
W28547

MIRCOM TECHNOLOGIES LTD. (A): RESPONDING TO A RANSOMWARE ATTACK

R. Chandrasekhar and Professors Laurel C. Austin and Robert D. Austin wrote this case solely to provide material for class discussion.
The authors do not intend to illustrate either effective or ineffective handling of a managerial situation. The authors may have disguised
certain names and other identifying information to protect confidentiality.

This publication may not be transmitted, photocopied, digitized, or otherwise reproduced in any form or by any means without the
permission of the copyright holder. Reproduction of this material is not covered under authorization by any reproduction rights
organization. To order copies or request permission to reproduce materials, contact Ivey Publishing, Ivey Business School, Western
University, London, Ontario, Canada, N6G 0N1; (t) 519.661.3208; (e) cases@ivey.ca; www.iveypublishing.ca. Our goal is to publish
materials of the highest quality; submit any errata to publishcases@ivey.ca.

Copyright © 2022, Ivey Business School Foundation Version: 2022-09-14

On the morning of Saturday, September 21, 2019, Mark Falbo, the president and chief executive officer of
Mircom Technologies Ltd. (Mircom), stepped out of an offsite meeting to respond to an urgent message
from Mike Yankoo, an information technology (IT) manager at Mircom. Mike had worked for several years
at Mircom, a medium-sized family business based in Ontario, Canada that provided smart building solutions
to its clients. In all the time Mike had worked at Mircom, he had never sent a distress call like this one.
When Mark reached him, Mike said that the company’s network monitoring tools were indicating a possible
intrusion. He had shut down servers, as he had done in the past when intrusion detection tools alarmed, but
now the servers would not reboot.

Mircom had experienced denial of service (DoS) and malware attacks before, so Mark wondered if Mike was
over-reacting. The company’s IT department had been stretched thin since the departure of the chief
information officer (CIO) one week earlier. Mark thought it wise to call a CIO-for-hire who had worked for
Mircom on a part-time basis in the past. He advised contacting a consultant in Ottawa, which Mark did. The
consultant agreed to work with Mike to investigate the problem immediately. Also, most of the company
business operations would be dormant for the rest of the weekend, allowing plenty of time to resolve any
issue. Mark believed that Mircom’s systems would be quickly restored. But he took a moment to call and
brief his brother, Jason Falbo, the company’s Chief Technology Officer, before returning to the meeting.

After being alerted to the problem, Jason—ever the engineer—saw this as a technical challenge to dissect,
one they would solve in short order. His first step was to reach out to his network of contacts who had
experienced IT breaches and recovered from them. By Saturday evening, Jason had shortlisted three cyber-
security experts to interview for engagement on Monday, if necessary.

On Saturday afternoon, Mike and the consultant discovered a message within a system file that they did not
recognize. The message informed them that attackers had encrypted all company files, including backups, and
that Mircom would have to pay a ransom to recover the files and bring its servers back online. The note
provided a ticket number for Mircom representatives to reference in communications with attackers.
Presumably, the reference number was needed so that the attackers would know which attack—of all of their
attacks currently in progress—a communication concerned. It also directed them to use a chat link provided
in the message to communicate with the attackers and told them they had 48 hours to do so (see Exhibit 1).

This document is authorized for use only in Manoj Kumar's AWS IoT and Cyber Security at Goa Institute of Management from Sep 2023 to Mar 2024.
Page 2 W25847

When Mike informed Mark about what they had found, Mark’s heart sank. The problem was more serious
than he had thought. To make matters worse, the company’s fiscal year end was only nine days away, at
the end of what was typically Mircom’s highest sales month. Mircom risked losing its final big sales push
for this fiscal year. This was also the time for getting as many products out the door as possible, preparing
for inventory counts and annual audits, and a variety of other year-end activities—all of which depended
on fully functioning IT systems.

On Saturday night, Mark had one-on-one phone meetings with Mircom’s heads of finance, legal, purchasing,
sales, operations, and human resources, as well as family member co-owners. Email was down, so he called
each of them without forewarning. There was an IT breach, he explained, and it was a larger problem than
initially believed. He asked everyone to convene at the office early the next morning to plan for a path forward.
Mike, who was continuing to examine the problem, would provide an update at that meeting.

SUNDAY, SEPTEMBER 22: FIRST LINES OF DEFENSE

Mark contacted a close friend with connections at the Royal Canadian Mounted Police (RCMP) and York
Regional Police (YRP) to determine what help might be available from law enforcement authorities. He
learned that while the YRP had an internal group dedicated to cyber-crime, limited resources and
jurisdictional restrictions meant they focused more on collecting information about attacks than on active
remediation. The situation at the federal level, with the RCMP, was similar; an RCMP captain asked Mark
to “keep them in the loop” as Mircom worked to resolve the situation.

At the Sunday morning executive committee meeting, managers struggled with the full implications of the
attack. In addition to the already in-progress year-end sales push and looming year-end closing activities,
Mircom was in the middle of implementing a new Enterprise Resource Planning (ERP) system and in the
middle of redesigning its plant floor. All of these activities were being conducted with a leadership vacuum
in the IT department due to the departure of the CIO one week earlier, after giving just one week’s notice.

In his update at the meeting, Mike listed the company’s downed systems, which included the company’s
servers, all employee desktop and laptop computers, email—pretty much everything. Worse, he said that
backup copies of their files were not usable. Like many mid-market organizations, Mircom had a multi-level
backup system. First, it kept backup copies of files on storage disks connected to the same network partition
as primary data files. Second, it regularly copied all system files onto tapes that were stored off site.

True to their word, the attackers had encrypted the first set of backups, which they were able to access in
the same way that they had accessed primary files. But that was okay, Mircom executives thought, because
they had the offsite tape backups, which were kept offline and not connected to any network. It was at this
exceedingly inconvenient moment that participants at the meeting discovered that the off-site backup
system had stopped working several months earlier. IT had sent a request to replace it, but the request had
gone into a queue with other expenditure requests to await the annual capital expenditures budget review.
As Jason explained, “We knew the malfunctioning archive system was an issue. We were investigating a
more modern solution to replace the tape archives, thinking, ‘if our primary server goes down, we have our
local back up.’ To be honest, the risk of a cyber-attack was beyond the scope of our planning.”
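The two backup weaknesses described above (a first tier reachable from the same network as the primary files, and an offline tier that had silently stopped running months earlier) are both detectable before an incident if someone checks backup posture routinely. The following is an added example, not code from the case or from Mircom, of such a check. The tier names, dates and tolerances are constructed for illustration and are not Mircom's real configuration.

```python
"""Backup-posture check (added example). Flags online copies that share the
production network, backup tiers whose last successful job is stale, and
tiers that have never been restore-tested. All sample data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class BackupTier:
    name: str
    offline: bool                      # physically disconnected from the network
    same_network_as_primary: bool      # reachable with the same paths/credentials as production data
    last_successful: Optional[date]    # date the last job completed, None if never
    last_restore_test: Optional[date]  # date someone actually restored from it, None if never
    max_age_days: int                  # tolerated gap between successful jobs


RESTORE_TEST_INTERVAL_DAYS = 90        # assumed policy value


def assess_backups(tiers: List[BackupTier], today: date) -> List[Tuple[str, str]]:
    """Return (tier name, finding) pairs; an empty list means no issue found."""
    findings = []
    for t in tiers:
        if t.same_network_as_primary and not t.offline:
            findings.append((t.name, "reachable from the production network: whatever encrypts "
                                     "the primary files can reach this copy too"))
        if t.last_successful is None:
            findings.append((t.name, "no successful backup on record"))
        else:
            age = (today - t.last_successful).days
            if age > t.max_age_days:
                findings.append((t.name, f"stale: last success {age} days ago, limit {t.max_age_days}"))
        if t.last_restore_test is None or (today - t.last_restore_test).days > RESTORE_TEST_INTERVAL_DAYS:
            findings.append((t.name, f"no restore test in the last {RESTORE_TEST_INTERVAL_DAYS} days"))
    return findings


def usable_offline_tier(tiers: List[BackupTier], today: date) -> bool:
    """True if at least one offline tier is fresh and has a recent, successful restore test."""
    for t in tiers:
        if not t.offline or t.last_successful is None or t.last_restore_test is None:
            continue
        fresh = (today - t.last_successful).days <= t.max_age_days
        tested = (today - t.last_restore_test).days <= RESTORE_TEST_INTERVAL_DAYS
        if fresh and tested:
            return True
    return False


# Constructed sample modelled on the situation the case describes: a daily
# on-network disk copy, and an offsite tape tier whose last job ran months ago.
INCIDENT_DATE = date(2019, 9, 21)
CONSTRUCTED_TIERS = [
    BackupTier("local disk copies", offline=False, same_network_as_primary=True,
               last_successful=date(2019, 9, 20), last_restore_test=date(2019, 8, 1),
               max_age_days=1),
    BackupTier("offsite tape", offline=True, same_network_as_primary=False,
               last_successful=date(2019, 4, 30), last_restore_test=None,
               max_age_days=7),
]

if __name__ == "__main__":
    for name, finding in assess_backups(CONSTRUCTED_TIERS, INCIDENT_DATE):
        print(f"{name}: {finding}")
    print("usable offline tier:", usable_offline_tier(CONSTRUCTED_TIERS, INCIDENT_DATE))
```

Run against the constructed sample, the check reports the on-network copy as reachable from production, the tape tier as 144 days stale and never restore-tested, and concludes that no usable offline tier exists; a scheduled job producing that last line would have surfaced the problem long before a weekend incident did.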

The situation was grave. Jason explained the extent of the damage: “We had no ledgers, no payables or
receivables, no purchase orders, no record of scheduling commitments, and we were unsure of our
inventory. We had no access to our IP (intellectual property). We had lost everything.”


Mark further explained what the ramifications were of such an extensive systems loss:

We wouldn’t be able to ship and were largely unable to communicate. We were blind. We had
customers all over the world. If a local office did not have customer information on their cell phone,
how could we reach them? You can think about posting notices on your website but that’s open to
the world, and you don’t know what to say at that point. Really, as you start to unwind that ball of
string, and as you start to examine the layers, every turn opens another bigger issue in terms of
accessing information and communicating information.

Their priority was to get an incident response team together and get them working to find a solution. Mark
and Jason decided to use a social media platform to communicate and coordinate their activities. Jason
completed his interviews with recommended consultants. He decided to engage a cyber-security specialist
located in Israel and sent him a message. Given the time-zone difference, he knew nothing more could
happen before early Monday, the next working day.

BACKGROUND ON MIRCOM’S OPERATIONS AND IT DEPARTMENT

Mircom was a Toronto-based designer, manufacturer, and distributor of “intelligent” building solutions. The
company was originally founded in 1961 by Antonio (Tony) Falbo, an Italian immigrant who manufactured
intercommunication (or intercom) systems. Tony sold the original business three decades later and launched
Mircom in 1991, a company that manufactured fire detection, building automation, and building security
products. The company’s vision was “making buildings worldwide safer, smarter, and more liveable.” Its
stated mission was to “protect lives and property by having a customer centric focus, leveraging a program of
continuous improvement, and delivering cost effective life safety system solutions.”

Over time, Mircom transformed both its manufacturing and sales models. The company’s products evolved
from physical hardware, such as electrical boxes stored in an electrical closet, to software solutions hosted
on the cloud. It also evolved from selling physical products to providing software-as-a-service through a
subscription model. The transition was aligned with the enterprise building solutions industry, which had
also changed over time from supplying hardware to providing integrated software platforms that allowed a
large physical facility to be supervised from a single digital portal. Equipment breakdowns showed up in
graphical displays, making it easy to locate and remedy faults. Such systems were included in most new
constructions but were also retrofitted into older buildings. The building categories included commercial
(e.g., office towers and shopping malls), institutional (e.g., libraries and hospitals), residential (e.g.,
apartment and condo buildings) and industrial facilities (e.g., factories and warehouses).

Mircom’s customers consisted of distribution partners and end users in more than 100 countries. The
company’s flagship system, FleX-Net, had been installed worldwide in airports, hospitals, subways, sports
stadiums, military ships, oil and gas refineries, and power generation stations. Preventative maintenance
agreements and subscription-based offerings provided a stable source of revenue. But digitalization of the
industry had made it vulnerable to cyber-attacks and an attractive target for ransomware.

By 2019, Mircom was one of the largest independent fire alarm manufacturers and distributors of building
solutions in North America, and one of the fastest-growing companies in the building solutions sector. It
had earned “Platinum Club” designation as one of Canada’s Best Managed Companies in an annual survey
by Deloitte.1 The company had 650 employees in total, with 450 in Canada, about 60 in the United States,

1. “Canada’s Best Managed Companies: Platinum Club Members,” Deloitte, accessed March 5, 2022, https://www2.deloitte.com/ca/en/pages/canadas-best-managed-companies/articles/platinum-club-members.html.


and the rest in various locations around the world. About 250 employees were involved in manufacturing
operations based in Vaughan, Ontario. Mircom had expanded manufacturing in 2021 by acquiring a new
plant in Montreal, Quebec.

IT was central to Mircom’s operations. Internal and external communications relied on email and on voice-
over-IP (internet protocol) telephones. Furthermore, “the ERP system,” Jason explained, “is basically the
central nervous system of the company. It stores all our material requirements, customer order data,
financial data, active projects’ information like what you’ve delivered and what’s outstanding.”

A PRIMER ON RANSOMWARE ATTACKS

Ransomware was a type of malware (or malicious software) that helped attackers gain access to a
company’s internal systems and encrypt its files to render them inaccessible to anyone but the attacker.
Literally, the malware locked the company’s owners out of their own systems and data.2 Decrypting files to
make them accessible again required a key that attackers promised to provide upon being paid a ransom.
The attackers used highly complex encryption that made other approaches to unlocking the files infeasible.
Attackers sought payment in untraceable cryptocurrency (e.g., bitcoin).

Ransomware attacks required infiltrating a company’s systems. Infiltration typically took weeks, or even
months. It took time to find a way in and embed malware. Also, to be effective, attackers needed to learn
about a company’s systems, how its backup systems worked, for example, and where backups were kept.
Attackers often took time to observe a company’s operations, to determine when an attack would generate
the most urgency (at financial year-end, for example).3

Intrusion detection and network monitoring tools helped companies detect and stop infiltration attempts,
but they were not perfect. Attackers used increasingly ingenious methods for penetrating defences,
including exploiting human weaknesses (e.g., by tricking people into clicking on links in an email, or
talking them out of a password by posing as company employees).

The damaging effects of ransomware attacks could include the financial loss from paying a ransom, data
recovery costs in the aftermath of the attack, revenue loss due to downtime, productivity loss, and various
other adverse effects depending on the circumstances.4 In recent years, ransom attackers had become
increasingly sophisticated organized criminals that operated like modern transnational businesses, often
with internal hierarchies and revenue and profit goals.5 Supporting business infrastructure had also sprung
up, which allowed attackers to lease sophisticated attack components in “ransomware-as-a-service”
arrangements, where the attackers and their service providers would split the profits.6

2. “What Is Ransomware?” McAfee, accessed March 5, 2022, https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware.html.
3. Dave Chatterjee and Art Ehuan, “A Deep Dive into Ransomware Attacks and Negotiations,” Cybersecurity Readiness, podcast, March 2, 2022, https://the-cybersecurity-readi.captivate.fm/episode/a-deep-dive-into-ransomware-attacks-and-negotiations.
4. Aaron Zimba, Zhaoshun Wang, and Mumbi Chishimba, “Addressing Crypto-Ransomware Attacks: Before You Decide whether To-Pay or Not-To,” Journal of Computer Information Systems 61, no. 1 (2021): 53–63.
5. Gerrit De Vynck, Rachel Lerman, Ellen Nakashima, and Chris Alcantara, “The Anatomy of a Ransomware Attack,” The Washington Post, July 9, 2021, https://www.washingtonpost.com/technology/2021/07/09/how-ransomware-attack-works.
6. Alissa Valentina Knight, Ransomware Inc: The Rise of Targeted Ransomware Crime Syndicates, white paper sponsored by Illusive Networks, December 2020, https://go.illusivenetworks.com/hubfs/The%20Rise%20of%20Targeted%20Ransomware%20eBook.pdf.


Ransomware attackers concentrated on sectors with minimum tolerance for disruption and timed attacks to
coincide with critical operational periods. Some attackers focused on so-called “big-game hunting,”
targeting organizations known to have ‘deep pockets.’ In recent years, there had been a shift away from
high-volume, indiscriminate “spray-and-pray” attack strategies toward more targeted “stay-and-play”
strategies, in which operators carefully selected victims and took time to study them and understand their
businesses and systems, before moving in with surgical precision.7

The cyber security consultant explained what this all meant to Mircom executives: “The attackers are
motivated by money. They are not emotional. If you negotiate, you have got to give them a reasonable play.
Time is the enemy for both parties.”

MONDAY, SEPTEMBER 23: ALL HANDS ON DECK

By Monday morning, Mark and Jason realized they were facing an all-hands-on-deck situation in which
every possible mode of assistance would be welcome. They divided up responsibilities. Mark, who was a
lawyer and an MBA graduate, would concentrate on managing the business and interacting with internal
and external stakeholders. Jason, who was a professional engineer and an MBA graduate, would focus on
restoring internal operations.

Jason gathered the company’s IT staff to coordinate a recovery plan. “I literally picked up my laptop and
moved my office over to the IT department,” he explained. “We started with a ‘this is war’ mentality and
prioritized what we needed to do.” The immediate priority was to restore the basic infrastructure for the
business. This meant restoration of system files, but it seemed like a dead end without viable backups. Jason
assigned small teams to specific pressing issues (see Exhibit 2: Areas of Action and Exhibit 3: Areas of
Responsibility). One priority was to restore Active Directory and the email server; that would at least
recover email, which was the primary means of communication with employees.

Jason quickly familiarized himself with the company’s IT team and infrastructure. He realized that no single
employee was responsible for cyber-security, and that only one document described the company’s network
architecture (see Exhibit 4). The document showed that, in addition to systems at the head office, there were
21 remote servers that needed to be rebuilt to restore company operations.

Management Communication

Responding to the executive decision to use social media to communicate while email was disabled, the IT
team recommended and set up a WhatsApp group called “Business Continuity.” The group consisted of
departmental heads, functional managers, and branch managers. The idea was to control the rumour mill
and bring people at the branches closer to what was happening at the head office. Soon, members of the
business continuity group were collaborating on potential solutions.

Meeting with a Cyber-Security Expert

One of the first questions Mark and Jason asked the cyber-security consultant they had retained was, “Who
is behind the attack, and where are they?” The consultant said the identity and location were likely to remain

7. “Ransomware Threat Report 2021,” Unit 42, Palo Alto Networks, April 20, 2021, https://www.paloaltonetworks.com/resources/research/unit42-ransomware-threat-report-2021.


unknown. It was most likely, he speculated, a criminal gang based somewhere in Eastern Europe. Answers
like this led Mark to another uncomfortable realization about dealing with a problem like this: No one can
give you a simple answer.

The consultant explained the three-pronged service his organization could provide. First, they would determine
what happened, which unfortunately required not making any changes to Mircom’s systems in order to allow a
proper diagnosis on exactly how the attack occurred. This requirement caused some frustration because it
prevented any efforts to begin restoring the company’s systems—at least for the immediate period. Second, after
the consultants had assessed and understood the situation, they would help compartmentalize, protect, and restore
the company’s systems. Third, they would advise in negotiations with the attackers.

The consultant also spelled out three potential paths forward. The first was to ignore the ransom demand
and go right to backups, restart the business, and move on. Of course, this option was only possible if an
organization had accessible backups, which was not the case for Mircom. For the second path, he explained
that if Mircom was completely dependent on the decryption keys, they must obviously engage in
negotiation. The third path forward was a “middle path” where Mircom could start negotiations to buy some
time until they did a further assessment of their ability to recover the data on their own.

The consultant then provided an estimated amount of ransom that the attackers might ask Mircom to pay.
Mark said, “So we were kind of thinking, okay at a reasonable level we might just play ball with them.” He
then conducted a cost–benefit analysis to decide what a “reasonable” ransom demand might be. Mark and
Jason also asked how they could be sure that the attackers would provide a decryption key, as they claimed
they would, after being paid the ransom. Surprisingly, the consultant assured them that the attackers would
very likely provide a decryption key because they had a “code of honour.” Also, if the word got out that
they had not provided a decryption key, it was unlikely that the next victim would pay.

Communications

Mark wondered who to inform about the attack, and what to say. He notified the company’s bankers that
his team was working to bring things under control. He also consulted external legal counsel and the
auditors who were to conduct the year-end audit.

He was unsure who among the company’s vendors and customers he should confide in. The situation was
likely to remain fluid for some time, making it hard to know exactly what to say. He wanted to be
transparent. That would mean conveying that there was a problem, that things were not ‘all okay,’ but he
also wanted to be able to say truthfully, that the company could continue running its business. He felt caught
between a rock and a hard place.

Even internally, he was unsure who could be taken into confidence and how much to tell them. Despite
considering himself to be an objective and rational manager with a clinical approach to business issues,
Mark was beginning to feel something resembling paranoia. For example, fearing that his calls could be
monitored by the attackers, he found himself hesitant to even send text messages.

Hiring Additional IT Support

Jason decided to hire IT contractors to help with the recovery process:


We had to bring in a networking consultant, a Microsoft Azure consultant, a cyber-security
specialist, as well as a number of others. And since, as owners, we were closely involved, we made
those choices very quickly. We didn’t have to go through a long procurement process. For example,
we saw that we didn’t have enough internal resources for the recovery—a major problem—and
immediately dealt with it.

Each IT consultant cost CA$150⁸ to $300 per hour, which made it an expensive undertaking.

Mounting Problems

As Monday progressed, managers at various levels reported more surprises and difficulties related to the
attack. The company did not have enough software licences to set up new computers. Some of the old
hardware was incompatible with newer versions of desktop operating software. Malware protection
software was overdue for renewal on some computers.

TUESDAY SEPTEMBER 24: TIME TO NEGOTIATE

Mircom’s Israel-based cyber-security consultant began negotiations on Tuesday, September 24. The
process required accessing a portal on the dark web using a specialized browser, then entering the reference
number the attackers had provided. The ransom demand they received back was almost 10 times the amount
Mark had expected. According to his cost–benefit analysis, the ransom amount was too much to pay. The
attackers threatened that they would delete all the company’s encrypted data unless they received
payment within a couple of days. Mark and Jason decided to pursue the third option the consultant had
presented—negotiate to buy time and find another solution to the problem.

The attacker’s negotiator signalled a willingness to be reasonable. However, communication with the
attackers took place over an exotic email system that was fraught with technical difficulty. It was sometimes
difficult to connect, and the attackers often did not respond right away. Their interactions lacked emotive
elements—there were no threats or ominous predictions. It was all very business-like—Mark would
negotiate low, the attacker would renegotiate high, and the two sides would spar for a while.

Dire Options

Jason now had a better appreciation for the long and difficult uphill battle Mircom was facing. He assessed what
the company still possessed: its goodwill, core capabilities, specialized knowledge of products and processes,
talented employees, and business relationships. The market needed what Mircom could deliver. But of course,
its intellectual property, source code, and digital assets were not accessible, which made the operational situation
untenable. Without data, the company had no record of what was owed to vendors or what was due from
customers. Jason couldn’t imagine asking, “Hey, Mr. Big Customer, can you please honestly tell me what you
owe me because I don’t have a record of what I have delivered to you?” The engineer in Jason urged him to find
a practical solution. In conversations, Mark, Jason, and another brother Rick, also an owner, were able to reassure
themselves that they would find a solution. Failure was not an option.

8. All currency amounts are in CA$ unless otherwise specified.


WEDNESDAY, SEPTEMBER 25: SIGNS OF PROGRESS

Cleaning Existing Hardware

Jason assembled a group of employees to start cleaning every piece of computer hardware company-wide,
about 800 machines in total. Each machine was packed in a box and shipped to a central room at the
company’s head office. There it was restored to factory settings, loaded with new application software,
including malware detection, and put back in boxes to be sent back to wherever it came from. Outside staff
were hired to work after hours on this process. The team prioritized cleaning a few computers for each
branch rather than all the computers for a branch at once. Though everyone agreed this was a sensible
approach, employees whose computers were not included in an early cleaning round grew frustrated with
not being able to do their jobs. At the same time, the IT team worked on restoring generic functionality of
Mircom’s backend operations. A newly fortified and segmented network was built, with reprogrammed
firewalls, enhanced intrusion detection, and enterprise-wide logging.

However, generic functionality was of little use while the company’s data remained encrypted and
inaccessible. This meant that any system that was back in operation could only access new data. For example,
Mircom’s email server could allow new emails to be sent and received, but no past emails could be accessed.
The same was true for all data in the company’s various transactional systems. The IT team was able to restore
the company’s “brain function,” but without access to the encrypted data, the company had no “memory.”

Mircom Gets a Break

Efforts to recover and restore data from the encrypted files had been ineffective. But a lucky break finally
surfaced on Wednesday. A contractor who had been working on the company’s ERP upgrade project
informed Mircom executives that he believed he had a complete and usable copy of the company’s ERP
database stored at his location. He had been given permission to take the data offsite because he felt that
would allow him to work more productively. No one remembered that he had done this, but everyone was
delighted to hear the news. The backup was not completely up to date, but it was an accessible and recent
copy of many of Mircom’s most important files. The IT team started assessing what could be retrieved from
the contractor’s offsite backup to help restore the core systems.

Customers First

Mark was growing increasingly concerned about customers. He explained their solution.

We are a life and safety property protection business, and there may be customer sites down. There
may be things that need to be done. And so, we said, the stuff that can be delayed can be delayed.
But let us keep the shipments going. Start scribbling on the back of napkins to record whatever
inventory you take off the shelves for shipment. Let’s be customer centric first.

That was an expensive decision. I’m sure hundreds of thousands—potentially, millions—of dollars
of inventory went out the door without proper tracking. What went out? Did we ever bill it? Did
we not bill it? Was it in the right place? But you’re making these time-pressured decisions to make
sure that things go as needed.


Rebuilding

Starting on Wednesday, cyber-security consultants and Mircom’s internal IT team effectively rebuilt
Mircom’s server infrastructure. A team from Microsoft Corporation worked with the internal applications
team to rebuild its ERP functionality. Everyone in the company wanted their specific problem investigated
quickly, but there were a limited number of people to do the vast amount of work. This caused a
considerable amount of stress and anger. People were calling IT, saying their computer did not work, and
demanding that IT fix it immediately. Jason stationed someone at the door to IT to screen people who
arrived. A quick triage process was implemented to determine who was allowed into the room to describe
their problem in more detail.

Business-within-a-Business Approach

Mircom implemented a business-within-a-business approach to stay up and running (see Exhibit 5). Jason
explained:

We used to have a company of 600 people, 80+ servers, 5,000 products, a tonne of services. Our first
corporate recovery objective was figuring out how to get a few dozen people working on a new clean
network with clean equipment, doing the basic activities needed to run our business. Enter the order,
pick, pack, ship, and repeat. How do we bootstrap a core team of people and the minimal set of
equipment that we have available to create the kernel of “New Mircom” that we can then expand and
grow? And when I say micro company, we shrank to a single room operation with 25 people around
the table. That was the new “business within the business.” And we built up from there.

SATURDAY, SEPTEMBER 28: GOOD NEWS FOR A CHANGE

Backup Success!

By Saturday—one week after the attack on Mircom’s systems—the IT team reported to Mark and Jason that
the copy of the data provided by the ERP contractor was fully functional, although it had not been updated
for two weeks, since September 14. This meant that employees would have to figure out a way to re-enter all
transactional data created between September 14 and September 28. Senior managers in each customer facing
department (e.g., finance, manufacturing, operations, sales, logistics, service) took charge. Every employee
was asked to retrieve manual copies of whatever transactions they had completed since September 14.

Branch administrators were flown in from Montreal, Edmonton, and other Canadian cities to help with the
process. Using paper copies as source data, the administrators worked on re-entering all transactions needed
to fill the two-week gap. A new problem surfaced when the team ran out of available refreshed computers
to input the data. Several employees were sent out to five different retail stores in the Toronto area to buy
50 new laptops. In the end, reconstructing one week of transactions from paper sources to proper digital
format took six full weeks of painstaking effort.

MONDAY SEPTEMBER 30: EMAIL COMES BACK ONLINE

Nine days after the attack, Mircom’s email system was up and running on a newly designed cloud instance
of Microsoft Office 365 server.


THE NEXT SEVERAL WEEKS

Up and Running

Mircom was largely up and running again by October 7. But it took at least another three weeks to get all
the ancillary functions, like the print shop, up and running. The company was close to fully functioning by
November. However, it took several more weeks to implement additional upgrades and changes, and to
input some of the lower priority data recorded on paper ledgers during the system downtime.

Continuing Negotiations

Mircom continued exchanging messages with the attackers, with variable waiting times for each response—
often six to ten hours, sometimes several days, and once, an entire week. The slow process was maddening,
but it gave Mark time to strategize his responses. The negotiations continued until mid-October when the
attackers simply stopped responding. In the end, he felt confident that Mircom’s own recovery process had
sufficiently advanced to the point where getting the old data back would be nice to have, but it was no
longer critical. The Mircom team had rebuilt significantly from available backups and had new
infrastructure and modernized IT systems up and running.

Prioritizing Post-Recovery

Even though systems were mostly recovered, there were still many requests coming into IT from across the
company. In early October, Mircom subscribed to a help desk management tool that assigned a service
ticket to each request. The new tool allowed the IT team to properly track and prioritize all work requests
according to urgency. The list of requests was reviewed four times per day.

How the Attackers Got In

While Mark and Jason never questioned the integrity of Mircom’s former chief information officer, some
at Mircom wondered aloud if it was more than coincidence that the attack happened just one week after the
previous CIO left. The cyber security firm Mircom had hired was able to provide a firm ‘no’ in answer to
this speculation. They determined that a virus had come into the company through a branch server that had
not been updated with a patch to address a known security issue. The initial breach had occurred much
earlier that year. The attackers had then spent several weeks monitoring Mircom’s systems, gathering
intelligence, and figuring out the best time to launch the attack.

REFLECTIONS ON THE IMPACT OF A RANSOMWARE ATTACK

Reflections on the Human Toll

Mark reflected on the attack’s impact on the people at Mircom:

As the days wore on, I would find myself getting into the office at 7:00 a.m. You would stay in the
office until about midnight or 1:00 a.m. You’d be eating high-carb [carbohydrate] pizza and
sandwiches all day long. You’d be stressed about all the conversations and discussions. You’d
collapse in your bed and fall asleep immediately, but at 2:00 a.m. or 3:00 a.m. you jump out of bed
and say, “I forgot this, I didn’t think about that, I’ve got to do something.” And then you don’t fall
asleep again until 4:00 or 4:30 and you’re back up again at 6:00 to get into the office. And as the
days wore on and you’re not taking care of your eating, you’re not taking care of your exercise,
you’re not taking care of your sleep, you’re grinding. Although we were telling people to take a
measured approach to it, in the early days—the first week or 10 days—there was a high sense of
urgency.

Reflections on the Financial Cost

Mark reflected on the extensive financial impact of the attack on the company:

I think the stats [on the average cost and time to recover from a ransomware attack] are probably
pretty accurate. They say something like, “It takes on average 90 days to remediate an average
company and is going to be about $2.5 million in costs.” At first, I said, “No way, it’s not going to
take that long and there’s no way it’s going to cost that much money.” Now, I think those stats are
understating the costs. Our company spent millions—not just for remediation. But as you invest in
the platform and you go forward—you know, some of the ancillary fallout from the collateral
damage, like the inventory going out and not being tracked—it’s in the millions of dollars.

Reflections on Managing Risk

Finally, Mark reflected on the critical need for a company to manage risk: “When you’re designing for
cyber-security, it’s not ‘can you or can’t you do it.’ It’s how much money do you want to throw at that risk.
It’s a risk assessment like anything else.”


EXHIBIT 1: MESSAGE FROM THE RANSOMWARE ATTACKERS (EXCERPTS)

Respective Mircom, your network has been penetrated.

All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted, or backup disks were formatted.
No working decryption software is available from other sources.
Do not rename the encrypted or informational text files.
Do not move the encrypted or informational text files.
Doing this may lead to the impossibility of recovery of certain files.

• Your reference ID is [ID Number] (we recommend putting the reference ID in the
subject line of messages when contacting us)
• Use the Chat Link at the bottom of this page to contact us to negotiate the price you
will need to pay to obtain your decryption keys. You have 48 hours to contact us.

This link and the decryption key will expire in 14 days after your systems were infected.
Sharing this link will lead to the irreversible removal of the decryption keys.

01 days 06h:07m:55s remains for special price.

Source: Company documents.

EXHIBIT 2: AREAS OF ACTION

Source: Company documents.


EXHIBIT 3: AREAS OF RESPONSIBILITY

Source: Company documents.

EXHIBIT 4: SYSTEM ARCHITECTURE (PRE-ATTACK)

[Figure: network diagram of Mircom’s pre-attack wide-area network. Sites shown: Quebec Head Office (new), Victoria BC, Ottawa, London, Montreal, Oshawa, Kelowna (BC), Edmonton, California, Niagara, Hamilton, Halifax, Calgary, Chicago, Mircom Florida (A1Fire), and MDI. Each site is annotated with its site code (EX, MGOC, and Map numbers), ISP link (Terago or Comcast), gateway, Internet, and internal IP addresses (deleted), and the date of its last change (2011–2013). Edge devices noted include a Cisco ASA5505, Cisco WRVS4400N wireless routers, and a Cisco 181W router; some sites are marked RDP-S.]

Note: GW = gateway; Int = Internet; IP = Internet protocol; IP addresses and other confidential info deleted for confidentiality
reasons.
Source: Adapted by the case authors from company documents.


EXHIBIT 5: “BUSINESS WITHIN A BUSINESS” CORE TEAM

Source: Company documents.
