The Ingredients Of A Ransomware Plan

man hacking into a computer

Best Way To Reduce Risk of a Ransomware Attack, Learn The Components of A Ransomware Plan

Let’s face it, 2021 was probably one of the most challenging years for Cybersecurity professionals.  A lot of this was fueled by the extreme and unexpected rise in Ransomware attacks.  Previous articles of ours have mentioned the need to have a rock-solid Incident Response and a Business Continuity & Disaster Recovery (BCDR) plan in place.  

While these are no doubt a must in today’s environment, so is the need to have a Ransomware Plan in place in case you become a victim of one.  So, what are the components of a ransomware attack?  Let’s find out . . . 

The beginnings of a ransomware attack..

Of course, creating the Ransomware Plan will depend largely upon what your own security requirements are, but the bottom line is that you need something in hand that will let you recover in the quickest amount of time possible.  So, the following are the components that must be included, as a baseline:

  1. Create the response team:

You will want to include people from the various departments that you have in your company.  But take careful thought of who should be included.  Obviously, the hourly contractor may not be the best choice, so pick those people who have an understanding of what Ransomware is all about.  These should include folks from the IT Security team, Legal, Human Resources, as well as Finance and Accounting.  Once you have assembled this team, assign specific roles and assignments to each member so they will know what to do in case of a security breach.

2. What the first response should be:

If you are hit with a ransomware attack, you need to create a quick strategy of what will be done first.  It is important to keep in mind that Ransomware consists of Malware, and can spread itself within minutes.  Therefore, your first plan of attack should be to have all employees of the company immediately disconnect any and all devices that are connected to the network, so that they do not become infected.  This alert should be in all forms of communication, such as phone call, text and email.  Once this has been done, then the response team can work on isolating the Malware that has infiltrated your network and mitigating any more damage.  In fact, you should rehearse this kind of activity on a regular basis to see how long it does take for this to happen, and try to shorten that down.

3. Determine how communications will take place:

This is perhaps one of the most crucial pieces of your Ransomware Plan.  You need to create a call tree which will provide the direction as to how the communications process will take place in case you are hit (in a way, this will be like a flowchart).  Information to be put here includes the following:

  • Phone numbers:  This includes landlines and cell numbers;
  • Email addresses:  This includes both work and personal emails.

It is important to keep this information updated at all times.  The people on your response team who are tasked with alerting the company will be primarily responsible for sending out the first round of messages to all employees.  Initially, there could be some doubt if this is all real or not, so put out the same messaging on your company intranet as well.  Do not post anything on Social Media, as this could be a temptation for other Cyberattackers to launch other threat variants while you are dealing with the first attack.

4. Have a data backup plan:

Traditionally, this falls under the realm of the IT Security team to create the backups and to execute them when needed, and the details of this should be included in your overall Security Plan.  So far, with the Ransomware Plan, all of this does not to be repeated, but rather, it should contain the contact information of the people that will be doing this task.  In fact, right after the first-wave communications have gone out, it would be the most optimal time to do this, so that they can get ready with the backups in place.

5. Notify other key stakeholders:

Once you have mitigated the Ransomware breach to the best degree possible, it is important that you quickly notify other stakeholders as well.  This will include the following group of people:

  • Shareholders;
  • External, third-party vendors that you are currently working with;
  • Law enforcement at all levels (this includes federal, state, and local agencies);
  • The appropriate regulatory bodies.

It is important that you do this, and not simply just ignore it.  New laws have come out which now make it a felony for not reporting Ransomware breaches in a timely fashion.

6. Include information about your insurance policy:

While you do not need to include each and every detail of your Cybersecurity Insurance Policy, you should include the key tenets and provisions of it in a Ransomware Plan, as a point of reference.  Also, it is equally important to include the contact information of the people at the insurance company who will you be filing the claim with.  Of course, getting the ultimate payout is going to take some time, and the sooner that you get this ball rolling, the better off your company will be.  


After you have been hit with a Ransomware attack, the next question then is:  Do you pay or not?  There are many differing views on this, and this will be the focal point of a future article.  But keep in mind that with the recent Cybersecurity legislation passed by the Biden Administration, it can now be considered an act of treason if you do pay.

The alternative is to simply ignore the payment and rebuild everything from the data backups that you have.  But this can take some time as well, even if your IT/Network Infrastructure is all Cloud-based, either with the AWS or Microsoft Azure.

But for the purposes of this article, the key mantra here is to develop this plan, and rehearse it on a regular basis, and keep updating this document with new lessons that have been learned after each exercise. If your team needs help with Disaster Recovery planning, get in contact with our team today and learn more about our tailor-made IT solutions.