To 2)

  1. Notify internal stakeholders of an active event: email company leaders and/or employees
  2. Work With Experienced Accounting Firm Who Offered Immediate Help
  3. Shut down systems and production to then start scanning and restoring
  4. Call Managed Service Provider or Managed Security Service Provider
  5. Call Breach Counselor (external lawyer)
  6. Call Insurance Carrier
  7. Roll out EDR (endpoint detection) tool to contain attack and help with forensics
  8. Turn off all internet connectivity
77:56:21
3.268 M

What are the first two things you do?

98:46:05
4.134 M

Fast Decisions Have Big Consequences

Best Options:

Turn off Internet (+0) – Stops the threat actor's (TA) ability to run command and control and do further damage

Call Breach Counselor (+0) – But pick them carefully. If they build the best team, this is a great option.

Next Best:

Notify Internal Stakeholders (+2) – Bad guys are often listening and tracking response

Call Carrier (+4) – Carriers don’t give you IR plans. They can help direct you to the best resources.

Roll out EDR (+4) – Restore remote access first, or the rollout is stuck being manual and slow

Work with Accounting firm (+5) – Do they have experience? Do they know where to send you?

Worst Options:

Shutdown Systems (+8) – Can cause more damage and delay restoration by weeks

Call MSP (+16) – They don’t have the expertise and may be part of the problem.

RanSim Video 2

141:20:25
5.866 M

How do you Handle The Situation?

Do You Start Immediately With Your In-House Team And Do What The Outside Lawyer And Forensics Team Need To Get Access To Forensics Data?

1. Yes, Start Immediately

2. No, Wait

How do you Handle The Situation?

Start immediately with your in-house team:

Add 14 days, 14 Million

Add 0 days, 0 Million

How do you Handle The Situation?

If You Are Getting Outside Help From Folks You Don’t Know/Trust, Do You Want Them Where Your Infrastructure Actually Resides (Onsite) So You Can See Them And Manage Them?

1. Yes, Demand Onsite

2. No, Allow Remote

How do you Handle The Situation?

Demand Onsite or Allow Remote?

Add 30 days, 30 Million

Add 0 days, 0 Million

How do you Handle The Situation?

New Environment Or Not: Bad Guys Had Free Rein In Your Environment. Do You Insist On Waiting For A Clean/Secure Environment?

1. “Greenfield”?

2. “Brownfield”?

How do you Handle The Situation?

Wait for clean environment or start immediately in existing environment?

Add 25 days, 25 million PLUS 15 million for Tech Costs

Add 0 days, 0 Million

How do you Handle The Situation?

Insider Or Outsider: Given Your Knowledge Of Your Infrastructure (And Your Teams), Do You Leverage The Outside Experts By Guiding What They Do?

1. Keep Strategy Lead Inside

2. Let Outside Lead Engagement

How do you Handle The Situation?

Guide outside experts or let them lead?

Add 40 days, 40 million

Add 0 days, 0 Million

FACTS

  1. Ransomware attacks are expensive, and Business Interruption is often the largest single expense (average 68%).
  2. The early decisions drive the Business Interruption costs, and those decisions are not “intuitive.”
  3. Approximately 85% of ransomware events have no professional help for making or implementing those critical early decisions.
  4. As an industry, we are leaving too much to chance when it comes to Business Interruption costs, from the early decisions to the execution of bringing critical systems back online.