by Charlotte Trueman, Christina Mercer-Myers

How to respond to a ransomware attack

Mar 05, 2019
CyberattacksData BreachSecurity

The worst has happened, you’ve fallen victim to a ransomware attack. Now what do you do?

Credit: Thinkstock

Protecting your organisation’s critical data is a costly endeavour, with security budgets continually being squeezed to mitigate against the ever-expanding threat landscape.

Ransomware is undoubtedly one of the most crippling cyberattacks, catching victims unaware and ultimately causing long-term consequences for the companies that become infected.

Although ransomware attacks have started to stabilise, now is not the time to get complacent with your security strategy.

Ransomware attacks are still happening and just because your organisation might not be individually targeted, if you fail to patch properly there’s a very real chance you’ll become the victim of a wider attack, designed to infiltrate any system that has been left vulnerable.

Here, we provide a brief overview of ransomware alongside a list of steps security professionals advise you take in the event of a ransomware attack alongside a couple of things you should aim to avoid.

What is ransomware?

Ransomware first came to prominence in 2005 and since then, it has become the most pervasive cyberattacks across the world. Since day one, its purpose has been to generate revenue from its unsuspecting victims and recent calculations from Cybersecurity Ventures put the estimated cost of ransomware attacks around $11.5 billion.

There are two major types of ransomware; crypto and locker. Once a malicious link has been clicked on or a misleading application has been opened, crypto-ransomware will encrypt all the files, folders and hard drives on the infected device, promising to reinstate once a ransom has been paid to the attacker. By comparison, locker-                ransomware simply locks users out of their devices.

Unfortunately, ransomware attackers aren’t fussy when it comes to who they target. Attacking a business might see them do the most damage but regular end-users who aren’t necessarily clued-up on cybersecurity are more likely to pay the ransom in an attempt to retrieve their files.

As a result, cybercriminals launching this type of attack usually take a scattergun approach, as even if only a small minority of the victims pay out, ransomware is so cheap to deploy the attackers are guaranteed a profit.

Falling foul of a ransomware attack can be damaging enough however, if you handle the aftermath badly the reputational damage could be catastrophic; causing you to lose much more than just your files.

What should you do in the event of an attack?

Trace the attack

The most common way ransomware makes it into your system is through a malicious link or email attachment. If you’re lucky, the malware will only affect the machine it was opened on however, if you’ve failed to patch your entire network (hello WannaCry) your entire system will end up becoming infected.

First you need to locate the machine that was initially infected and find out if they’ve opened any suspicious emails or noticed any irregular activity on their machine.

The sooner you find the source, the quicker you can act. Ransomware attacks tend to have a time limit on them before files are erased.


Once it has initially infiltrated a machine, ransomware spreads via your network connection, meaning the sooner you remove the infected machine from your office network, the less likely other machines are to become infected.

When notifying employees about the need to unplug devices from the network, don’t forget to reach out to any remote workers you might have. Just because someone isn’t physically in the office, if they’re connected to the network they can still fall victim to the attack.

In the perfect world, your security team or equivalent should already have a plan for situations like this, so it might be the case that you just hand over to them and allow them to mitigate the damage as best they can.

In the instance that a plan doesn’t exist, a meeting should be held to outline what needs to happen next. It’s important to let everyone know exactly what is expected of them.

Notify your IT security team or helpdesk

It’s not uncommon for bigger organisations to have an IT security team and even a dedicated Chief Information Security Officer who will be the one to execute your plan of action and handle protocol in the aftermath of an attack.

However, for some smaller companies, budgetary restraints often mean having these experts in-house just isn’t feasible. In that instance, it’s important that the CIO is fully briefed on all security issues and can take the reins in the event of a crisis. 

It’s also helpful to map out a timeline of the breach. This should help for future attacks and help you learn about your current security systems.

Often cyberattacks leave clues in the metadata, so a full search of that will be necessary in most cases.

Notify the authorities

If your company handles data that belongs to citizens inside the European Union, GDPR now requires you to inform the ICO within 72 hours of a breach having occurred. Failure to do means your organisation is non-compliant with legislation and with potential fines of 4% of annual global turnover or €20 million, that’s something you cannot afford to do – literally!

If the data stored has numerous identifiers, you should alert a data protection officer or equivalent.

Inform all employees and customers

Transparency is key in situations like this. When it comes to cyber-attacks, your weakest link is often your employees and despite our best efforts, we can all easily make mistakes that can jeopardise company data.

Rather than pointing fingers, inform your staff that there has been a breach, what this means and what action you plan on taking. You should also let them know of any expected system downtime which will impact their work.

It’s also important your upfront with your customers who might have had their data compromised in a ransomware attack. Obviously, there’s no point putting out a statement the minute you discover the breach as at this point you won’t know all of the facts surrounding the attack.

Once you’ve had a bit more time to establish exactly what went wrong, that’s when you need to inform them. It’s important your customers hear the bad news from your company, not a media report.

Update all of your security systems

Patch, update, invest and repeat. After the incident is over, you’ll need to perform a total security audit and update all systems.

This may take some time, and even cost some money, but if you value your data and your company’s reputation, you’ll do it.

What you definitely shouldn’t do


While we would always to advice you have a plan in place before you fall victim to a ransomware attack, if the worst happens and you don’t have a strategy it’s important you try not to panic. Impromptu decisions won’t help your situation, if you need help, ask for it.

Any obvious disorder could potentially be exploited by cyber criminals, leaving you vulnerable to further attacks.

Pay the ransom

Ransomware attacks saw a significant spike a few years ago because criminals realised they can make relatively large amounts of money for a small upfront cost.

Most alarmingly, research has shown that one third of companies admit that it’s actually more cost effective to just pay the ransom each time than invest in a proper security system.

Unfortunately, this has created a vicious circle where businesses continue to pay the ransom meaning ransomware will continue to be a popular money-making tactic, serving only to perpetuate the problem.

Generally, cybercrime experts and authorities advise against paying the ransom for many reasons. Firstly, just because you’ve paid the ransom, it doesn’t mean that you’ll receive an encryption key to unlock your data. Secondly, it might encourage the hackers to request larger amounts of money from future victims.

Ultimately, only you can assess if your data is worth the cost.