Ransomware Response: Best Practices for Businesses

Becoming the target of a ransomware attack is something no organization likes to think about, but it’s increasing likely for many firms. According to Statista, almost three-quarters of businesses (72.7 percent) were affected by ransomware last year.

This means it’s essential for every company to make a ransomware response plan a key part of its cybersecurity strategy. While ransomware prevention tools to stop attacks in the first place are the best way to deal with the threat, ensuring there are contingencies to fall back on should first lines of defense fail is a must for keeping businesses safe.

The most important factor in an effective ransomware response is to have a clear plan for what to do and what everyone’s responsibilities are. This needs to be carefully drafted and tested long before any incident occurs to ensure it will be effective, and no time is wasted determining next steps if a ransomware attack knocks out critical systems or applications.

A much-cited report from Gartner once put the cost of unplanned downtime at around $5,600 a minute. However, this is now outdated as firms have become far more dependent on digital information and systems. A more recent study by BigPanda estimates that in 2024, the true cost is actually $14,056 per minute. Therefore, if critical data has been encrypted or destroyed by ransomware, even a short delay in recovering assets could quickly become hugely expensive.

Having a ransomware response plan to refer to can minimize these issues and ensure business continuity. A good plan should include the following:

• Steps to identify the ransomware and the scope of the attack
• Details on how to isolate affected systems
• Procedures for restoring data from backups
• Any reporting requirements
• How to outline any lessons learned to prevent future attacks

It’s also important to ensure that all employees are fully trained on how to implement this plan and documentation should not simply be stored away and forgotten about until needed. As well as ensuring IT staff are familiar with procedures, regular testing can help identify any gaps in the plan and where updates need to be made in order to effectively protect against ransomware.

A ransomware incident response plan can be divided into two halves – the immediate response to contain the threat and longer-term measures to aid with recovery and harden defenses against future attacks.

Whether an infection is discovered through internal monitoring systems or receiving a ransom note, the first stage must aim to minimize the impact of the attack. This means shutting down access to data, isolating infected systems and notifying IT and cybersecurity specialists swiftly so they can put the plan into action.

The US Cybersecurity and Infrastructure Security Agency (CISA) recommends the following essential steps to ensure ransomware is contained as early as possible:

• Prioritize isolating critical systems that are essential to daily operations.
• If multiple systems are infected, take the network offline at the switch level. This is because it may not be practical to disconnect systems individually.
• If it is not possible to take the network temporarily offline, unplug affected devices from network cables or remove them from Wi-Fi.

It can be tempting to simply switch off affected systems, but CISA recommends this only if it is not possible to disconnect them from the network. This is because if devices are powered down, it will prevent firms from maintaining ransomware infection artifacts and potential evidence stored in volatile memory. 

There are a number of tools that businesses can turn to in order to assist with ransomware response and recovery. These include automated backups and data restoration solutions, threat hunting software that can analyze the network for any remaining malware and monitoring technology that can block any attempts to exfiltrate data from a network for use in future extortion attempts.

Some of the key solutions that can assist with ransomware detection and response include:

• Endpoint detection and response
• Intrusion detection and prevention systems
• Antimalware
• Email security
• Firewalls
• Threat hunting technology
• Automated backup and recovery tools
• Anti data exfiltration

One of the most important parts of any response is having effective backup and ransomware recovery tools. However, to make the most of these, it’s important to plan ahead. It won’t be feasible to back up entire data assets on a daily or hourly basis, so it’s important for firms to conduct a thorough audit of their data and prioritize it accordingly, with the most mission-critical assets backed up multiple times a day, or even protected using continuous backup, which creates a new record every time a change is made.

Naturally, it’s important that backups are isolated from the rest of the network to avoid becoming infected themselves. Indeed, some ransomware variants aim to specifically target these resources in order to prevent them being used and apply more pressure for a ransom to be paid. They often do this by remaining dormant until the backups are needed, so it’s vital firms have good intrusion prevention and detection systems to spot these threats early.

If data can’t be restored from backups, there are limited options available. If information has been encrypted by cybercriminals who are demanding a ransom in exchange for decryption keys, organizations may be able to turn to commercial decryption solutions or law enforcement agencies that may have already cracked the malware. However, this is far from guaranteed, and if data has also been exfiltrated, there will be little firms can do to retrieve this other than paying the ransom, which is something that firms are strongly advised not to do.

Once an infection is contained and systems are restored to operation, it’s time to pay attention to any legal obligations to report ransomware, especially if sensitive personal data was compromised in the attack. Privacy rules such as GDPR have strict reporting requirements for these scenarios, with organizations usually mandated to inform their local regulator within 72 hours.

Some firms may worry about the potential reputational impact of publicizing a data breach, but the consequences of not doing so can be significant, with large penalties on the table for non-compliance. Therefore, processes for how to do this must be a part of a ransomware response plan. 

Partial solutions are not enough. It is only by having a comprehensive strategy that incorporates all the above elements that businesses stand a chance of recovering from a ransomware attack quickly and keeping any damage to a minimum.