How to Build a Ransomware Incident Response Plan

Incident Response / June 30, 2020

Ransomware is the number one cause of cyber claims and lost business income for small and medium enterprises (SMEs), and remains one of the biggest threats to businesses around the world. According to a study we conducted here at NetDiligence, the average ransomware event costs SMEs $150K, while the resulting lost-business income averages $261K. For larger enterprises, the financial consequences can be much greater, running into the millions of dollars for mitigation and recovery efforts.

To manage the potential consequences of such an event, ransomware needs to be part of your incident response plan (IRP).

Ransomware: Preparation and Prevention

Being denied access to your data or systems can cause swift and lasting damage—and unfortunately, ransomware threats are constantly evolving and are difficult to prevent. Your organization needs an effective incident response plan to guide you through measures to boost cyber readiness and manage the risk of a ransomware event.

Threat actors often take advantage of human error or vulnerabilities, which is why your first line of defense needs to be a well-informed workforce aware of best cyber practices. Employee training should include:

  • How to identify phishing emails and suspicious links
  • Best practices for storing company and personal data
  • Best practices for software updates and security patches
  • How to set and maintain secure passwords
  • How to run and maintain security solutions

In addition to preparing your workforce, there are measures that can be taken to improve the security of your IT environment. This should include a comprehensive approach to setting up and securing networks, managing data, and controlling user access and permissions. Here are some specific security steps you can take:

  • Antivirus and endpoint protection can help block bad payloads and flag malicious behavior before your system is compromised. Trusted anti-malware solutions include CrowdStrike Falcon Prevent and Carbon Black.
  • Segment your data backups both on separate networks and offline. This can be done using a cloud backup service and periodically backing up vital data to devices disconnected from main corporate networks.
  • Segment networks so that critical groups of users, applications, and systems are isolated to prevent the spread of malware in case of an attack. Turn off network sharing where possible.
  • Control access permissions so that admin access is only granted on an as-needed basis, use multi-factor authentication, and disable remote desktop protocols.
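The four steps above can be turned into a repeatable check rather than a one-time project. The script below is an added example, not NetDiligence code or any vendor's tool: it audits a small asset inventory against those steps (admin accounts without MFA, standing admin rights, RDP exposure, network sharing, and backups that are neither off-network nor offline) and ranks the findings. The inventory classes, the sample records and the two thresholds are constructed assumptions for illustration; a real run would load the same fields from a directory, EDR or CMDB export.

```python
"""Check an asset inventory against the hardening steps listed above.

Added example, not NetDiligence code. The inventory classes, the
sample records and the thresholds are constructed for illustration;
a real run would load them from your directory, EDR or CMDB export.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

STANDING_ADMIN_DAYS = 30   # assumed: admin rights unused this long should be removed
MAX_BACKUP_AGE_DAYS = 7    # assumed: oldest acceptable backup copy


@dataclass
class Account:
    name: str
    is_admin: bool
    mfa_enabled: bool
    admin_last_used_days: Optional[int] = None   # None: admin rights never used


@dataclass
class Host:
    name: str
    rdp_enabled: bool
    rdp_internet_exposed: bool
    network_sharing_enabled: bool


@dataclass
class Backup:
    name: str
    location: str   # "corporate-lan", "cloud" (separate network) or "offline"
    age_days: int


Finding = Tuple[str, str]   # (severity, message)


def audit(accounts: List[Account], hosts: List[Host], backups: List[Backup]) -> List[Finding]:
    """Return findings sorted by severity, then message."""
    findings: List[Finding] = []
    # Access control: MFA on every admin account, and no standing admin rights
    for a in accounts:
        if a.is_admin and not a.mfa_enabled:
            findings.append(("HIGH", f"{a.name}: admin account without MFA"))
        if a.is_admin and (a.admin_last_used_days is None
                           or a.admin_last_used_days > STANDING_ADMIN_DAYS):
            findings.append(("MEDIUM", f"{a.name}: standing admin rights unused for "
                                       f">{STANDING_ADMIN_DAYS} days; grant as-needed instead"))
    # Remote access and network sharing
    for h in hosts:
        if h.rdp_enabled and h.rdp_internet_exposed:
            findings.append(("HIGH", f"{h.name}: RDP reachable from the internet"))
        elif h.rdp_enabled:
            findings.append(("MEDIUM", f"{h.name}: RDP enabled; disable unless required"))
        if h.network_sharing_enabled:
            findings.append(("LOW", f"{h.name}: network sharing enabled"))
    # Backups: at least one copy off the corporate network, one offline, none stale
    if not any(b.location == "offline" for b in backups):
        findings.append(("HIGH", "backups: no offline copy"))
    if not any(b.location != "corporate-lan" for b in backups):
        findings.append(("HIGH", "backups: every copy sits on the corporate network"))
    for b in backups:
        if b.age_days > MAX_BACKUP_AGE_DAYS:
            findings.append(("MEDIUM", f"{b.name}: last copy is {b.age_days} days old"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


# Constructed sample inventory (not real assets)
SAMPLE_ACCOUNTS = [
    Account("alice", is_admin=True, mfa_enabled=True, admin_last_used_days=2),
    Account("bob", is_admin=True, mfa_enabled=False, admin_last_used_days=90),
    Account("carol", is_admin=False, mfa_enabled=False),
]
SAMPLE_HOSTS = [
    Host("FIN-WS07", rdp_enabled=True, rdp_internet_exposed=True, network_sharing_enabled=True),
    Host("ENG-WS12", rdp_enabled=False, rdp_internet_exposed=False, network_sharing_enabled=False),
]
SAMPLE_BACKUPS = [
    Backup("nightly-lan", "corporate-lan", 1),
    Backup("cloud-weekly", "cloud", 3),
]

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_ACCOUNTS, SAMPLE_HOSTS, SAMPLE_BACKUPS):
        print(f"[{sev}] {msg}")
```

On the sample inventory the audit reports five findings: two against the admin account without MFA and with unused standing rights, two against the workstation with internet-facing RDP and sharing on, and one because no backup copy is offline. Running it on a schedule and tracking the count over time gives a concrete readiness measure to put in front of management before an incident, not after.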

Getting ahead of the ransomware risk should also include mock breach exercises to prepare your team to act. Mock scenarios should simulate the series of events that could occur and potential decisions that need to be made affecting system restoration, negotiation and payment, legal ramifications, public relations, and breach notification.

NetDiligence clients benefit from a ransomware simulation game hosted on our eRiskHub to prepare for the possibility of an attack.

Even with the best preparation, at times an attack cannot be averted—but your incident response plan can ensure you are ready to take the appropriate remediation measures.

An Incident Response Plan for Ransomware

In the event of a ransomware attack, swift and decisive action needs to be taken. The event needs to be triaged to pinpoint the source of the attack, its scope, and the resources that will be needed for recovery. Incident response teams will be entrusted to make a number of pivotal decisions including:

  • How to coordinate an organization-wide response
  • Which experts to reach out to
  • Whether or not to contact authorities
  • Whether the ransom should be paid or not
  • How to notify affected users

To avoid a clumsy shoot-from-the-hip response at the moment of crisis, your incident response plan should include a detailed framework that can be followed for ransomware containment. That framework should include instructions and contingency plans for communication, impact analysis, containment, eradication, and recovery.

  • Communication

    When an attack occurs, normal channels of communication may be cut off. Contact info for internal and external incident response teams should be prepared in advance and stored on a separate network or offline. Communication preparation should also include instructions on when and how to contact a breach coach lawyer, a forensics investigation professional, a public relations partner, and other experts needed for incident recovery.

  • Impact Analysis

    An effective ransomware response guide also has set procedures to analyze the business interruption and information impact of the event. There should be both manual and automated mechanisms to detect the source and scope of the attack, including which machines, networks, and applications have been affected.

  • Containment, Eradication, and Recovery

    With an effective impact analysis, response teams can make informed decisions about how to contain the event. This includes taking certain machines or networks offline, identifying and eliminating malware, or disabling breached accounts.
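The impact-analysis and containment steps above are where an automated mechanism earns its keep: given endpoint telemetry, a responder wants to know which host encrypted first, which hosts and accounts it touched afterwards, and which segments to cut off. The script below is an added example, not NetDiligence code or any EDR product's output. It assumes a simple telemetry format (timestamp followed by key=value pairs), assumed event names such as `mass_file_rename` and `lateral_logon`, a host naming convention of `SEGMENT-HOSTNN`, and a rename-burst threshold; the log lines are constructed, not from a real incident.

```python
"""Scope a ransomware event from endpoint telemetry and draft containment actions.

Added example, not NetDiligence code or any product's output. The log
format (timestamp then key=value pairs), the event names, the host naming
convention (SEGMENT-HOSTNN) and the rename threshold are assumptions for
illustration; the telemetry below is constructed, not from a real incident.
"""
from collections import defaultdict

MASS_RENAME_THRESHOLD = 500   # assumed: renames in one burst treated as encryption

# Constructed telemetry. The 01:50 burst is a normal small rename (below threshold),
# the 02:15 read from HR is noise, and the 08:00 logon happens after the spread.
TELEMETRY = """\
2020-06-29T01:50:00Z host=ENG-WS12 user=bchen event=mass_file_rename count=12 ext=.bak
2020-06-29T02:11:04Z host=FIN-WS07 user=jdoe event=mass_file_rename count=1843 ext=.locked
2020-06-29T02:11:09Z host=FIN-WS07 user=jdoe event=ransom_note path=C:\\Users\\jdoe\\README.txt
2020-06-29T02:13:30Z host=FIN-WS07 user=jdoe event=smb_write dst=FIN-FS01 share=Finance
2020-06-29T02:14:02Z host=FIN-FS01 user=svc_backup event=mass_file_rename count=52011 ext=.locked
2020-06-29T02:15:45Z host=HR-WS03 user=asmith event=smb_read dst=FIN-FS01 share=Finance
2020-06-29T02:20:10Z host=FIN-WS07 user=jdoe event=lateral_logon dst=ENG-WS12 proto=rdp
2020-06-29T08:00:00Z host=ENG-WS12 user=bchen event=logon
"""


def parse_line(line):
    """'TS k=v k=v ...' -> dict with 'ts' plus the key=value fields."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for p in pairs:
        k, _, v = p.partition("=")
        rec[k] = v
    return rec


def segment_of(host):
    """Network segment from the assumed SEGMENT-HOSTNN naming convention."""
    return host.split("-", 1)[0]


def scope_incident(text, threshold=MASS_RENAME_THRESHOLD):
    """Return patient zero, confirmed/suspected hosts, exposed accounts,
    affected segments and an ordered list of containment actions."""
    records = sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    confirmed = {}               # host -> first encryption indicator timestamp
    suspected = {}               # host -> (source host, timestamp) of lateral contact
    accounts = defaultdict(set)  # user -> confirmed hosts the account was active on
    for r in records:
        ev, host = r.get("event"), r["host"]
        encrypting = (ev == "mass_file_rename" and int(r.get("count", 0)) >= threshold) \
            or ev == "ransom_note"
        if encrypting:
            confirmed.setdefault(host, r["ts"])
            suspected.pop(host, None)          # confirmed outranks suspected
        if host in confirmed:
            accounts[r.get("user", "?")].add(host)
            # outbound writes / logons from an encrypting host mark the target as suspect
            if ev in ("smb_write", "lateral_logon") and r["dst"] not in confirmed:
                suspected.setdefault(r["dst"], (host, r["ts"]))
    patient_zero = min(confirmed, key=confirmed.get) if confirmed else None
    segments = sorted({segment_of(h) for h in list(confirmed) + list(suspected)})
    actions = [f"isolate {h} (encryption observed at {confirmed[h]})" for h in sorted(confirmed)]
    actions += [f"isolate {h} (reached from {src} at {ts}; verify before restore)"
                for h, (src, ts) in sorted(suspected.items())]
    actions += [f"disable account {u} (active on {', '.join(sorted(hs))})"
                for u, hs in sorted(accounts.items())]
    actions += [f"block SMB between segment {s} and the rest of the network" for s in segments]
    return {
        "patient_zero": patient_zero,
        "confirmed": confirmed,
        "suspected": suspected,
        "accounts": {u: sorted(hs) for u, hs in accounts.items()},
        "segments": segments,
        "actions": actions,
    }


if __name__ == "__main__":
    result = scope_incident(TELEMETRY)
    print("patient zero:", result["patient_zero"])
    for action in result["actions"]:
        print(" -", action)
```

On the constructed telemetry the workstation FIN-WS07 is patient zero, the file server FIN-FS01 is confirmed a few minutes later, and ENG-WS12 is only suspected (an RDP logon reached it from the patient zero, but it never encrypted). The actions list is deliberately ordered: confirmed hosts first, suspected hosts flagged for verification rather than blind restore, then the accounts and segments, which matches the containment choices the text describes (machines offline, accounts disabled, networks cut).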

Incident Response Planning with NetDiligence

Especially for small and mid-size enterprises, which face the majority of attacks, a well-prepared incident response plan will be key to recovering from a ransomware event.

At NetDiligence, we leverage nearly 20 years of cyber-readiness expertise and a network of industry experts to help clients build and maintain an effective incident response plan. Our Breach Plan Connect® service not only lets customers customize a practical step-by-step plan for managing data breach and ransomware events, but also provides access to the experts who will guide you through such an event. These experts are on hand to help you take action on recovery-oriented questions like:

  • What is the extent of our business interruption exposure?
  • What resources do we need, and which steps should we take next?
  • Should we pay the ransom or rebuild from a system backup?
  • What is our estimated return to normal operations?

With a team of experts at your disposal and a customized response guide, a ransomware event doesn’t have to cripple your business. If you are ready to better manage the risk of ransomware and other cyber events, get in touch with NetDiligence today.

Mark Greisiger

