The CISO's 6-Step Ransomware Response Plan


Tech Insights for Professionals: The latest thought leadership for IT pros

Tuesday, June 28, 2022

With ransomware attacks doubling in 2021, having a strategic response plan is the best way CISOs can protect their data and minimize the impact of an attack.

Ransomware attacks continue to blight businesses around the world, with increasingly professional criminal gangs focusing on easy victims through endless waves of automated strikes or taking the time and effort to breach high-value targets using the latest vulnerabilities.

Thanks to the automated nature of ransomware tools, any business is a target and every company must have a response plan in place. So what will you do when your system’s screens start posting sinister messages and you find all your data is encrypted and being held for ransom? 

The need for a strategic and organized response

Ransomware attacks doubled in 2021, and will only continue to rise in volume as most businesses remain unprepared for them and criminals see easy money. Businesses need to be ready with ransomware incident response teams and a detailed response plan to protect the business, its data (typically operational files, customer lists, credit card or financial records) and employees from the worst effects of an attack.

Fortunately, because ransomware attacks are so widespread, there are several helpful ransomware playbooks to get you prepared for the day your data vanishes and criminals start demanding payment in Bitcoin.

Given the daily risk of attack and the growing use of ransomware-as-a-service tactics, a breach for any business is inevitable. While endless failed attacks clutter spam inboxes, are blocked at the firewall or by rules or profiles in your security suite, or are thwarted by aware employees, one day the business won't be so lucky and a new attack will sneak through.

To be prepared to respond to and mitigate it, businesses need to have well-trained employees, strong data backup policies and the latest protection applications and services in place. All of this starts with strong leadership that isn't ignoring or avoiding the risk, or too focused on business results to pay it sufficient attention.

The CISO's first effort should be to ensure the rest of the business leadership and workers understand the risks and exactly how badly things can go wrong. There are plenty of examples you can show them. Having raised awareness, you need to take responsibility for building a response plan that's well-funded and reaches across every department and office, far beyond just the IT department. The latest tools are equipped with ransomware detection techniques that use AI and analytics to identify new threats and variants of existing ones, while training will ensure everyone is aware of and alert to the risks.

Even with strong security systems in place and well-trained staff who can identify hacking attempts across social media, messaging apps and even well-crafted emails purporting to come from senior officers within the company, eventually attackers will succeed, and for that day you need a ransomware incident response plan.

Creating a ransomware response plan

When a ransomware attack is triggered, either through a member of staff opening a malware-laden file or link or through more direct methods using zero-day IT vulnerabilities, the first human instincts are guilt and panic. Neither of these will help in any ransomware situation, so people need to be aware of the response plan, as well as what not to do.

Fortunately, there are several well-considered response plan templates you can follow, built around the following best-practice steps.

1. Turn off the network

When malware or ransomware strikes or is identified, disconnect the office network and networking devices, and turn off WiFi routers to prevent the spread between PCs and other devices. This can save some systems that still have useful data intact, and if the ransomware payload hasn't been triggered, it can prevent it from starting, limiting the damage to disinfection and clean-up. Isolating the network rather than powering down the affected machines themselves also preserves the memory and logs you will need in the next step.

2. Identify how far the ransomware has spread

Malware can spread across networks in seconds, so the faster the response, the less damage is done. But even if your IT security team thinks the damage is limited, a thorough investigation is required to identify infected systems and encrypted files, and to check that your backups are intact (and the backups of your backups, if you're being thorough).

3. Check if any administrator information was accessed

Hackers love being in control of compromised systems and often extract login credentials and other details to see what they can find. Check access logs and system records to see what data has been copied or moved from business servers.

4. Identify the specific threat and mitigate it

Since most ransomware is automated, it follows predictable patterns of behaviour that you can quickly identify once you know which strain you're dealing with. Your IT security provider can recommend a safe course of action to remove and repair the infection. Check with legal advisors what your compliance and industry regulations require as a course of action if customer or business data is stolen.

5. React to the ransomware

The golden rule is to never pay a ransom to get your data back, as most firms that pay typically never get their data back anyway, or are simply attacked again later for more money. In most cases, businesses with a strong response plan will be able to recover their data with minimal disruption to the business. Alternatively, you can get security experts to help decrypt and rebuild your data. If all else fails, you could pay or negotiate for a lower ransom, but be prepared for the worst.

6. Learn your lessons and improve security

Figure out how the ransomware attack happened, improve IT security to prevent a repeat and improve training where needed. Then schedule regular updates to your ransomware incident response plan, and to your security and data backup applications, to minimize the impact of a future breach, and be glad to have survived the episode.
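To make steps 2 and 3 concrete, here is an added Python triage example; it is not part of the article and not any vendor's tool. It runs over a constructed, hypothetical file-server audit log: it flags the accounts and hosts producing bursts of writes and renames (the machines to isolate and image first), lists what each account copied or moved off the servers, and uses byte entropy as a quick test for whether a file has been encrypted. The log format, account names, paths, window size and thresholds are all assumptions made for the example.

```python
"""Ransomware triage helpers: scope the spread from file-server audit logs
and flag files that look encrypted. Added example, not from the article."""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit log (hypothetical format and names, not real data):
# "<ISO timestamp> user=<account> host=<workstation> action=<verb> path=<file>"
SAMPLE_LOG = """\
2022-06-28T09:00:01 user=alice host=WS-12 action=READ path=/shares/finance/q2.xlsx
2022-06-28T09:00:02 user=alice host=WS-12 action=WRITE path=/shares/finance/q2.xlsx
2022-06-28T09:15:00 user=bob host=WS-07 action=RENAME path=/shares/hr/pay.docx.locked
2022-06-28T09:15:00 user=bob host=WS-07 action=RENAME path=/shares/hr/leave.xlsx.locked
2022-06-28T09:15:01 user=bob host=WS-07 action=RENAME path=/shares/hr/contracts.pdf.locked
2022-06-28T09:15:01 user=bob host=WS-07 action=RENAME path=/shares/hr/policy.docx.locked
2022-06-28T09:15:02 user=bob host=WS-07 action=RENAME path=/shares/hr/org.pptx.locked
2022-06-28T09:15:03 user=bob host=WS-07 action=WRITE path=/shares/hr/README_TO_DECRYPT.txt
2022-06-28T09:20:10 user=svc_backup host=SRV-01 action=COPY path=/shares/finance/customers.csv
2022-06-28T09:20:11 user=svc_backup host=SRV-01 action=COPY path=/shares/finance/cards.csv
this line is truncated and must be skipped, not crash the triage
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def parse_log(text):
    """Parse audit lines into dicts. Lines that do not match the format are
    skipped: partially written or truncated logs are common after an attack."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_mass_modifiers(events, window_seconds=60, threshold=5):
    """Return {(user, host): burst_size} for principals whose WRITE/RENAME
    activity inside one sliding window reaches the threshold. Ransomware
    rewrites many files a minute, so these are the hosts to isolate first."""
    per_principal = defaultdict(list)
    for ev in events:
        if ev["action"] in ("WRITE", "RENAME"):
            per_principal[(ev["user"], ev["host"])].append(ev["ts"])
    flagged = {}
    for principal, stamps in per_principal.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            # shrink the window from the left until it spans <= window_seconds
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[principal] = best
    return flagged


def copied_or_moved(events):
    """Return {user: [paths]} for COPY/MOVE actions, answering the step 3
    question of what data left the business servers and under which account."""
    out = defaultdict(list)
    for ev in events:
        if ev["action"] in ("COPY", "MOVE"):
            out[ev["user"]].append(ev["path"])
    return dict(out)


def shannon_entropy(data):
    """Bits per byte: uniformly random bytes score 8.0, English text about 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data, threshold=7.5):
    """Scoping heuristic: a document whose bytes are now near-uniformly
    distributed has very likely been encrypted (or compressed, so verify)."""
    return shannon_entropy(data) >= threshold


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("isolate and image first:", find_mass_modifiers(evs))
    print("copied or moved:", copied_or_moved(evs))
    # constructed byte samples: plain text versus every byte value equally often
    print("text encrypted?", looks_encrypted(b"Quarterly figures, see sheet. " * 20))
    print("uniform bytes encrypted?", looks_encrypted(bytes(range(256)) * 4))
```

In a real incident the log would come from the file server's audit facility rather than a string, and the window and threshold should be tuned against a week of normal activity so that legitimate batch jobs (backup agents, document indexers) do not trip the burst detector; the entropy check is a screen for which files need a closer look, not proof of encryption on its own.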

Final thoughts

Ransomware attacks will not go away: they're a gold mine for individual criminals, criminal groups and state-sponsored hackers looking for useful information, and they continue to evolve into new forms like extortionware. Therefore, everyone in CISO and other IT roles needs to understand and respect their responsibilities, and understand how notorious ransomware groups like PYSA operate.

Then, learn everything you can about protecting the business, whether by acquiring modern security solutions to replace legacy antivirus and firewall tools, or by partnering with security specialists to defend your growing IT perimeter.

Finally, since most ransomware is still triggered by an individual who is perhaps new to the business, lacking appropriate training, or simply tired and not paying attention, keep up the lessons and ensure everyone knows the risks and the damage that can be caused.
