Multi Day Destructive Ransomware Exercise For a UK Bank

Beyond Blue delivered a two-day ransomware exercise as part of the client’s Operational Resilience Programme, focused on technical recovery from the scenario as well as business impact, recovery, and mitigation of customer harm. After the exercise, the team produced a report that identified a set of technical and operational recommendations, and a dedicated workstream within the wider Operational Resilience programme was set up to address them internally.

Context & Problem

As part of the client's Operational Resilience programme, Beyond Blue delivered a two-day ransomware exercise. The first day focused on the technical recovery from the scenario, whilst the second day focused on the business impact, business recovery, and the mitigation of customer harm. The scenario was a destructive ransomware attack that simulated the worst case for the client: Windows-based servers and endpoints were encrypted and required a rebuild.

Beyond Blue’s Approach

The Beyond Blue team worked with the client’s SMEs in the month leading up to the exercise to:

  • Define the objectives of the exercise
  • Tailor the scenario
  • Identify appropriate business and technology stakeholders from across the organisation
  • Prepare pre-briefing packs for all participants
  • Develop exercise decks for both sessions across the two days

The exercise was split across two days, facilitated by Beyond Blue Directors, so that each session's objectives and audience could stay focused and productive:

  • Day 1 - Technical Recovery: The first session focused on the end-to-end technical recovery of the client’s core foundational infrastructure, specifically the recovery order and dependencies of the applications and systems that supported the important business services.
  • Day 2 - Business Response: The second session focused on the recovery order of the client’s important business services, informed by the recovery order and timeline developed on the first day. The key objectives were to identify the financial impacts to the client, the impacts to customers and the possible customer treatment strategies that could be adopted during the recovery period.

Client Value

Following the exercise, the team produced a post-exercise report that identified a set of technical and operational recommendations. The team socialised the report with a range of senior stakeholders due to the range of recommendations identified across the two days. A dedicated workstream within the wider Operational Resilience programme was set up to address the recommendations detailed in the report. Some of the key areas of the newly established workstream included:

  • the introduction of a prioritised and logical recovery order for the critical foundational technology infrastructure, including the resolution of circular dependencies, which could have prevented the client from being able to recover from the most severe version of the scenario; 
  • the spin out of a new programme focused on introducing immutable backup and restore functionality for technology applications, including the adoption of a Vault; and 
  • increased technical testing to evidence the implementation of recommendations and increased confidence in the accuracy of scenario re-testing. 
