Ransomware Response Plan – Crucial for Every Organization

It is crucial to decide beforehand what the organization would do if it has contractual agreements to deliver vendor or client data, but it cannot do so because that data is encrypted. Some additional force majeure type clauses may have to be inserted in all the contracts if possible stating that if the organization is under Ransomware attack and the data is still encrypted; it will not be able to provide it.

This scenario has to be looked at from the legal point of view and also should be compliant with the company incorporation rules and laws. All contracts should be modified appropriately after consulting with the organization’s lawyer, and an external law firm. This process should be part of the RRP.

Cost of downtime, value of data, future financial impact

The cost of downtime, the value of data and future financial impact due to degradation of organization’s reputation should be calculated by the RTC. The cost of downtime and the value of data also depends on if some or all critical assets became encrypted/inaccessible.

How many employees are affected?

What is the average employee’s earning (per hour)?

What are the average overhead costs of affected employees?

How much revenue loss would the organization suffer every hour if employees do not work since they cannot access their data?

Calculations such as Single-Loss Expectancy (SLE) can be used to determine the damage done to organization’s profits.

Estimation of the value of data itself is possible from the black market rate, for credit cards, it is $1 per record, and for healthcare, just a portion of PHI is $50 per record.

The future financial impact is dependent on the organization’s image and reputation in the market, client goodwill, and brand value. If these are affected, there could be a drop in the number of customers and transactions in the future.

Additional costs could include fines and penalties for violating confidentiality and privacy agreements by having possible disclosure of sensitive information during Ransomware attack. HIPAA-covered entities may be subject to steep penalties for violating regulations and wrongful disclosure of PHI.

The RRP should have a worksheet/model/simulation with formulas/algorithms for calculating the cost of downtime, the value of data and the future financial impact. It estimates these costs in dollar per hours or days by plugging in the amount/type of data, and the number of employees and the departments affected. This worksheet gives the total financial impact (TFI) to the organization.

Evaluate data restore from backup

RTC should also evaluate restoring from backup and submit a report to the RRC in a pre-defined time. For this purpose, the backup should be analyzed to determine its current state:

  1. When was the backup taken last?
  2. Is everything backed up, including user/directory information, machine state information, and other required data?
  3. How often are backups done? Every day? Every hour? Every week?
  4. Was there a monthly or quarterly testing schedule for backup/restore?
  5. Has testing been done on recovering from backup in different scenarios to see how long it takes and make sure it works reliably?
  6. Have reports of the last restore test analyzed for success/failure rates.
  7. Is there a 3-2-1 backup strategy that requires three copies of the data in two different locations, one of them at an offsite location?
  8. Was there a mechanism to ensure that some of the backups were offline to reduce the risk of these getting encrypted as well by Ransomware? New variants encrypt unmapped shares as well. Does the backup system use proprietary format on the media that is not assessable by Ransomware?
  9. Is all the data on a SAN/NAS and does it have recovery option?
  10. Is Cloud backup used and does it have recovery option?

All these should be part of RRP.

Restore from backup

After the current state of the backup is known, the RRC should immediately meet and decide to restore data from backup considering the time required to do this. The RRM should make the final decision. If data is restorable from the backup completely and the time to restore is reasonable, then it should be done. The maximum duration to make this decision should be in the RRP.

Pre-allocation of funds for payment of ransom

Getting approvals and authorization for ransom payment may take considerable time depending on the authority required and payment approval process. It is recommended that organizations pre-approve and keep few thousands of dollars in a separate account for ransom payment only.

Buying digital currency in advance

The Ransom has to be paid using digital currency like Bitcoins. An organization can set up its Bitcoin account, or it could use a third-party service. Setting up a Bitcoin or other digital currency account, transferring funds to it and making payment to the attacker can be time-consuming and can take up to a week. Can use a Bitcoin ATM if available but it only accepts cash.

Some companies have already purchased Bitcoins to use in case of a ransomware attack. In the UK thirty-three percent of the companies have a ready stockpile of digital currency. All over the world, seven percent of organizations keep bitcoins in hand.

However, buying and holding bitcoins is also a risk, some Bitcoin exchanges have got hacked, and establishments have lost thousands of dollars.

Some hackers ask you to pay a certain number of dollars in equivalent digital currency. However, Bitcoins fluctuate a lot so you may want to buy additional bitcoins if their price goes down.

The decision to purchase digital currency in advance has to be decided by the RRC and specified in RRP.

Test decryption keys

The RTC should also test decryption of data by paying ransom for one system only and making sure that the decryption key provided works. Also, evaluate the decryption time.

The lead of the RTC should have access to emergency funds and the authority to buy the Bitcoins or other digital currency to get the decryption key for this system only. It would be better to pre-purchase a few bitcoins.

