How to Deal with a Ransomware Attack

Published on
April 30, 2023
Hailey Carlson

The average cost of a ransomware attack in 2022 was $4.54M, according to the IBM Cost of a Data Breach 2022 Report. These brutal attacks – which involve malicious actors gaining illicit access to a company’s data, encrypting it, and holding the decryption tool for ransom until the company pays up – hit any and all businesses without regard for their size, product, or target customer base. There are two approaches to dealing with a ransomware attack: preventative and responsive. The preferred way of handling an attack is to prevent it from ever happening in the first place; while this is ideal, sometimes the prevention measures taken do not hold up to the attacker’s aggressive and complex approaches and an attack breaks through. For this reason, it is important to know how to respond to an attack swiftly in order to get your crucial data unencrypted and protected once again.


1. Keep backups up-to-date – One of the major costs associated with a ransomware attack apart from the ransom itself is the cost of lost time caused by a lack of access to crucial data. In order to avoid excessive downtime in your company’s operations, be sure to keep your essential data backed up on a regular basis. To further protect these backups, be sure to keep a copy of these files saved in a separate network; this helps to keep data accessible even in the event of an attack.

2. Develop an incident response team & come up with a plan – One of the most important things to do related to cybersecurity is to develop a response plan before an incident arises. There are five fundamentals to consider when creating an incident response plan: preparation, identification, containment, eradication, and recovery. The preparation portion is the preventative element of incident response plans. When developing the plan before an attack occurs, it is important to identify an incident response leader and team; these are the specific folks in the company who are in charge of taking tactful, swift action in order to handle the attack. Define responsibilities for each team member so that they can kick into gear quickly. For the plan itself, it helps to keep language high-level and general, as this will allow the plan to apply to any ransomware attack.

  • Strengthen your incident response plan by creating playbooks – While an incident response plan provides general guidelines for attacks, a playbook provides more specific steps to take for types of attacks. A company will have an especially strong cybersecurity defense when they develop playbooks for a series of common attack types. Keep in mind that each specific attack will vary and require nuance, but the creation of playbooks helps to have a head start in your response.

3. Conduct a stress test – A cybersecurity stress test is done in order to simulate a real attack safely so that you can see how well or poorly your current cybersecurity defenses stack up without the actual consequences of a malicious attack. This can let a company know where vulnerabilities exist so that they can take action ahead of time to try to patch and strengthen the systems.
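A check for step 1 above, as an added example that is not part of the original article: it compares the primary backup set against the copy kept on a separate network and reports files that are missing, differ in content, or are older than the allowed age. The directory layout, the 24-hour threshold and all function names are assumptions for illustration, and the sample files are constructed.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large backup archives do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_backups(primary, offsite, max_age_hours, now=None):
    """Return (relative_path, problem) for every backup file that fails a check."""
    now = time.time() if now is None else now
    findings = []
    for src in sorted(Path(primary).rglob("*")):
        if not src.is_file():
            continue
        rel = src.relative_to(primary)
        dst = Path(offsite) / rel
        if not dst.is_file():
            findings.append((str(rel), "missing_offsite"))
        elif sha256_file(src) != sha256_file(dst):
            findings.append((str(rel), "content_mismatch"))
        elif now - dst.stat().st_mtime > max_age_hours * 3600:
            # Assumption: the copy job updates mtime each time it writes the file.
            findings.append((str(rel), "stale"))
    return findings

def demo():
    # Constructed sample data: two temp directories stand in for the primary
    # backup location and the copy kept on a separate network.
    with tempfile.TemporaryDirectory() as primary, tempfile.TemporaryDirectory() as offsite:
        for name, data in [("db.dump", b"orders"), ("hr.zip", b"payroll"), ("crm.bak", b"leads")]:
            Path(primary, name).write_bytes(data)
        Path(offsite, "db.dump").write_bytes(b"orders")      # identical, but old
        Path(offsite, "hr.zip").write_bytes(b"\x00garbled")  # differs from primary
        old = time.time() - 72 * 3600                        # crm.bak was never copied
        os.utime(Path(offsite, "db.dump"), (old, old))
        return audit_backups(primary, offsite, max_age_hours=24)

if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{problem:17} {rel}")
```

A `content_mismatch` can mean the primary file changed after the last copy, including by being encrypted, so investigate it before overwriting the separate copy.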


1. Utilize your incident response plan – This is where the remaining four fundamentals of the incident response plan come into play. The identification of an attack in progress kick-starts the response team to begin their plan with swift action. The cybersecurity incident response team lead will need to take charge here and get the team up and running. Each team member will need to consult their roles and responsibilities in the plan and the specific playbook, if applicable.

2. Isolate the affected system(s) – Once the attack has been identified and the incident response team gets started, it is important to identify which system or systems have been hit by the attack. The unaffected systems should be separated from the infected in order to limit the access that malicious actors have. Then, eradicate the attack, with the help of local cyber professionals and law enforcement.

3. Report the attack – Inform local and federal law enforcement of the attack and utilize these folks as resources. If the ransomware attack is a part of a campaign targeting multiple businesses, which is likely, the law enforcement officials may already have a decryptor to assist with regaining access to the compromised files. If they don’t already have this information, the security researchers may be able to assist you in figuring out how to break the encryption algorithm and this can help them to aid other companies that may be hit by a similar attack.

4. Cultivate a Lessons Learned assessment – To help strengthen your incident response plan, be sure to collect as much relevant data as possible in order to learn from this experience. Information that would be helpful to know includes how the attacker gained access to the company’s systems, what vulnerabilities made it possible for the attack to spread (if applicable), how well or poorly the incident response plan met the actual attack, what the team can do differently next time to prevent an attack before it starts, and how the team can better respond to an attack in the future in order to lessen the severity of the ransomware attack.

Image by kjpargeter for Freepik.