10.3 Ransomware Incident and Business Continuity Lab
Key Takeaways
- Ransomware response integrates incident management, legal coordination, evidence preservation, communications, recovery, and continuity.
- Business continuity decisions should be driven by critical process priorities, RTO, RPO, safety, and customer impact.
- Backups are useful only when they are protected, restorable, tested, and aligned to business recovery needs.
- Management should separate containment, eradication, recovery, and post-incident improvement while maintaining executive decision records.
Incident Scenario: Encryption Spreads Before Payroll Cutoff
A regional healthcare organization discovers ransomware on file servers, several virtual desktops, and one application server that supports appointment scheduling. The attacker claims to have copied patient data and threatens public release. Payroll processing is due in two days. Clinical care is still operating, but some departments have shifted to downtime procedures. Executives ask whether to pay, whether to shut down the network, and when systems will be restored.
The first priority is safety and critical services. In healthcare, patient care and life safety outrank convenience and normal productivity. The incident commander should coordinate with clinical leadership to identify services that must remain available, systems that can be isolated, and manual processes that can continue. Security should not make isolation decisions without understanding patient care impact, but operations should not keep infected systems online without risk review.
Incident response should follow defined phases while allowing emergency judgment. Preparation includes roles, contacts, playbooks, logging, backup design, legal relationships, and communications templates. Detection and analysis confirm scope, affected assets, data exposure indicators, initial access, and active attacker presence. Containment limits spread. Eradication removes malicious access and persistence. Recovery restores trustworthy service. A lessons-learned review improves controls.
Legal and privacy counsel should be engaged early because the attacker claims data theft. The organization may have breach notification duties, contractual notice requirements, law enforcement considerations, insurance requirements, and preservation obligations. Counsel can help protect privileged communications where appropriate, but legal involvement should not stop technical teams from preserving evidence and restoring critical services.
Evidence preservation matters. Teams should capture logs, affected host images where feasible, ransom notes, indicators of compromise, authentication logs, endpoint alerts, firewall records, and backup status. However, preservation must be balanced with urgent containment and recovery. A CISSP manager should avoid both extremes: destroying evidence casually or delaying critical restoration for perfect forensics when patient care is at risk.
Business continuity and disaster recovery guide recovery priorities. A business impact analysis should have identified critical processes, maximum tolerable downtime, recovery time objectives, recovery point objectives, dependencies, manual workarounds, and communication paths. If the organization has not done that work, the incident team must rapidly build a priority list with executives. Payroll may be important, but patient scheduling, medication systems, and clinical workflows may outrank it.
| Decision point | Security question | Business continuity question | Evidence needed |
|---|---|---|---|
| Network isolation | Will connectivity allow spread or attacker control? | What critical services fail if isolated? | Dependency map, current indicators, executive approval |
| Backup restoration | Are backups clean and protected? | Does restore meet RTO and RPO? | Backup logs, malware scan, restore test result |
| Data theft claim | Is there evidence of exfiltration? | Who must be notified and when? | Egress logs, file access logs, legal assessment |
| Payment discussion | Would payment create legal or ethical issues? | Are viable recovery options available? | Counsel input, insurance terms, recovery estimate |
| Public communication | What is known and confirmed? | Who needs timely updates? | Approved message, stakeholder list, update cadence |
Backups must be handled carefully. Restoring from a backup that contains malware, stolen credentials, or vulnerable configurations can restart the incident. The team should verify backup integrity, scan restored systems, rebuild critical servers where needed, rotate credentials, close initial access paths, and monitor for reentry. Immutable or offline backups are valuable because ransomware often targets backup systems first.
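The recovery-priority reasoning above (the BIA-driven priority list, the backup restoration row of the decision table, and the backup validation paragraph) can be made concrete as a restore-sequencing check. This is an added example, not part of the lab text; the inventory, RTO/RPO values, backup ages and restore estimates are constructed for illustration.

```python
# Added example: apply the lab's backup-restoration questions to a constructed
# inventory and produce an ordered restore plan with flags. All values are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class System:
    name: str
    priority: int              # 1 = patient care / life safety, larger = less critical
    rto_hours: float           # recovery time objective from the BIA
    rpo_hours: float           # recovery point objective from the BIA
    last_backup: datetime      # newest backup copy that survived the attack
    verified_clean: bool       # restore test passed AND malware scan clean
    est_restore_hours: float   # team's restore or rebuild estimate

def assess(s: System, incident_time: datetime) -> list[str]:
    """Answer the decision-table questions for one system; empty list = ready."""
    flags = []
    if not s.verified_clean:
        flags.append("backup not validated: rebuild from known-good media or validate first")
    data_loss = incident_time - s.last_backup
    if data_loss > timedelta(hours=s.rpo_hours):
        flags.append(f"RPO miss: {data_loss} of data loss exceeds {s.rpo_hours}h")
    if s.est_restore_hours > s.rto_hours:
        flags.append(f"RTO miss: {s.est_restore_hours}h restore exceeds {s.rto_hours}h, "
                     "keep the manual downtime procedure running")
    return flags

def restore_plan(systems, incident_time):
    """Order by critical-process priority, then tightest RTO; attach each system's flags."""
    ordered = sorted(systems, key=lambda s: (s.priority, s.rto_hours))
    return [(s.name, assess(s, incident_time)) for s in ordered]

# Constructed inventory for the scenario (illustrative values, not real data).
T0 = datetime(2024, 3, 4, 6, 0)
INVENTORY = [
    System("file-servers", 3, 24, 24, T0 - timedelta(hours=20), True, 12),
    System("scheduling-app", 1, 4, 1, T0 - timedelta(hours=3), False, 6),
    System("payroll", 2, 48, 24, T0 - timedelta(hours=12), True, 8),
    System("virtual-desktops", 3, 8, 24, T0 - timedelta(hours=30), True, 4),
]

if __name__ == "__main__":
    for name, flags in restore_plan(INVENTORY, T0):
        print(name, "->", flags or ["ready to restore"])
```

The scheduling application sorts to the top because of its patient-care priority, yet it is flagged three times, which is exactly the case where the incident commander keeps downtime procedures running and rebuilds rather than restoring an unvalidated backup.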
The pay-or-not-pay question is an executive risk decision, not a purely technical decision. It may involve legal restrictions, ethics, insurance, law enforcement guidance, ability to recover independently, credibility of the attacker, possible data release, and public trust. The security leader should present options and consequences. The leader should not promise that payment will restore systems or prevent disclosure.
Communications must be controlled and honest. Internal staff need instructions about downtime processes, suspicious emails, password changes, and who may speak externally. Customers, patients, regulators, partners, and media may need updates depending on facts and legal duties. Messages should avoid speculation. An update cadence helps reduce rumor and keeps leadership aligned.
Recovery should prioritize trustworthy service over fastest boot. Systems should be rebuilt from known-good media or restored from validated backups. Privileged credentials should be rotated. Service accounts should be reviewed. Vulnerabilities used in the attack should be fixed. Monitoring should be heightened during restoration. A phased return reduces the chance that one missed persistence mechanism compromises the rebuilt environment.
Ransomware Executive Action Register
- Name the incident commander and executive sponsor.
- Confirm safety, critical services, and manual downtime procedures.
- Preserve key evidence while containing active spread.
- Engage legal, privacy, communications, insurance, and law enforcement contacts as appropriate.
- Identify recovery priorities using RTO, RPO, dependencies, and business impact.
- Validate backups before restoration and monitor restored systems.
- Record major decisions, assumptions, owners, and timestamps.
- Conduct lessons learned and assign corrective actions.
After recovery, the organization should not treat the event as closed until root causes and control gaps are addressed. Improvements may include MFA expansion, endpoint hardening, segmentation, privileged access management, email security, vulnerability management, immutable backups, tabletop exercises, and access review. The CISSP view is that resilience is a governance outcome: the organization can absorb, respond, recover, and improve without losing sight of its obligations.
During a ransomware incident at a healthcare organization, what should guide the first major containment decisions?
Why is backup validation necessary before restoring systems after ransomware?
Who should own the decision about whether to pay a ransomware demand?