Phase 1 Exercise Sample
Ransomware Infection on an Endpoint

Initial response decisions and Status Report preparation

Scenario
Following the facilitator material "E1-b: Understanding the Situation and Required Response," submit a Status Report. Discuss the situation and the necessary actions and countermeasures, and summarize the results in the "Status Report." For impact and severity, evaluate from the perspectives of customers, operations, and finance based on the "Business Risk Evaluation Criteria," and also consider organizational background and issues — not just technical causes — by referring to "Causes, Factors, Background, and Challenges." Note: there is no single correct answer for the Status Report. Consider what is necessary for each item and complete it accordingly.
CISO's Report

Incident Detail Report: Ransomware Infection on a WFH PC

0. Summary

1. System Overview (GanGan Service)

2. Incident Overview

3. Information Asset Impact Assessment

4. Damage Forecast and Risk Analysis

Impact on Customers / Partners

Impact on Our Organization

Anticipated Secondary Damage

5. Response Structure (RACI Chart)

6. External Response

A: Immediate / B: After Facts Confirmed / C: After Determination / D: Not Required / E: On Hold

7. External Notification / Reporting Plan

A: Immediate / B: After Facts Confirmed / C: After Determination / D: Not Required / E: On Hold

Mandatory Notifications

Business Partners / Users

Media / PR (Contact: Koya, CCO)

8. Financial Damage and Cost Forecast

9. Compliance and Social Impact

10. User Countermeasures (Workarounds)

Stakeholder Evaluation

Sasaki, Executive Managing Director & GanGan Division Head

2.1 Evaluation of the Report

The CISO's report presents an overly optimistic assessment that fundamentally misunderstands the severity and scope of this incident. While the report correctly identifies that the infected PC has been isolated and a replacement issued, it fails to recognize several critical risks inherent to the situation.

First, regarding discrepancies with the situation: the report states "no major issues identified at this stage," yet the facts clearly show that Employee A was working from home without VPN protection while maintaining synchronization with an online storage service. This is a significant point of vulnerability that the report glosses over. The ransomware infection occurred at 12:17, with notification at 12:30—a thirteen-minute window during which the attacker potentially had access to synchronized data.

The assessment is dangerously optimistic in multiple respects. The report categorizes business interruption impact as "C,u" (lowest severity, unknown probability) and financial loss as "L,o" (lowest severity, observed). This fundamentally underestimates risk. The GanGan service generates JPY 2 billion in annual revenue—any operational disruption or data compromise involving customer information could translate to significant financial exposure. The report provides no financial impact estimate beyond the ransom demand itself, which represents a critical analytical gap.

Regarding compliance obligations, the report dismisses notification to the Personal Information Protection Commission as "D: Not Required," yet the situation involves potential exposure of customer confidential information, including private chats. This determination appears premature without forensic confirmation of what data was accessed or exfiltrated.

The RACI structure is inadequate. PR/Communications is marked as "–" when reputational risk is clearly present. Legal/IP is marked as "–" despite potential regulatory obligations. The report lacks clarity on who is actually responsible for forensic investigation and damage assessment.

From a business perspective, I am concerned that this report does not address the revenue implications. If customer data has been compromised, we face potential customer churn, regulatory fines, and operational disruption that could directly impact our 20% revenue growth target. The ransom demand itself—JPY 90,000—is negligible compared to potential losses.

2.2 Instructions to Own Division

As GanGan Division Head, I am issuing the following directives:

To the GanGan Operations Team:

  1. Immediate Confirmation Items:
     • Obtain forensic analysis results within 24 hours regarding what data was accessed on Employee A's PC prior to infection
     • Confirm whether the online storage synchronization folder contained any customer data, authentication credentials, or internal systems documentation
     • Verify the scope of what was synced and whether any data was exfiltrated before the ransom screen appeared

  2. Damage Prevention Instructions:
     • Audit all remote workers currently using online storage services without VPN protection; identify similar exposure points
     • Do not pay the ransom under any circumstances without explicit authorization from executive management
     • Ensure all customer-facing systems (GanGan service frontend, payment systems, customer databases) continue normal operation

  3. Reporting Requirements:
     • Provide daily status updates to my office until forensic analysis is complete
     • Escalate any findings indicating customer data compromise immediately to CFO Shimomura and CISO

Himuro, Security & Risk Consultant

2.1 Evaluation of the Report

I must provide a comprehensive assessment of this report, as it contains multiple critical deficiencies that place the organization at substantial risk. While I commend the CISO for prompt isolation of the infected endpoint and issuance of a replacement, the overall incident response strategy reflects insufficient understanding of modern ransomware threats and applicable legal obligations.

Critical Deficiencies:

  1. Inadequate Risk Assessment: The report characterizes the incident as "no major issues identified at this stage," which fundamentally misunderstands the threat landscape. According to the Handa Hospital incident report, ransomware attackers conduct extensive reconnaissance and lateral movement before deploying encryption. The 13-minute window between infection and reporting is sufficient for an attacker to establish persistence, steal credentials, and prepare for network-wide deployment. The report provides no analysis of this scenario.

  2. Online Storage Synchronization Risk: The report mentions that Employee A's PC was synced to online storage but provides minimal risk analysis. This is a critical vulnerability. In the Osaka Acute Care Medical Center incident, attackers leveraged weak credentials on peripheral systems (in that case, the food service contractor's server) to gain access to core systems. Similarly, if Employee A's online storage account credentials were compromised, or if the synchronized folder contained sensitive data, the attacker could exfiltrate customer information or internal credentials without triggering traditional network-based detection.

  3. Incomplete Forensic Scope: The report states "awaiting forensic results" without specifying what forensic analysis will examine. According to the Handa Hospital technical report, proper ransomware forensics must examine: (a) the timeline of malware execution and lateral movement; (b) the scope of privilege escalation; (c) evidence of data exfiltration; (d) the attacker's persistence mechanisms; and (e) the attack vector (email, RDP, supply chain compromise). The current plan appears to focus only on endpoint cleanup.

  4. Premature Downplaying of Compliance Obligations: The report marks notification to the Personal Information Protection Commission as "D: Not Required" without forensic evidence to support this determination. If customer private chat data or payment information was accessed, notification may be mandatory under the Personal Information Protection Act. According to ISO/IEC 27035, incident classification should be based on potential impact, not confirmed impact. The report should classify this as a potential personal data breach pending forensic confirmation.

  5. Inadequate RACI Structure: The report omits critical stakeholders:
     • PR/Communications should be engaged to prepare messaging in case of customer notification
     • Legal/IP should assess regulatory obligations and potential liability
     • Security Consultant (myself) should be engaged for threat assessment and response strategy
     • External Forensic Firm should be considered given the complexity of the investigation

Analysis of Stakeholder Comments:

  • Sasaki's Concern: Executive Managing Director Sasaki correctly identifies that the report lacks financial impact analysis and underestimates the revenue implications of a customer data breach. His point that "JPY 90,000 is negligible compared to potential losses" is accurate.

  • Shimomura's Concern: CFO Shimomura correctly identifies that the financial damage forecast is incomplete and that legal compliance assessment is inadequate. His experience as IT company president provides valuable perspective that incident response costs typically exceed ransom amounts by 10-100x.

  • Yano's Concern: CIO Yano appropriately requests technical detail on ransomware variant, encryption strength, and forensic methodology. His emphasis on maintaining GanGan service availability is appropriate.

  • Aoshima's Concern: Head of System Operations Aoshima correctly identifies that the risk assessment may be understated and that forensic investigation plans lack clarity. His concern about lateral movement potential is well-founded.

2.2 Instructions to Each Stakeholder

Based on my analysis, I must communicate specific actions required from each stakeholder to properly manage this incident:

To Executive Managing Director Sasaki:

You are correct to identify the financial risk exposure. I recommend:

  1. Authorize engagement of an external forensic investigation firm immediately (cost: approximately JPY 2-5 million for comprehensive analysis)
  2. Authorize engagement of external legal counsel to assess regulatory notification obligations (cost: approximately JPY 500,000-1 million)
  3. Prepare financial scenarios for potential customer data breach, including notification costs, regulatory fines (potentially JPY 100 million+ under the Personal Information Protection Act), and customer churn impact
  4. Do not authorize ransom payment without explicit legal and security assessment; according to the Handa Hospital report, ransom payment does not guarantee data recovery and may fund future attacks

To CFO Shimomura:

Your legal and financial assessment is essential. I recommend:

  1. Immediately engage external legal counsel specializing in data protection to prepare a memorandum on Personal Information Protection Act notification requirements
  2. Contact cyber insurance carrier to report the incident and assess coverage for forensic investigation (typically covered), legal defense (typically covered), and potential liability claims (coverage varies)
  3. Establish a cost tracking system for all incident response expenses
  4. Prepare financial impact models for three scenarios: (a) no data compromise; (b) data accessed but not exfiltrated; (c) data exfiltrated
  5. Assess potential regulatory fines: under the Personal Information Protection Act, fines can reach JPY 100 million for organizations that fail to notify the Commission of personal data breaches

To CIO Yano:

Your technical direction is critical. I recommend:

  1. Immediately engage an external forensic investigation firm with expertise in ransomware analysis (firms such as Mandiant, CrowdStrike, or Japanese equivalents)
  2. Preserve all forensic evidence on the infected PC; do not attempt recovery or cleanup
  3. Conduct a comprehensive audit of all remote worker endpoints to identify others using online storage synchronization without VPN protection
  4. Prepare a technical assessment of whether the GanGan service infrastructure could be accessed through Employee A's credentials or the online storage account
  5. Within 48 hours, obtain detailed forensic results including: ransomware variant, encryption algorithm, file access logs, network connections, and timeline of attacker activity

To Head of System Operations Aoshima:

Your operational perspective is essential for service continuity. I recommend:

  1. Verify the integrity of all backup systems; confirm they are isolated from the infected endpoint
  2. Audit all system logs for the 24-hour period before detection to identify any lateral movement or credential theft
  3. Prepare contingency plans for potential service restoration in case forensic investigation reveals widespread compromise
  4. Maintain normal GanGan service availability; do not perform risky maintenance during the investigation
  5. Escalate any findings of additional infected systems or lateral movement immediately to the CISO and executive management

To All Executives (Sasaki, Shimomura, Yano, Aoshima):

According to ISO/IEC 27035 and NIST SP 800-61 Rev. 2, incident response requires coordination across multiple functions. I recommend:

  1. Establish an Incident Command Structure with clear authority and responsibility
  2. Conduct daily incident response coordination meetings (recommend 9:00 AM and 4:00 PM)
  3. Do not communicate with the attacker or pay the ransom without explicit authorization from executive leadership and legal counsel
  4. Prepare for potential customer notification if forensic investigation confirms data compromise
  5. Document all incident response decisions and their rationale for post-incident review

Critical Gap Identification:

The CISO's report fails to adequately address several essential elements of incident response:

  1. Threat Intelligence: No assessment of the ransomware variant's known characteristics, decryption key availability, or attacker profile
  2. Incident Classification: The report should classify this as a "Potential Personal Data Breach" pending forensic confirmation, not downplay the risk
  3. External Engagement: No recommendation for external forensic firm, legal counsel, or security expertise
  4. Communication Strategy: No plan for potential customer notification or media response
  5. Recovery Strategy: No clear plan for data recovery, system restoration, or business continuity

2.3 Requests to the CISO

As Security & Risk Consultant, I must request that you, the CISO, take the following actions:

  1. Immediately Engage External Expertise:
     • Retain a forensic investigation firm with ransomware expertise to conduct comprehensive analysis within 48 hours
     • Retain external legal counsel to assess Personal Information Protection Act notification obligations
     • Provide me with daily briefings on forensic findings and legal assessments

  2. Revise Incident Classification:
     • Reclassify this incident from "no major issues" to "Potential Personal Data Breach – High Priority"
     • Prepare incident response plan based on assumption that data may have been exfiltrated until forensic investigation proves otherwise

  3. Expand RACI Structure:
     • Add PR/Communications, Legal/IP, and Security Consultant to the response structure
     • Clarify roles and responsibilities for each stakeholder
     • Establish incident command structure with clear authority chain

  4. Prepare for Regulatory Notification:
     • Prepare draft notification to Personal Information Protection Commission (to be finalized based on forensic results)
     • Prepare draft notification to affected customers (if data compromise is confirmed)
     • Prepare draft police report (if data exfiltration is confirmed)

  5. Establish Financial Controls:
     • Authorize budget for external forensic investigation (estimated JPY 2-5 million)
     • Authorize budget for external legal counsel (estimated JPY 500,000-1 million)
     • Establish cost tracking system for all incident response expenses

  6. Provide Executive Leadership:
     • Brief Executive Managing Director Sasaki daily on incident status and financial implications
     • Prepare financial impact scenarios for CFO Shimomura
     • Coordinate with CIO Yano on technical response strategy
     • Support Head of System Operations Aoshima with clear operational directives

In conclusion, while the initial response (isolating the infected PC and issuing a replacement) was appropriate, the overall incident response strategy requires significant enhancement to address the potential severity of this incident, the applicable legal obligations, and the financial risk exposure. According to NIST Cybersecurity Framework and COSO ERM principles, organizations must respond to potential incidents with a level of rigor proportional to their potential impact—not their confirmed impact. This incident involves potential compromise of customer data for a service generating JPY 2 billion in annual revenue, which justifies comprehensive forensic investigation, legal assessment, and executive oversight.
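The scoping check behind Sasaki's "verify the scope of what was synced" directive and Himuro's online-storage point, as an added example that is not part of the exercise material or either stakeholder's report: a triage of a desktop sync agent's activity log against the scenario's 12:17 infection and 12:30 notification times, separating what customer data already sat in the cloud folder before infection from which cloud copies the encryption overwrote or removed before isolation. The log lines, the date, the folder layout and the ".locked" extension are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample of a sync agent's activity log (not from the page); the date is
# invented and the times are aligned with the scenario (infection 12:17, notified 12:30).
SYNC_LOG = """\
2024-06-03 11:58:04 UPLOAD /Sync/Projects/gangan-roadmap.pptx
2024-06-03 12:05:41 UPLOAD /Sync/Customers/chat-export-2024-05.csv
2024-06-03 12:18:10 UPLOAD /Sync/Customers/chat-export-2024-05.csv.locked
2024-06-03 12:18:12 DELETE /Sync/Customers/chat-export-2024-05.csv
2024-06-03 12:19:33 UPLOAD /Sync/Customers/README-RECOVER.txt
2024-06-03 12:21:07 UPLOAD /Sync/Projects/gangan-roadmap.pptx.locked
2024-06-03 12:40:00 UPLOAD /Sync/Projects/notes.txt
"""

SENSITIVE_PREFIXES = ("/Sync/Customers/",)  # assumed location of customer data
ENCRYPTED_SUFFIX = ".locked"                # assumed extension the sample ransomware appends

def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM:SS ACTION PATH' lines into (datetime, action, path)."""
    events = []
    for line in text.splitlines():
        date, time, action, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(f"{date} {time}"), action, path))
    return events

def triage(events, infected_at, isolated_at):
    """Answer two scoping questions: which sensitive files were already in the cloud
    folder before infection (exposure if the account is compromised), and which cloud
    copies were replaced or deleted between infection and isolation (version rollback)."""
    exposed_before = sorted({p for ts, a, p in events
                             if a == "UPLOAD" and ts < infected_at
                             and p.startswith(SENSITIVE_PREFIXES)})
    in_window = [(ts, a, p) for ts, a, p in events if infected_at <= ts <= isolated_at]
    encrypted = sorted({p[:-len(ENCRYPTED_SUFFIX)] for _, a, p in in_window
                        if a == "UPLOAD" and p.endswith(ENCRYPTED_SUFFIX)})
    deleted = sorted({p for _, a, p in in_window if a == "DELETE"})
    return {"exposed_before_infection": exposed_before, "encrypted_in_window": encrypted,
            "deleted_in_window": deleted, "events_in_window": len(in_window)}

def run_sample():
    """Run the triage over the constructed log with the scenario's timestamps."""
    return triage(parse_log(SYNC_LOG), datetime(2024, 6, 3, 12, 17), datetime(2024, 6, 3, 12, 30))

if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Files listed under exposed_before_infection are the ones a forensic scope must cover regardless of encryption; encrypted_in_window and deleted_in_window are the cloud objects to restore from the storage service's version history once the endpoint is confirmed clean.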


END OF STAKEHOLDER EVALUATIONS