With more than 4,000 occurring every day, ransomware attacks are no longer a question of if, but when. Don’t let your business get caught off guard and make sure you have a clear ransomware response plan in place.

What Is a Ransomware Attack?

The term ransomware has become a cybersecurity buzzword but what is it, precisely? What happens when ransomware infects your systems and networks?

Put briefly, ransomware is a form of malware that will take your data, or your entire system, hostage. With the goal of extorting money from you, the ransomware won’t release your data until you pay a ransom.

Despite the damage these attacks can cause, many businesses don’t have a response plan in place and freeze up in the face of an attack—often causing additional damage that could have been avoided. To avoid the same fate, you need to put together a plan of action before an attack occurs.

The Critical Components of a Ransomware Response Plan


The first step is to assess your assets, systems, data, capabilities, and more to gain a complete understanding of how the seizure of a particular system or dataset would impact your organization. Many businesses choose to carry out various assessments and training procedures, such as employee security awareness training and risk analyses, to ensure their people and technology aren’t just minimizing the risk of an attack but ready to effectively respond to any that occur.


One of the most critical components of your plan is the policies and procedures that detail how ransomware infections will be detected and investigated. This includes defining who is on the incident response team, what everyone’s individual responsibilities are, and how the team will communicate and make decisions, so you can more effectively hunt and validate the ransomware attack.

The goal is to swiftly identify the scope of the incident and gather critical data that will inform the next step of your response plan, including the incident origin, the strain of ransomware, and whether the incident is ongoing.


If not done earlier, disconnect all infected devices from the network. Once you’re sure the attack is no longer spreading, your response team can begin conducting thorough investigations that will inform your eradication and recovery strategy.

In the case of a widespread or serious incident, companies often choose to bring in a third-party provider, like AccountabilIT, who has the cybersecurity solutions that help you answer critical questions: Why were the systems attacked? Was it targeted or random? Why did prevention tools fail to stop the attack? How did the bad actor get into the system?

By understanding exactly what occurred, and why, you can make more effective decisions on how to eradicate the threat.


Once you’ve contained the ransomware, identified the root cause, and eradicated the infection, you can begin the process of recovering any lost data and returning to business as usual. Depending on the details of the attack, you might need to take one of the following approaches:

Restore from backups: Ideally, you’re able to wipe or remove any infected systems and restore the lost data from prior backups. To do so successfully with minimal downtime, you should have a disaster recovery plan already in place.

Decryption: Sometimes, restoring from backups might be impossible. If the ransomware used weak encryption, there might be an available decryption mechanism that a trained cybersecurity expert can leverage to help you recover your data. However, this approach is not nearly as reliable or successful as having a thorough data backup plan.


Once the data has been restored, it may feel like the process is over, but post-incident activities are a critical component of any ransomware response plan. No matter the size of the incident, you should bring in relevant stakeholders and conduct an analysis to determine what worked, what didn’t, and what steps you need to take to make improvements.

Take a Proactive & Personalized Approach to Ransomware Response

With over 150 years of combined experience, we have the cybersecurity incident response expertise your business needs to respond and recover faster. Want to learn more about how our industry-leading solutions and customer-centric philosophy protect your business? Contact us today.