Ransomware is a Business Crisis: What To Do When an Attack Hits

Ransomware has become an enterprise-wide crisis, combining AI-driven attacks, data theft, and extortion while causing shutdowns, financial losses, and reputational harm. Learn key steps for containment, coordination, recovery, and post-incident improvement.
Feb. 10, 2026
7 min read

Key Highlights

  • Ransomware attacks combine encryption, data theft and AI-driven tactics, creating shutdowns, legal exposure and reputation damage that threaten business value.
  • Speed in the first hours is critical to limiting damage, meeting legal obligations, and unlocking insurance, forensic and law-enforcement support.
  • Downtime, recovery and remediation, regulatory penalties and lost customer trust often cost more than the ransom demand itself.
  • Pre-established incident response plans are essential to contain attacks, manage extortion decisions and recover operations.

Ransomware attacks are a nightmare for businesses because they cause devastating consequences across operations, finances and reputation. These attacks have evolved far beyond simply encrypting data, often using multiple extortion methods to maximize pressure. And they’re using artificial intelligence (AI) to up their game.

As a result, the critical first response relies on speed, discipline and containment. And prompt incident reporting isn’t just a crucial step for meeting potential legal obligations; it also provides access to vital resources and helps law enforcement track down the threat actors responsible.

And the effects can be severe and long-lasting.

Enormous Financial Impact

The massive financial costs of a ransomware attack extend beyond the ransom demand itself, which can range from thousands to millions of dollars. Many factors contribute to the true cost of a ransomware attack.

Business Downtime and Lost Revenue. Once systems are locked or encrypted, day-to-day operations grind to a halt for days or weeks. The cost of downtime can be greater than the ransom.

Recovery and Remediation Expenses. These include the cost of hiring specialized cybersecurity experts, replacing compromised hardware and software, rebuilding systems, and strengthening security infrastructure to prevent future breaches.

Legal and Regulatory Fines. If sensitive data is stolen and exposed, the business can face massive fines under regulations such as the General Data Protection Regulation (GDPR), HIPAA, or the Gramm-Leach-Bliley Act, and incur significant legal fees.

Operational Paralysis and Disruption

The core function of the business is severely compromised, which can lead to a complete breakdown of services.

First, it can make critical systems inaccessible. Ransomware locks access to vital information systems, from customer management and accounting software to entire manufacturing production lines.

Ransomware can also cause supply chain disruption, creating a ripple effect that stalls operations for other companies in the chain.


Data Loss and Extortion

Ransomware often employs double and even triple extortion tactics, turning data recovery into a complex nightmare.

  • Encryption: The primary goal of ransomware is to encrypt all critical files and data, making them unusable.
  • Double extortion (data theft): Attackers often steal a copy of sensitive data like intellectual property, customer data or trade secrets, before encrypting it. They then threaten to publicly leak or sell this data if the ransom isn’t paid.
  • Uncertainty of recovery: Even if a company pays the ransom, there is no guarantee the attacker will provide a working decryption key or that the data hasn’t been copied and sold.

A Recorded Future Intelligence Analyst says he believes it’s important not to pay the ransom. “It’s just not a good idea. It’s not an official policy, but it’s a recommendation from the FBI as well as a majority of law enforcement agencies around the world.” 

Reputational Damage

A successful attack can cause a profound and lasting erosion of trust. It can tarnish a brand’s reputation and shatter trust a business has built, possibly leading customers to migrate to competitors.

In addition, business partners, suppliers and investors might question the company's security posture and reliability, leading to lost contract renewals or a competitive disadvantage.

What If You’re Hit by Ransomware?

So, what do you do if you’re the victim of a ransomware attack? 

“The first thing the IT team needs to do is to isolate the affected systems,” says Recorded Future’s Intelligence Analyst. “It's important to know where the actual intrusion began. And there’s no single entry point for ransomware attacks — there can be a combination of ways to penetrate vulnerabilities.”

Here are some key steps, drawing from best practices established by cybersecurity experts and government agencies. Of course, IT teams should coordinate with their cybersecurity platform provider, suppliers, law enforcement, and even their cyber insurance carrier.

Containment and Assessment

The first and most critical steps are to stop the attack from spreading and to begin gathering information. Coordinate with cybersecurity experts on a comprehensive plan of action, and take the following steps:

  • Isolate affected systems immediately.
    ◦ Disconnect infected or potentially infected computers and devices from the network. If many systems are affected, consider taking the entire network offline at the switch level.
    ◦ Disconnect and lock down all backup systems and media immediately to prevent ransomware from infecting them.
    ◦ Do not restart infected devices, because that could wipe valuable clues stored in the volatile memory needed for forensic investigation.
  • Activate the incident response team and notify stakeholders.
    ◦ Initiate your organization's pre-established communication plan using out-of-band communication, such as personal phones or pre-arranged external channels, to avoid tipping off the attackers if they’re monitoring your network.
    ◦ Notify key internal parties, such as executive management, legal counsel and security teams.
    ◦ Notify your cyber insurance carrier; they often provide access to specialized legal and forensic resources.
  • Identify the threat. Determine the scope of the attack — which systems, applications and data were impacted, and whether data theft also occurred.
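An added example of the scope-assessment step (written for this page, not code from the article or from Recorded Future): a Python triage over constructed file-server audit events that groups ransomware indicators per host and orders hosts by first sighting, so the response team knows which systems to isolate first, whether a backup host was touched, and where the intrusion most likely began. The `.locked` extension, the `HOW_TO_RESTORE.txt` note name and the `bkp-` host prefix are assumed placeholders; real families and environments use their own.

```python
from collections import defaultdict
from datetime import datetime

# Constructed file-server audit events (timestamp, host, action, path); not real data.
SAMPLE_EVENTS = [
    ("2026-02-09T08:01:10", "ws-finance-07", "RENAME", "Q4_report.xlsx -> Q4_report.xlsx.locked"),
    ("2026-02-09T08:01:11", "ws-finance-07", "RENAME", "budget.docx -> budget.docx.locked"),
    ("2026-02-09T08:01:12", "ws-finance-07", "RENAME", "payroll.csv -> payroll.csv.locked"),
    ("2026-02-09T08:01:15", "ws-finance-07", "CREATE", "HOW_TO_RESTORE.txt"),
    ("2026-02-09T08:02:00", "ws-hr-03",      "RENAME", "draft.txt -> draft_old.txt"),
    ("2026-02-09T08:02:30", "ws-hr-03",      "WRITE",  "onboarding.docx"),
    ("2026-02-09T08:03:40", "srv-files-01",  "RENAME", "shared/contracts.pdf -> shared/contracts.pdf.locked"),
    ("2026-02-09T08:03:41", "srv-files-01",  "RENAME", "shared/plans.dwg -> shared/plans.dwg.locked"),
    ("2026-02-09T08:03:42", "srv-files-01",  "RENAME", "shared/orders.xlsx -> shared/orders.xlsx.locked"),
    ("2026-02-09T08:03:50", "srv-files-01",  "CREATE", "shared/HOW_TO_RESTORE.txt"),
    ("2026-02-09T08:05:02", "bkp-nas-02",    "RENAME", "snap/db.bak -> snap/db.bak.locked"),
    ("2026-02-09T08:05:09", "bkp-nas-02",    "CREATE", "snap/HOW_TO_RESTORE.txt"),
]

# Placeholder indicators (assumed); real families use their own extensions and note names.
SUSPICIOUS_EXT = ".locked"
RANSOM_NOTE = "HOW_TO_RESTORE.txt"
BACKUP_PREFIX = "bkp-"   # assumed naming convention for backup hosts

def triage(events, rename_threshold=3):
    """Group suspicious events per host and order affected hosts by first sighting."""
    per_host = defaultdict(lambda: {"renames": 0, "note": False, "first": None})
    for ts, host, action, path in events:
        renamed = action == "RENAME" and path.endswith(SUSPICIOUS_EXT)
        note = action == "CREATE" and path.endswith(RANSOM_NOTE)
        if not (renamed or note):
            continue                      # ordinary activity, ignore
        h = per_host[host]
        h["renames"] += renamed           # True counts as 1
        h["note"] |= note
        t = datetime.fromisoformat(ts)
        if h["first"] is None or t < h["first"]:
            h["first"] = t
    # A host is in scope if it dropped a ransom note or shows a burst of mass renames.
    affected = [h for h, d in per_host.items()
                if d["note"] or d["renames"] >= rename_threshold]
    affected.sort(key=lambda h: per_host[h]["first"])
    return {
        "isolate": affected,                                 # disconnect these first
        "earliest_host": affected[0] if affected else None,  # where it most likely began
        "backup_hosts_touched": [h for h in affected if h.startswith(BACKUP_PREFIX)],
        "first_seen": {h: per_host[h]["first"].isoformat() for h in affected},
    }
```

A single ordinary rename (ws-hr-03) stays out of scope, while a backup host with only two renames is still flagged because it received a ransom note.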


Next Steps

After containing the problem and assessing the damage, more actions are needed to help mitigate the situation.

  • Contact incident-response experts. If you don’t have an in-house incident response team, contact firms that can help, such as digital forensics and incident response (DFIR) firms, managed detection and response (MDR) providers, or ransomware-negotiation specialists (if not provided by your cyber insurance carrier).
  • Preserve evidence. To support forensics, insurance claims and potential legal requirements, preserve evidence such as logs, backups, snapshots and network traffic. Don’t overwrite system images or begin reinstallation.
  • Evaluate ransom demands. Do not engage directly with attackers. Coordinate with legal professionals and cyber insurance carriers. They’ll help assess whether payment is legal, the likelihood of getting a working decryption key, risks if data is exfiltrated, and the impact on business continuity.
  • Begin eradication and recovery. Once the environment is secure, remove malware and persistence mechanisms, reset credentials and revoke tokens, patch exploited vulnerabilities, restore systems from backups, and take other actions recommended by the IT team and cybersecurity experts.
  • Notify affected parties. Depending on data affected and jurisdiction, you might need to notify customers, employees, regulators, partners, suppliers and law enforcement — including the FBI and Cybersecurity and Infrastructure Security Agency (CISA). Legal counsel guides this.
  • Conduct a post-incident review. Analyze what happened so you can improve cybersecurity measures, including root cause, gaps in detection, how the attacker moved and which defenses failed.

Who Is Doing This?

“People think extortion sites are simply reserved just for ransomware groups, but that’s not true,” says the Intelligence Analyst. “You have groups that just do extortion but don’t do ransomware, and ransomware groups that also will do extortion. And then some of the threat actors are just selling data.”

He adds that many attacks come from Russia or Asian nations where there are no extradition treaties with the United States, so it’s almost impossible to capture them. “You can name and shame these people, but you’re not going to be able to arrest them. Some of the attackers are behind the Russian ‘wall’ and under the protection, to a certain extent, of the Russian government.”

He says sometimes attackers are disgruntled about not being paid promptly or in full, so they leak their source code that other criminals can modify to create new forms of ransomware, called “variants” of the original code. “We see over 20 new variants in a 30-day period,” he says.

Recorded Future produces reports and guides explaining what’s happening in the cybersecurity world and ways to deal with it. 

Coordinate with Experts

The measures reviewed here are general guidelines providing an overview of actions to take if a ransomware attack happens. Leaders should coordinate with vendors, cybersecurity platform suppliers, legal counsel and other key stakeholders.

A ransomware attack is frightening because it simultaneously attacks an organization’s bank account, operational stability and public credibility. Fortifying security measures is the first step in helping to prevent a breach.

This piece was created with the help of generative AI tools and edited by our content team for clarity and accuracy.

About the Author

Theresa Houck

Contributor

Theresa Houck is an award-winning B2B journalist with more than 35 years of experience covering industrial markets, strategy, policy, and economic trends. As Senior Editor at EndeavorB2B, she writes about IT, OT, AI, manufacturing, industrial automation, cybersecurity, energy, data centers, healthcare, and more. In her previous role, she served for 20 years as Executive Editor of The Journal From Rockwell Automation magazine, leading editorial strategy, content development, and multimedia production including videos, webinars, eBooks, newsletters, and the award-winning podcast “Automation Chat.” She also collaborated with teams on social media strategy, sales initiatives, and new product development.

Before joining EndeavorB2B, she was an Industry Analyst at Wolters Kluwer in its human resources book publishing operation. Before that, she spent 14 years with the Fabricators & Manufacturers Association, Intl., serving as Executive Editor of four magazines in the sheet metal forming and fabricating sector, where she managed and executed editorial strategy, budgets, marketing, book publishing, and circulation operations, and negotiated vendor contracts.

Houck holds a Master of Arts in Communications from the University of Illinois Springfield and a Bachelor of Arts in English from Western Illinois University.
