This document outlines a ransomware tabletop exercise scenario for Purdue University Northwest. The exercise involves three modules that simulate a ransomware attack encrypting university data. In module 1, ransomware encrypts SAP databases during winter break. In module 2, backups are also encrypted and the ransom increases to $100,000. Module 3 finds financial data impacted in backups up to 6 months old, raising the ransom to $250,000. The purpose is to stimulate discussion on response processes, and objectives include facilitating interactive discussion on an appropriate response and communications strategy.
2. “In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing”
Theodore Roosevelt
3. • Ransomware Tabletop Exercise
• Exercise Purpose and Objectives
• Background Information
• Module 1— Ransomware Attack
• Module 2— Backup Tape Procedures Activated…Will We Pay?
• Module 3— Missing Data…Pay Ransom?
• Wrap-up
4. Purpose
• The purpose of this tabletop exercise will be to stimulate discussion on response processes and procedures due to a ransomware incident that impacts Purdue University Northwest.
5. OBJECTIVES
The tabletop exercise will:
a. Provide an opportunity for participants to consider essential internal and outward-facing elements of a ransomware incident response, all in a manner consistent with Purdue policies.
b. Facilitate the foregoing exercise by providing an opportunity for interactive discussion on an appropriate response to, and related communications concerning, a ransomware incident.
6. Why Ransomware?
• Education has the highest rate of ransomware attacks…
• 3 times the national rate compared to businesses, healthcare…
• The number of attacks has tripled in the last 12 months…
7. Module 1
• During the holiday break, ITAP technicians detect ransomware in several SAP databases. The ransomware has encrypted all of the data in the databases and made SAP unusable. Access to the impacted files can only be gained by paying the ransom or by restoring from the backup.
• At this point no one has contacted the University requesting a ransom.
8. Actions
• What actions should your area consider, if any? How will these actions be coordinated with other key partners?
• Would the Crisis Management Team be activated?
• If yes, who would initiate the activation?
• Will the Senior Leadership be notified?
9. Module 2
• The PNW IT technicians are reviewing their backup tape procedures and determining the impact. The perpetrator(s) have stated that they will “unlock” the encrypted files for $100,000. The FBI office has been contacted and is assisting University personnel.
10. Questions
• What would your strategy be if we only lose one day’s worth of data?
• Would our Cyber Insurance affect the decision? Do we have Cyber Insurance?
• Assume the recent backup is also not recoverable. The 6-month backup appears to not be impacted but it may take 1½ weeks to recover the data. Is using a 6-month backup a viable option to pursue?
• What would be the strategy to continue business for 1½ weeks?
• Would the Crisis Communications Activation Group be activated?
• What actions should non-IT areas consider? How will these actions be coordinated with other key partners?
11. Module 3
• IT professionals have determined that most of the University’s financial data has been impacted and the 6-month backup tape is also impacted. The 1-year backup tape is not impacted so they can recover data from 1 year ago. The perpetrator(s) now say they want $250,000 to unlock the files.
12. Questions
• Discuss overall strategy for ransomware payout.
• Would Cyber Insurance play a part in the various decisions?
• Discuss overall business strategy for this type of an incident.
• What would our communication strategy be?