Part of:

How Should Businesses Respond to a Ransomware Attack?


Ransomware can devastate a company, but maintaining backups and educating your employees can make a huge difference.

Ransomware continues to plague enterprises around the world, which is prompting many organizations to shore up their digital defenses with state-of-the-art security software and increasingly complex networking and storage architectures.

But most security experts warn that protecting data is only half the battle, and an increasingly marginal one at that given the sophistication of emerging threats, many of which are backed by state-sponsored entities with access to cutting-edge tools like artificial intelligence and quantum computing. Equally important as a strong defense is a strong recovery operation that can quickly restore systems and re-establish trust among customers, partners and other stakeholders.

According to NetDiligence, the average ransomware event hits small businesses with about $150,000 in direct costs, plus another $261,000 in lost income. For larger organizations, these numbers can jump into the millions, in many cases exacerbated by regulatory fines and civil penalties that inevitably follow an attack. (Read also: The Top 5 Cyber Threats from 2020.)

Ransomware Attack Response

These ramifications are why enterprises of all sizes and across all business sectors need to establish an incident response plan (IRP). Not only should this cover the ways to protect critical systems and data, but the myriad steps that must be taken to minimize damage and restore normal operating conditions as quickly as possible. These plans often require careful coordination among multiple entities, which is why the correct procedures need to be worked out ahead of time rather than cobbled together ad hoc in the midst of a crisis.

Ransomware Recovery

Fortunately, there is no shortage of advice as to what to do once a ransomware attack is underway, and by and large most of these recommendations are in sync. The Cyber Readiness Institute recently updated its Ransomware Playbook to adapt to changing tactics and technologies on the part of cybercriminals. Its three-pronged approach of Prepare-Respond-Recover provides a checklist of steps to take both before and after an attack.

In the prepare portion of the plan, there is a raft of recommendations regarding data storage and backup, along with prioritization, protection and other actions. But it is the Respond and Recover sections where things get a bit more complicated.


The response, after all, must be implemented as quickly as possible and across a broad array of systems and personnel. The initial assessment of the threat must determine if it is real or a hoax, for example. If real, it then leads to additional determinations as to the extent of the breach, including:

  • What systems are affected?
  • What is the nature of the data at risk?
  • Can the affected environment be restored, and to what extent?

Ultimately, the enterprise may have to make a determination as to whether it should simply pay the ransom – taking into consideration the future repercussions of this, such as the chances of additional attacks – or perhaps rely on insurance companies to make good on the loss.

Once the attack has been neutralized, the recover phase kicks in, which will also involve a thorough assessment as to the vulnerabilities that were exploited, the impact on business operations, the steps to return to business as usual and any and all changes to policy, organization, reporting and other factors needed to heighten protection and awareness in the future. (Read also: The Best Way to Combat Ransomware Attacks in 2021.)

NIST Framework for Dealing with Ransomware

The National Institute of Standards and Technology (NIST) has a similar framework for dealing with ransomware. They have developed a four step outline applicable for both on-premises and Cloud-based scenarios. The four phases are:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity

How Should Companies Respond to Ransomware?

It is also important to keep in mind that you are not alone in your fight against ransomware, says Sharon Shea of IT analytics firm H-11 Digital Forensics. In the U.S., agencies like the FBI, the Internet Crime Complaint Center and the Multi-State Information Sharing and Analysis Center provide a wealth of tools and guidance to both combat ransomware and help victims through the various stages of recovery.

As well, private companies exist across the globe who specialize in combating ransomware and other forms of cybercrime. While many organizations are loath to bring in outsiders to what is considered a private, internal matter, in many cases government regulations require reporting of significant breaches, so there is not much downside to bringing in the authorities after a significant event. All will eventually be revealed, one way or another.

Even for smaller attacks, information-sharing can be one of the most effective tools to combating cybercrime, provided this can be done without compromising user data or other protected information. (Read also: Data Breach Notification: The Regulatory Environment.)

Perhaps the worst thing to do in the event of a ransomware attack is panic, says risk management consulting firm Marsh LLC. Panic often leads to paralysis in complex organizations, and paralysis produces the worst outcomes.

The best way to avoid this is with adequate preparation, with key players knowing exactly what to do when a ransom message is received. In most cases, this will require rapid coordination between multiple stakeholders, including IT, legal, communications, policy and finance, so it is worth putting in the effort ahead of time to ensure that a clear flow of information and responsibility determination is in place. At the same time, beware of becoming too rigid regarding the plan as written. Every attack is likely to be different, requiring different actions at key points in the response and recovery phases.

Final Thoughts

Thwarting attempted ransomware attacks will continue to be a top priorities for the enterprise going forward.

Having an infrastructure in place that has been designed with security at its core, incorporating strategies such as:

  • Hardened Operating systems.
  • Strategic defenses in place, such as EndPoint protection against ransomware.
  • Email protection against phishing emails.
  • Perimeter defenses such as Intrusion Detection and Intrusion Protection Systems.
  • Behavioral Analytics to detect and protect file storage systems.
  • Event-driven security protection that acts automatically to protect, following policy-based detection.
  • Least privilege access management for all users across the enterprise, including zero access to data that you don’t need to see.

These are all part of a layered defense that either stops ransomware from encrypting data altogether or limits the damage to which its reach can extend – in other words limiting the damage potential, isolating its impact. In addition, if you don’t possess the required skill to implement any of these protections, seek help. This is all part of a solid Preparation phase that is vital if you want to avoid a Ransomware attack and to protect your bottom line and priceless reputation.

But increasingly, victory over this and other forms of cybercrime will come down to how well you respond and recover, not how strong you build your digital castle.

As with any other form of crime, the best way to overcome ransomware is to take away the means to profit from it.


Related Reading

Related Terms