Jun 7, 2020 | Articles, Cyber Security

Responding to a ransomware attack

Howard Freeman

You have become the victim of a ransomware attack. What is your plan for responding to a ransomware attack?

The challenge is to protect your valuable data whilst managing the budget for doing so. With threats rising and budgets falling, this is not an easy task.

Ransomware is undoubtedly one of the most crippling cyberattacks. The attacks catch victims unaware and ultimately cause long-term consequences for the companies that become infected.

Although ransomware attacks have started to stabilise, now is not the time to get complacent with your security strategy.

Ransomware attacks are still happening, and your organisation might not be individually targeted. However, if you fail to patch properly there’s a very real chance you’ll become the victim of a wider attack: one designed to infiltrate any system that has been left vulnerable.

Here is an overview of what ransomware is and the steps you can take, plus a few things you might not want to do.

What is Ransomware?

Ransomware first came to prominence in 2005. Since then, it has become one of the most pervasive cyberattacks across the world. Since day one, its purpose has been to generate revenue from its unsuspecting victims. Recent calculations from Cybersecurity Ventures put the estimated cost of ransomware attacks around $11.5 billion.

There are two major types of ransomware: crypto and locker. Once a malicious link has been clicked on or a misleading application has been opened, the attack begins. Crypto ransomware will encrypt all the files, folders and hard drives on the infected device. This is done with a promise to reinstate them once a ransom has been paid to the attacker. By comparison, locker ransomware simply locks users out of their devices.

Unfortunately, ransomware attackers aren’t fussy when it comes to who they target. Attacking a business might see them do the most damage. However, regular end-users who aren’t necessarily clued-up on cybersecurity are more likely to pay the ransom in an attempt to retrieve their files.

As a result, cybercriminals launching this type of attack usually take a scattergun approach. Even if only a small minority of the victims pay out, ransomware is so cheap to deploy that the attackers are guaranteed a profit.

Falling foul of a ransomware attack can be damaging enough. However, if you handle the aftermath badly the damage to your reputation could be huge. You could lose much more than just your files.

Responding to a ransomware attack

1. Trace the Attack

The most common way ransomware makes it into your system is through a malicious link or email attachment. If you’re lucky, the malware will only affect the machine it was opened on. However, if you’ve failed to patch your entire network (remember WannaCry) then your entire system will end up becoming infected.

First you need to locate the machine that was initially infected. Then find out if the user has opened any suspicious emails or noticed any irregular activity on their machine.

The sooner you find the source, the quicker you can act. Ransomware attacks tend to have a time limit on them before files are erased.

2. Unplug

Once it has initially infiltrated a machine, ransomware spreads via your network connection. This means the sooner you remove the infected machine from your office network, the less likely other machines are to become infected.

When notifying employees about the need to unplug devices from the network, don’t forget to reach out to any remote workers you might have. Just because someone isn’t physically in the office, if they’re connected to the network, they can still fall victim to the attack.

In a perfect world, your security team or equivalent should already have a plan for situations like this. Therefore, it might be the case that you just hand over to them and allow them to mitigate the damage as best they can.

In the instance that a plan doesn’t exist, a meeting should be held to outline what needs to happen next. It’s important to let everyone know exactly what is expected of them. This is key to responding to a ransomware attack.

3. Notify your IT security team or helpdesk

It’s not uncommon for bigger organisations to have an IT security team. Some will have a dedicated Information Security Officer who will be the one to execute your plan and handle protocol in the aftermath of an attack.

However, for some smaller companies, budgetary restraints often mean having these experts in-house just isn’t feasible. In that instance, it’s important that the CIO is fully briefed on all security issues. The CIO can take the reins in the event of a crisis. 

It’s also helpful to map out a timeline of the breach. This should help you prepare for future attacks and learn about your current security systems.

Often cyberattacks leave clues in the metadata, so a full search of that will be necessary in most cases.
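One way to turn file metadata into the breach timeline described above, as an added example that is not part of the original article: it groups file modification times per machine and reports the first burst of changes on each, so the earliest burst points at the machine to examine first. The host names, users, paths, `.locked` extension and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def host_bursts(records, window=timedelta(minutes=1), threshold=3):
    """Return [(burst_start, host, owner), ...] sorted by time.

    records: iterable of (host, owner, path, mtime). A burst is the first
    point at which `threshold` files on one host changed within `window`,
    the pattern mass encryption leaves in file metadata.
    """
    by_host = defaultdict(list)
    for host, owner, _path, mtime in records:
        by_host[host].append((mtime, owner))
    bursts = []
    for host, events in by_host.items():
        events.sort()
        for i in range(len(events) - threshold + 1):
            start, owner = events[i]
            if events[i + threshold - 1][0] - start <= window:
                bursts.append((start, host, owner))
                break  # only the earliest burst per host matters
    return sorted(bursts)

def t(hms):
    # Constructed sample date; only the time of day varies.
    return datetime.fromisoformat("2020-06-01T" + hms)

# Constructed sample records (hypothetical hosts, users and paths).
SAMPLE = [
    ("FILESRV-01", "jsmith", "/share/q2-budget.xlsx", t("08:15:02")),  # normal edit
    ("WS-ACCOUNTS-03", "akhan", "C:/Users/akhan/invoice1.pdf.locked", t("10:41:10")),
    ("WS-ACCOUNTS-03", "akhan", "C:/Users/akhan/invoice2.pdf.locked", t("10:41:11")),
    ("WS-ACCOUNTS-03", "akhan", "C:/Users/akhan/notes.docx.locked", t("10:41:12")),
    ("FILESRV-01", "akhan", "/share/payroll.xlsx.locked", t("10:44:30")),
    ("FILESRV-01", "akhan", "/share/q2-budget.xlsx.locked", t("10:44:31")),
    ("FILESRV-01", "akhan", "/share/suppliers.csv.locked", t("10:44:31")),
    ("WS-SALES-07", "mlee", "C:/Users/mlee/pitch.pptx", t("10:50:00")),  # single edit
]

if __name__ == "__main__":
    for start, host, owner in host_bursts(SAMPLE):
        print(start.isoformat(), host, owner)
```

The earliest modified file in the sample is an ordinary edit on the file server, which is why the function looks for bursts rather than the oldest timestamp. File timestamps can be altered, so treat the result as a lead to confirm against email and endpoint logs.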

4. Notify the authorities

Be aware of data belonging to EU citizens. If your business processes this data then the GDPR applies. You are obliged to inform the ICO within 72 hours of becoming aware that a breach has occurred. Failure to do so could result in a fine and legal action.

If the data stored has numerous identifiers, you should alert a data protection officer or equivalent. This should be part of your plan for responding to a ransomware attack.

5. Inform all employees and customers

Be transparent in situations like this. When it comes to cyber-attacks, your weakest link is often your employees. Despite best endeavours, we can all easily make mistakes that can jeopardise company data.

Don’t apportion blame; this won’t achieve anything. Inform your staff that there has been a breach. Explain what this means and what action you are taking. Also let them know of any expected system downtime which will impact their work.

Be honest with your customers who might have had their data compromised in a ransomware attack. Obviously, there’s no point putting out a statement the minute you discover the breach. Wait until you know all of the facts surrounding the attack.

So, what happened? Now is the time to tell your customers. It is important your customers hear the bad news from you, not the press.

6. Update all of your security systems

Patch, update, invest and repeat. Once the incident is over, you will need to perform a total security audit and update all of your systems.

This will take some time, and even cost some money. However, if you value your data and your company’s reputation, you will do it. You will then be better equipped in responding to a ransomware attack.

What you definitely shouldn’t do


Have a plan in place before you fall victim to a ransomware attack. If the worst happens and you don’t have a strategy, it’s important you try not to panic. Impromptu decisions won’t help your situation. If you need help, ask for it.

Any obvious disorder could potentially be exploited by cyber criminals. This will leave you vulnerable to further attacks.

Pay the ransom

Ransomware attacks saw a significant spike a few years ago. This was because criminals realised that they could make relatively large amounts of money for a small upfront cost.

It is quite alarming that one third of companies admit that it’s actually more cost effective to just pay the ransom. The alternative is to invest in a proper security system and avoid ransomware attacks altogether.

Unfortunately, this has created a vicious circle where businesses continue to pay the ransom. Ransomware is a popular money-making tactic and will become worse the more businesses pay.

Generally, cybercrime experts and authorities advise against paying the ransom for many reasons. Firstly, paying the ransom doesn’t mean that you’ll receive a decryption key to unlock your data. Secondly, it might encourage the hackers to request larger amounts of money from future victims, including you!

You must assess if your data is worth the cost.

Why not try to prevent this from happening? Call us and see how we can help you with your security infrastructure through the Cyber Essentials scheme. The government-backed scheme is proven to help reduce attacks and their severity.
