Group 10 - Mircom Technologies LTD


MIRCOM TECHNOLOGIES LTD.

RESPONDING TO A RANSOMWARE ATTACK

The Attack (Sat, 21 Sept.)

CEO receives message regarding possible intrusion on the IT infrastructure

IT department stretched
- New ERP implementation
- Fiscal year end, highest sales month
- Departure of CIO

- Discovery of unknown file in the system with all data and backup encrypted. Ransom demand for recovery.
- Chat link to communicate over Darkweb

First Line of Defence (Sun, 22 Sept.)

- One-on-one meeting with HODs & board members to explain the gravity of the situation.
- Mircom contacts Royal Canadian Mounted Police (RCMP) and York Regional Police (YRP).
- CEO gathers incident response team and starts working on a solution; meanwhile a social media network is used as the comm. channel.
- Cyber-security specialist based in Israel contacted.

Mircom's multilevel backup system
- 1st: Backup copies on storage disks connected to the same network as primary files.
- 2nd: Copied files onto tapes and stored offsite; however, stopped working several months earlier.

Background (Sun, 22 Sept.)

History
- Originally established in 1961 by Antonio Falbo to manufacture intercom systems
- Fire Detection
- Building Automation
- Building Security
- Facility Supervision SaaS

Org
- Users in 100+ countries

Customers
- Airports, Hospitals, Stadiums
- Commercial, Residential, Industrial

Ransomware (Sun, 22 Sept.)

- Malicious software encrypting files, rendering them inaccessible
- Infiltration over weeks or months, observation of company operations
- To decrypt files, attackers demand 'ransom' which is generally paid in cryptocurrency to avoid traceability

Infiltrate: Time-consuming process involving finding points of weakness and embedding malware
Recce: Attackers study company systems and operations to maximize the attack's effectiveness
Exploit: Tactics such as phishing emails and social engineering to gain access

All Hands on Deck (Mon, 23 Sept.)

Urgent Response: Mark and Jason quickly assess the cyberattack situation and allocate responsibilities to manage the crisis effectively.

Focused Efforts: Jason leads IT recovery efforts, prioritizing restoration of critical systems like Active Directory and email servers.

Communication Channels: A WhatsApp group "Business Continuity" is established for stakeholder communication, ensuring transparency and collaboration.

Expert Consultation: Mark and Jason engage a cyber security consultant to understand the attack, evaluate ransom options, and strategize recovery.

All Hands on Deck (Mon, 23 Sept.)

Stakeholder Engagement: Key stakeholders are informed about the situation, reassured about business continuity, and managed with transparency.

Resource Allocation: Additional IT support is hired promptly to expedite recovery, addressing resource shortages and emerging challenges.

Problem Resolution: Ongoing efforts focus on promptly addressing emerging challenges and ensuring smooth operations amidst the crisis.

Urgent Response, Focused Efforts, Communication Channels, Expert Consultation, Stakeholder Engagement, Resource Allocation, Problem Resolution

Time to Negotiate (Tue, 24 Sept.)

Where to negotiate?
- Dark Web
- Specialized Browser
- Reference Number

Negotiations
- 10x Expected Ransom
- Option 3: Negotiate to buy time
- Reasonable & Business-Like Negotiations

Time to Negotiate (Tue, 24 Sept.)

Plus (Accessible)
- Goodwill
- Core Capabilities
- Specialized Knowledge of products & processes
- Talented Employees
- Business Relationship

Minus (Inaccessible)
- IP
- Source Code
- Digital Assets
- Data

Signs of Progress (Wed, 25 Sept.)

CLEANING HARDWARE
- 800 machines
- Boxed and shipped at head office
- Restored to factory settings
- Loaded with new application software
- Sent back to wherever they came from

BACKEND UPGRADATION
- Fortified and segmented network was built
- Firewalls reprogrammed
- Enhanced intrusion detection and enterprise-wide logging

Signs of Progress (Wed, 25 Sept.)

Mircom Gets a Break
- Contractor who had been working on the ERP upgradation project had a complete and usable copy of the company's ERP database

Next Step
- Assess what could be retrieved to restore the core systems

A Business Decision – CUSTOMER FIRST

Problem
- Customer sites are down

Solution
- Delay what can be delayed
- Get shipment going
- Paper book inventory accounting

Signs of Progress (Wed, 25 Sept.)

REBUILDING
- Internal IT Team: Rebuilt server infrastructure
- Microsoft Team & Internal Applications Team: Rebuilt ERP functionality

BUSINESS-WITHIN-A-BUSINESS
- Get a few dozen people working on a new clean network with clean equipment
- Single room operation with 25 people around
- Perform necessary activities to run the business

Good News for a Change (Sat, 28 & 30 Sept.)

Data recovery and Management
• ERP data found to be functional but outdated.
• Manual entry of last two weeks' transactions by staff.
• 50 new laptops purchased for data entry.
• Six weeks to digitize one week of paper records.
• Email restored on 30th Sept.

Next Several Weeks

Overcoming the Aftermath
• Full operations by Oct 7, including ancillary functions.
• Slow, ceased negotiations with attackers by mid-Oct.
• Help desk tool implemented for IT recovery task prioritization.

Reflection
- Human toll
- Financial impact
- Risk Management


THANK YOU
Group 10
Roll No. Name
2311474 V SACHIVENDRA YASKA
2311479 NALAWADE MANJEET ABHIJEET
2311493 ANU JOSEPH
2311495 MANAN SAMDANI
2311510 BRIJESH TAMANG
