
Considerations to Keep in Mind During a Ransomware Incident

Jordan Hunt
July 1, 2025

While most businesses have security measures in place to protect against cyberattacks, no one is entirely immune. Ransomware is a persistent threat: threat actors lock an organisation out of its own systems and data, then demand payment for access, forcing high-pressure decisions with serious consequences. In the event of an attack, knowing how to respond is vital to minimise damage, reduce costs and protect your reputation. The best approach to ransomware is a holistic one that looks beyond the immediate technical fix to the broader operational, legal and reputational impacts, so that your business responds in the best possible way.

Planning for a Ransomware Incident

While you hope it won't happen, thinking about how you'd handle ransomware before disaster strikes can make all the difference. By preparing in advance, your business can respond faster, limit damage and recover more smoothly. With that in mind, before you can confidently deal with an incident, it's worth asking yourself a few critical questions:

  • What are your business systems' Maximum Tolerable Downtimes (MTDs)? If a ransomware attack knocked out a system, how long could the business survive without it, and what are the consequences if you don't recover in time?
  • What metrics matter most during a cyber incident? Metrics such as Mean Time to Detect (MTTD), Recovery Time Objective (RTO) and Recovery Point Objective (RPO) can then inform an Information System Contingency Plan (ISCP) for business-critical systems, reducing potential downtime, limiting financial loss and maintaining the trust of stakeholders.
  • What's the worst-case scenario? Ransomware downtime can range from a few days to several weeks. Understanding the different levels of impact helps define the scale of response you'll need. Impacts to consider include:
    • Human safety: is there any risk to staff, clients or members of the public from the impact on cyber-physical systems?
    • Recoverability: the time and resources that must be spent recovering from the incident.
    • Functional impact: identify and document the potential disruption to business operations caused by loss of system or information functionality.
    • Information impact: identify and document the type of data affected (personal, sensitive, intellectual property) through possible degradation or loss of confidentiality, integrity or availability.
  • What internal and external resources do you have in place? When an attack hits, time is everything. Incident response, business continuity and disaster recovery/contingency planning all involve defining both internal capabilities and external partners in advance.
  • How could upstream or downstream dependent systems, suppliers or clients be impacted? If you rely on suppliers, cloud vendors or outsourced services, a cyber incident at your end could impact them, and one at theirs could impact you. Define these interdependencies clearly, and make sure your organisation, clients and vendors are meeting their security commitments.
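The MTD, RTO and RPO questions above only help if the numbers are consistent with each other: a recovery objective that is longer than the tolerable downtime, or a backup cadence that cannot deliver the promised recovery point, is a planning gap rather than a plan. The script below is an added example, not part of the original post or any ForensicIT tooling; it checks a set of constructed system entries (the names, hours and monitoring figures are hypothetical) for those inconsistencies.

```python
"""Added planning check, not from the original post: flags systems whose
recovery objectives cannot meet their Maximum Tolerable Downtime (MTD).
All system names and figures below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class SystemPlan:
    name: str
    mtd_hours: float               # Maximum Tolerable Downtime
    rto_hours: float               # Recovery Time Objective
    rpo_hours: float               # Recovery Point Objective (acceptable data loss)
    backup_interval_hours: float   # how often a restorable copy is actually taken
    expected_mttd_hours: float     # Mean Time to Detect with current monitoring


def check_plan(plan: SystemPlan) -> list[str]:
    """Return the planning gaps for one system (an empty list means consistent)."""
    gaps = []
    # The recovery objective must fit inside the downtime the business can tolerate.
    if plan.rto_hours > plan.mtd_hours:
        gaps.append(f"RTO {plan.rto_hours}h exceeds MTD {plan.mtd_hours}h")
    # Downtime starts when the disruption begins, not when you notice it, so the
    # realistic worst case is detection time plus recovery time.
    worst_case = plan.expected_mttd_hours + plan.rto_hours
    if worst_case > plan.mtd_hours:
        gaps.append(
            f"MTTD {plan.expected_mttd_hours}h + RTO {plan.rto_hours}h = "
            f"{worst_case}h exceeds MTD {plan.mtd_hours}h"
        )
    # You cannot promise to lose at most RPO hours of data if backups run less often.
    if plan.backup_interval_hours > plan.rpo_hours:
        gaps.append(
            f"backup interval {plan.backup_interval_hours}h cannot meet "
            f"RPO {plan.rpo_hours}h"
        )
    return gaps


def review(plans: list[SystemPlan]) -> dict[str, list[str]]:
    """Map each system name to its list of gaps."""
    return {plan.name: check_plan(plan) for plan in plans}


# Constructed sample inventory (hypothetical systems and numbers).
SAMPLE_PLANS = [
    SystemPlan("order-processing", mtd_hours=8, rto_hours=4, rpo_hours=1,
               backup_interval_hours=1, expected_mttd_hours=2),
    SystemPlan("payroll", mtd_hours=48, rto_hours=24, rpo_hours=24,
               backup_interval_hours=24, expected_mttd_hours=36),
    SystemPlan("file-share", mtd_hours=24, rto_hours=36, rpo_hours=4,
               backup_interval_hours=24, expected_mttd_hours=6),
]

if __name__ == "__main__":
    for name, gaps in review(SAMPLE_PLANS).items():
        status = "OK" if not gaps else "; ".join(gaps)
        print(f"{name}: {status}")
```

In the constructed data, order-processing is consistent, payroll fails only because slow detection eats into its MTD, and file-share fails on all three checks. Run against a real inventory, the output is a list of systems whose ISCP needs either a faster recovery path, better monitoring or more frequent backups before the plan can be relied on.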

Triaging a Security Incident

If a ransomware attack strikes, knowing how to identify, prioritise and contain the threat is critical. Triage is the frontline of incident response: it sets out which steps to take, and in what order, to mitigate damage, recover systems and protect your data. However, alerts can be overwhelming and often include false positives, which means having a skilled team with the right tools and clear processes is key to effective triage.

Some key triage steps that every business needs to cover include:

  • Following your Information System Contingency Plans (ISCP): Whether it's malware, ransomware, failed system update or something else, your team should work from a documented procedure to sustain operations of critical business systems.
  • Preserving Forensic Evidence: Before systems are restored, reimaged or reset, capture the evidence investigators will need. Restoring first destroys the traces that show how the attacker got in, what they accessed and whether they are still present.
  • Defining Roles and Responsibilities: Everyone should know exactly who is responsible for what, from technical responses to stakeholder communications.
  • Updating the Chain of Command: Keep key decision-makers informed and ensure leadership receives real-time updates.
  • Cross-Team Collaboration: IT, security, legal, communications and leadership all have a role to play in addressing a security incident.
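A concrete piece of the evidence-preservation step is a hashed manifest: before anyone restores or reimages a host, record the SHA-256 of each artefact along with who collected it and when, so that the investigation can later prove the artefacts were not altered. The script below is an added example, not code from the original post or from ForensicIT; the case identifier, collector name, file names and file contents are all constructed for the demonstration.

```python
"""Added example, not from the original post: a hashed evidence manifest that is
built before systems are restored, so that later analysis can prove nothing
changed. The case ID, collector, file names and contents are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large artefacts (disk images, logs) need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths: list[str], collector: str, case_id: str) -> dict:
    """Record who collected what, when (UTC), and the SHA-256 of each item."""
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "items": [
            {"path": path, "size": os.path.getsize(path), "sha256": sha256_file(path)}
            for path in paths
        ],
    }


def verify_manifest(manifest: dict) -> list[str]:
    """Return the paths whose current hash no longer matches the manifest."""
    return [
        item["path"]
        for item in manifest["items"]
        if sha256_file(item["path"]) != item["sha256"]
    ]


def demo() -> tuple[int, list[str]]:
    """Constructed scenario: capture two artefacts, then simulate a restore that
    overwrites one of them. Returns (items recorded, paths that changed)."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    ransom_note = os.path.join(workdir, "README_TO_RESTORE.txt")
    app_log = os.path.join(workdir, "app.log")
    with open(ransom_note, "w") as handle:           # constructed content
        handle.write("Your files have been encrypted.\n")
    with open(app_log, "w") as handle:               # constructed log line
        handle.write("2025-07-01T02:13:44Z login ok user=svc_backup src=10.0.0.5\n")

    manifest = build_manifest(
        [ransom_note, app_log],
        collector="analyst-1 (hypothetical)",
        case_id="IR-0001 (hypothetical)",
    )
    # Store the manifest separately from the evidence it describes.
    with open(os.path.join(workdir, "manifest.json"), "w") as handle:
        json.dump(manifest, handle, indent=2)

    # A restore from backup overwrites the log; the manifest shows it changed.
    with open(app_log, "w") as handle:
        handle.write("")
    return len(manifest["items"]), verify_manifest(manifest)


if __name__ == "__main__":
    recorded, changed = demo()
    print(f"recorded {recorded} items; changed since capture: {changed}")
```

Two caveats a practitioner should keep in mind: reading files on a live system can update access timestamps on some filesystems, so where possible image the disk and hash the image rather than hashing files in place; and volatile data (memory, running processes, active network connections) disappears on reboot, so capture it before isolating or powering off a host.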

It's also important to remember that severity levels can shift, both between different events and within a single incident. What starts as a minor disruption can escalate fast. That's why testing your response ahead of time is essential.

The Benefits of Ransomware Simulations

Running a ransomware simulation isn't just a box-ticking exercise; it's a critical step in ensuring your people, processes, and systems hold up when it matters most. A well-run simulation helps reduce the time it takes to detect, contain and recover from a real incident. Moreover, it gives your team a chance to practise under pressure, iron out any confusion, and fine-tune your response across all levels of the business, including:

  • Executive level: Leadership understands their role, approves decisions faster and communicates clearly under stress.
  • Controls level: You gain a better understanding of how effectively your governance and compliance structures support (or hinder) your response.
  • Technical level: Business system owners, IT application and infrastructure teams, and IT security teams can test cyber IR plans, DR/BCP and ISCPs in a safe environment and sharpen the steps needed to respond.

These sessions can cover everything from first response to recovery and reporting, and they're a key part of the wider incident readiness services we offer at Infotrust, including Forensic IT (Digital Forensics and Incident Response), GRC (Governance, Risk and Compliance), Assurance Testing and SOC (Security Operations Centre) Services.

While this may seem overwhelming, it's not about predicting every scenario but rather being ready to act with confidence, no matter how or when ransomware strikes.

Building Resilience Against Ransomware

Even with strong security measures in place, ransomware can still find a way in. However, while you can't always control when or how an attack happens, you can take control of your response, and that starts long before disaster strikes.

Now is the time to review your Business Continuity and Disaster Recovery programs, develop a risk management strategy, and invest in simulations that stress-test your organisation's ability to detect, contain, and recover from incidents. These activities can help you uncover gaps, clarify responsibilities, and ultimately build a stronger, more resilient infrastructure.

At ForensicIT, we help organisations prepare for and respond to ransomware with speed and confidence. Our incident response services combine forensic investigation, elite threat containment, and compliance support to reduce business disruption and maintain stakeholder trust, from first alert to full recovery.

If you want to strengthen your readiness or need support navigating a ransomware incident, connect with ForensicIT's Incident Response team to build your resilience against attack.