The risk of ransomware is no secret to any company. In 2020, roughly $350 million in ransom was paid to cybercriminals, a more than 300 percent increase from the previous year, according to data shared by the Department of Homeland Security in July.

It is with this modern threat environment in mind that Compliance Week case study author Aly McDevitt has taken a unique approach to her latest in-depth report. Her third case study offers a 360-degree view of a ransomware attack, from detection to containment to eradication to recovery. She concludes the report with lessons learned, providing readers ample opportunities for benchmarking their own cyber incident response programs along the way.

Unlike Aly’s acclaimed case studies featuring Carnival and Volkswagen, there is no one real-life subject at the center of her latest work. Instead, we learn through the eyes of the C-suite at Vulnerable Electric (VE), a fictional private utility company with close to 600 employees that generates about $250 million in annual revenue. When one of VE’s most dedicated employees falls victim to a social engineering hack, a malicious actor obtains the personal information of the company’s workers and demands $5 million in the form of Bitcoin not to publish it on the dark web. VE’s leadership team is faced with a series of tough choices to make on a 72-hour timeline, with each business concern and legal issue raised plausible and based on realistic cases.

The case study features insight from more than a dozen professionals, including a head of threat intelligence; a digital forensics examiner; a chief compliance officer of a management consulting firm; a CCO of an insurance company; two former agents of the Federal Bureau of Investigation’s Cyber Division; a former Department of Justice attorney; a chief information security officer; an information security expert; a strategic communications crisis manager; a chief communications and marketing officer; a cyberpsychologist; a line-level employee; and an ethical hacker.

Other supplementary research includes resources and guidance released by the Cybersecurity and Infrastructure Security Agency, the FBI, the DOJ, the American Public Power Association, and more.

As you read the case study and grasp the situation VE is facing, you’ll be prompted to choose whether to pay the ransom. From there, you’ll be presented with the gravity of your choice—one that real-life companies are forced to make all too often.

Further, compliance practitioners reading the case study can expect to learn multiple lessons specific to the profession, including the following:

  • What to advise employees to do when they are the victim of a cyberattack.
  • The role of the CCO and other C-suite members as part of a cyber incident response team.
  • The compliance implications of paying a ransom to a cybercriminal.
  • The benefits and pitfalls of cyber insurance and what might or might not be covered as a ransomware situation develops.

Aly’s ransomware case study is our most relatable yet. The crisis VE faces could happen to any company, and the way in which it is handled will prove educational to readers of all industries.

Read on—Chapter 1, Part 1: Betsy’s human error triggers ransomware crisis