Ransomware is a type of malware designed to disrupt and damage an organization. It exfiltrates and encrypts a company's sensitive data, putting the business at risk of losing customers, incurring legal or regulatory penalties, and suffering reputational damage. In 2024, 59% of organizations were hit by ransomware attacks, with high-profile incidents like the Mother of All Breaches. Businesses must be prepared with practical strategies for handling ransomware attacks to minimize the impact on their operations and protect their valuable assets.
In this article, we will discuss how companies should handle ransomware threats so they can mitigate the risks associated with such attacks.
How should a company handle ransomware?
Successfully handling a ransomware attack requires a comprehensive approach that combines prevention, rapid response, and strategic recovery. Organizations must maintain an updated incident response plan (IRP) and ensure all stakeholders understand their roles in preventing and responding to attacks.
Immediate response protocol
To mitigate ransomware attacks, the first step is to apply your incident response plan or reach out to your incident response retainer. This should include detailed instructions on the steps the incident response team must take when they detect suspicious activity. It also establishes who to contact within the organization if an incident requires immediate attention.
After the ransomware is discovered, you must take the following steps:
1. Isolation and containment
Disconnect infected systems from the network immediately and disable wireless connections. Make sure to document all actions taken.
2. Assessment and documentation
Identify compromised systems and document the scope of the attack. Preserve evidence for investigation and create an incident timeline.
Technical response steps
Once you have determined that the ransomware is contained, you can remove it and start the recovery process. First, you must identify which ransomware strain infected your systems and whether a free decryptor exists for it (you can check the NoMoreRansom portal). You can use a free ransomware ID tool to determine the strain.
While assessing the scope of the attack, you must analyze how much data has been encrypted or stolen and determine what needs to be done to recover lost data. For this, you can request a ransomware forensics service. Specialists like Proven Data offer 24/7 forensic analysis. Once you learn where your company stands, you can begin taking steps to contain further damage and protect your digital assets. Take the following steps:
1. Systems analysis
Determine ransomware variants and assess encryption spread. Check data exfiltration risk. Identify attack vectors.
2. Recovery preparation
Verify backup integrity and prepare clean systems for recovery. You can also test decryption tools if they are available. Start the planned restoration sequence.
3. System restoration
Deploy anti-malware solutions. Reset all system passwords and verify system integrity.
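The two technical checks above that lend themselves to automation are assessing encryption spread (step 1, and the scope assessment in the immediate response) and verifying backup integrity before restoring (step 2). The following script is an added example, not code from the original article or from Proven Data: it flags likely-encrypted files by suspicious extension, ransom-note filename, or high byte entropy, and it verifies a backup tree against a SHA-256 manifest taken at backup time. The extension list, note names, and entropy threshold are constructed placeholders; a real IRP would populate them from the ransomware ID tool or NoMoreRansom lookup for the identified strain.

```python
"""Ransomware triage helpers: estimate encryption spread and verify backups.

Added example, not from the original article. All indicator values are
constructed for illustration and are not tied to any real ransomware family.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed indicators (assumption: populated per strain in a real IRP).
SUSPECT_EXTENSIONS = {".locked", ".enc", ".crypted"}
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_restore.txt"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits near 8.0, text near 4-5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_size: int = 4096) -> str:
    """Return 'ransom_note', 'encrypted', or 'clean' for one file."""
    if path.name.lower() in RANSOM_NOTE_NAMES:
        return "ransom_note"
    if path.suffix.lower() in SUSPECT_EXTENSIONS:
        return "encrypted"
    with path.open("rb") as fh:
        sample = fh.read(sample_size)
    # Tiny files give an unstable entropy estimate, so only judge >= 256 bytes.
    if len(sample) >= 256 and shannon_entropy(sample) > ENTROPY_THRESHOLD:
        return "encrypted"
    return "clean"


def assess_spread(root: Path) -> dict:
    """Walk a tree and count files per class to estimate how far encryption spread."""
    counts = Counter(classify_file(p) for p in root.rglob("*") if p.is_file())
    total = sum(counts.values())
    return {
        "clean": counts["clean"],
        "encrypted": counts["encrypted"],
        "ransom_note": counts["ransom_note"],
        "total": total,
        "encrypted_ratio": counts["encrypted"] / total if total else 0.0,
    }


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_root: Path, manifest: Path) -> None:
    """Record relative path -> SHA-256 for every file; store this offline."""
    entries = {str(p.relative_to(backup_root)): sha256_file(p)
               for p in backup_root.rglob("*") if p.is_file()}
    manifest.write_text(json.dumps(entries, indent=2, sort_keys=True))


def verify_backup(backup_root: Path, manifest: Path) -> dict:
    """Compare the backup tree to the manifest; list modified and missing files."""
    expected = json.loads(manifest.read_text())
    report = {"modified": [], "missing": []}
    for rel, digest in expected.items():
        p = backup_root / rel
        if not p.exists():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["modified"].append(rel)
    report["ok"] = not report["modified"] and not report["missing"]
    return report


def demo() -> dict:
    """Run both checks on a constructed scenario in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        share = tmp / "fileshare"
        share.mkdir()
        (share / "report.docx.locked").write_bytes(os.urandom(2048))  # renamed + encrypted
        (share / "archive.bin").write_bytes(os.urandom(2048))         # encrypted, name kept
        (share / "notes.txt").write_text("quarterly planning notes\n" * 40)  # untouched text
        (share / "README_TO_DECRYPT.txt").write_text("your files are encrypted")
        spread = assess_spread(share)

        backup = tmp / "backup"
        backup.mkdir()
        (backup / "db.sql").write_text("CREATE TABLE customers (id INT);\n")
        (backup / "config.yml").write_text("retention_days: 30\n")
        manifest = tmp / "backup.manifest.json"
        write_manifest(backup, manifest)            # taken when the backup was made
        before = verify_backup(backup, manifest)
        (backup / "config.yml").write_bytes(os.urandom(64))  # simulate tampering
        after = verify_backup(backup, manifest)
    return {"spread": spread, "backup_before": before, "backup_after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The entropy check catches files the attacker encrypted in place without renaming them, which an extension-only scan would miss; the manifest check only proves anything if the manifest was written at backup time and kept where the attacker could not reach it, which is why it belongs with the offline backup rather than on the file server.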
Stakeholder communication
Organizations must also establish protocols for communicating with internal stakeholders and external entities such as law enforcement agencies, legal counsel, and insurance companies.
It is also imperative to be aware of any changes in state laws on cybersecurity issues. This includes breach notification requirements and penalties for failure to follow these regulations. Companies should consult with qualified legal professionals to ensure they comply with all relevant cybersecurity laws.
Make sure all the personnel and stakeholders are aware of the attack. The communication should follow a specific order predetermined in the IRP.
Internal communication
Internal stakeholders are individuals or groups within an organization who have a direct interest in its operations and success. Examples of internal stakeholders include employees, managers, and business owners or shareholders who invest in the company.
After any incident, you must alert internal stakeholders to ensure everyone can take pre-established steps to contain the damage.
- Brief executive leadership
- Update affected employees
- Coordinate with IT teams
- Document all communications
External communication
External stakeholders are individuals or groups outside the organization. While they do not participate in daily operations, their actions and opinions can significantly influence the organization. Examples include customers, suppliers, and regulatory bodies.
It’s critical to inform external stakeholders of cyber incidents to ensure transparency and to seek assistance if necessary.
- Notify law enforcement
- Contact insurance providers (if applicable)
- Alert affected customers
- Inform regulatory bodies
- Engage legal counsel
The cost of ransomware
The cost of ransomware to businesses goes beyond financial loss. After the attack, your business's reputation can suffer. At the same time, downtime can prevent new customers or users from accessing your site to buy or subscribe to your services.
The consequences of a ransomware attack extend far beyond the immediate operational disruption:
- Direct financial losses from business interruption
- Regulatory compliance violations and potential fines
- Legal liabilities and litigation costs
- Reputational damage affecting customer trust
- Supply chain disruptions
- Long-term customer relationship impacts
Equifax is a good example of the cost of ransomware to companies. In 2012, the multinational suffered a massive data breach that affected nearly 150 million individuals due to an unpatched vulnerability in its Apache Struts framework. The company neglected to address this vulnerability despite a patch being available months prior.
Furthermore, Equifax delayed notifying the public about the breach for weeks after its discovery. Because of its failure to secure its network adequately, the credit agency reached a settlement in July 2019, agreeing to pay at least $575 million—potentially rising to $700 million—to the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories.
Preventing ransomware
The first step to prevent ransomware attacks is to ensure that systems and networks are regularly updated with the latest security patches and antivirus software.
Additionally, companies should restrict user access privileges to reduce the chances of malicious actors gaining access to sensitive data.
Finally, companies need to train their staff on proper security practices. This includes not opening suspicious attachments or clicking on malicious links, which can lead to ransomware infection.
Ransomware data recovery
Paying the ransom is not recommended as it only encourages cybercriminals to target other organizations. The FBI also advises against paying, as it does not guarantee data recovery and may fund further criminal activity.
Instead, companies should focus on restoring their systems from backup files or contacting specialized ransomware recovery services. Companies must also ensure that they have solid security protocols in place to prevent future ransomware attacks. These protocols should include rigorous password protection policies, secure file access permissions, and regular vulnerability scans of their network infrastructure.