[TRITLA] Ransomware Response Plan Template

Gary Steeley gsteeley at ptrc.org
Fri Jun 21 09:34:10 EDT 2019


Same here.

Gary Steeley, CGCIO
Piedmont Triad Regional Council
336.904.0300 | www.ptrc.org

From: Kevin Taylor <ktaylor at edennc.us>
Sent: Friday, June 21, 2019 9:33 AM
To: Triad Regional IT Leadership Group <tritlg at listserv.toknc.com>
Subject: Re: [TRITLA] Ransomware Response Plan Template

Check your cyberinsurance policy. Ours provides counsel and remediation services as part of the policy.

Thanks,

Kevin Taylor, CGCIO
Director of Information Technology
City of Eden
336-612-3793 office
336-613-8341 cell


From: Nickles, Jane <Jane.Nickles at greensboro-nc.gov>
Sent: Thursday, June 20, 2019 10:42 AM
To: Triad Regional IT Leadership Group <tritlg at listserv.toknc.com>
Subject: Re: [TRITLA] Ransomware Response Plan Template

This is a great template, Randy! We have more detail about recovering systems and services in our DR plan, but I really like the way you have the roles and responsibilities detailed for each phase.

As far as pay vs no pay threshold – it would probably be a combination of insurance coverage limit, severity of the attack, time to recover, and Mayor/City Manager decision to pay or not.

Just saw this one today:  https://www.cnn.com/2019/06/20/us/riviera-beach-to-pay-hacker/index.html

Another thing for everyone to consider is if you think you might contract for services to help get things back up – go ahead and get contracts in place now! This includes legal counsel.

Thanks for sharing!

Jane Nickles, CIO
Information Technology Department
City of Greensboro
Phone: 336-373-2490
PO Box 3136, Greensboro, NC 27402-3136
www.greensboro-nc.gov


From: Cress, Randy J. <randy.cress at rowancountync.gov>
Sent: Monday, June 17, 2019 6:23 AM
To: Triad Regional IT Leadership Group <tritlg at listserv.toknc.com>
Subject: Re: [TRITLA] Ransomware Response Plan Template

Jane, you have a great one-pager and it has all of the needed contact info. One question I have is about the decision tree for bitcoin payment: is this just for formality, or does your management actually have a threshold where a decision to pay would be considered?

Please find the attached state IRP; I’m working on getting the runbooks as well for re-distribution.

Thanks,

Randy J. Cress | Chief Information Officer
Rowan County Information Technology
130 West Innes Street, Salisbury, NC 28144
[p] 704-216-8116   [c] 704-245-8640
www.rowancountync.gov





From: "Jane Nickles, PMP, ITIL, CGCIO" <Jane.Nickles at greensboro-nc.gov>
Reply-To: Triad Regional IT Leadership Group <tritlg at listserv.toknc.com>
Date: Thursday, June 13, 2019 at 3:52 PM
To: Triad Regional IT Leadership Group <tritlg at listserv.toknc.com>
Subject: Re: [TRITLA] Ransomware Response Plan Template

Gary,

This is what we have on Cyber Response.   If we have to restore systems we would initiate our Disaster Recovery Plan.

Jane Nickles, CIO
Information Technology Department
City of Greensboro
Phone: 336-373-2490
PO Box 3136, Greensboro, NC 27402-3136
www.greensboro-nc.gov


From: Gary Steeley <gsteeley at ptrc.org>
Sent: Wednesday, June 12, 2019 7:03 AM
To: Triad Regional IT Leadership Group <tritlg at listserv.toknc.com>
Subject: [TRITLA] Ransomware Response Plan Template

I hope everyone is doing well. I’m working on my response plan to a ransomware attack and was wondering if someone had a template they would share.

Thanks.

Gary

Gary Steeley,  CGCIO
Information Technology Manager
Piedmont Triad Regional Council
1398 Carrollton Crossing Drive | Kernersville, NC 27284
Phone:  336.904.0300 | Fax:  336.904.0301
gsteeley at ptrc.org | www.ptrc.org