This process also checks if the hackers are sincere, and the keys that they will provide for decryption of the other systems will be legitimate. However, it has happened that the hackers have refused to give the keys on payment of a small amount.

Some hackers are sophisticated enough to offer customer support if required.

The RTC should submit a report to the RRC giving details of the decryption process and the time needed to decrypt a portion of the data.

This SOP should be part of the RRP.

Make the decision; restore or pay ransom

The TFI and the total ransom payable is compared bearing in mind that there could be a reduction in the ransom as much as one-tenth of the original amount after negotiation. Compare the data restoration time with the time required to decrypt all the data. This process can help in making a choice to restore from backup or pay the ransom and decrypt the data. The RRC should meet and decide; RRM should make the final decision. This procedure should be part of the RRP.

Restore from backup

If RRM decides to restore the data from the backup:

  1. The RRP should have all the SOPs to do this process. The recovery is executed in phases unless the backup system is very sophisticated that restores all the data in one go quickly. If done in segments, essential data and directory information required for operation of the system followed by Emergency Room (ER) data of a hospital, for example, could be restored then data of other departments.
  2. RTC should meet and finalize the restoration from backup as a project specifying timelines, completion time, also allocate appropriate resources which would do this project.
  3. Work on data restoration project should start as soon as possible and get completed within the specified time.
  4. There should be a monitoring mechanism to report the status at predefined intervals to the RTC and the RRC, also to the top management.

This process should be part of the RRP.

Pay ransom and get decryption keys

Paying the ransom to retrieve files should be the last resort for anyone. It is important to note at least that by paying a hacker, an organization reinforces the profitability of ransomware to cyber criminals. As more organizations affected by ransomware pay to receive their decryption key, more individuals will distribute ransomware to get easy ransom money.

However, Ransomware has become so sophisticated that FBI advises people to pay the ransom. Only fifty percent of hospitals polled by Healthcare IT News and HIMSS Analytics said that they would not pay the ransom. Sixty-four percent of end users in the US who got ransomware paid the ransom.

Even if the organization does not have any non-encrypted backups of the data, double-check the following options before proceeding further:

  1. Is there any way you can recreate the encrypted data?
  2. Do you have an older version of the data that can be updated quickly?
  3. Does non-encrypted data exist somewhere else, such as on a system at another location or in your DR site?

If RRM decides to pay the ransom and get the decryption keys, the RRP should have all details:

  1. Who is going to negotiate the final price for all the keys? Someone from purchase department who has excellent negotiation skills could be nominated.
  2. Will the keys to all the data be obtained by paying total ransom or for each system one by one? Buying for each system ensures that each key is verified and decrypts the data. If the key does not work, there won’t be a significant loss, but the total payment may be higher as compared to when paying to get the keys for all the data. However, the risks are greater in the latter if keys do not work and nothing can be done to recover the amount already paid for non-working keys. Some hackers may only agree to give the keys on full payment. Another risk is that particular type of ransomware gets shut down by authorities, in this case, it is impossible to get the keys.
  3. Does the organization already have sufficient Bitcoins or other required digital currency?
  4. If not, funds are pre-allocated and available?
  5. If not, who in Finance will authorize the purchase and how long will it take?
  6. If Bitcoins have not been pre-purchased, who will buy them and from where?
  7. Who is going to lead the decryption as a project from the RTC?
  8. RTC should meet and finalize this decryption as a project specifying timelines, completion time, also allocate appropriate resources which would do this project.
  9. Work on decryption project should start as soon as possible and get completed within the completion time.
  10. There should be a monitoring mechanism to report the status at predefined intervals to the RTC and the RRC, also to the top management.

This process should be part of the RRP.

Ransomware attack post-incident review

The RRC/RTC should do a post-attack analysis sharing the report with management and relevant stakeholders:

  1. How well did RRC, RTC, IT department, incident response team, other staff, and management perform in dealing with the incident?
  2. Were the documented procedures followed? Were they adequate?
  3. If the data got restored from backup, did it complete within the estimated time?
  4. Were there any files that did not restore from backup due to any reason?
  5. If the ransom got paid and the data got decrypted, was the decryption done within the estimated time?
  6. Did all the decryption keys work and were able to decrypt the data?
  7. Were there any files that did not decrypt for any reason?
  8. Was there any information that was not available?
  9. Were any steps or actions taken that might have delayed the recovery?
  10. Could any unforeseen events be prevented?
  11. What would the RRC, RTC, IT, other staff, and management do differently the next time a Ransomware attack occurs?
  12. How could information sharing with other organizations be improved?
  13. How can corrective actions prevent similar attacks in the future?
  14. What indicators should be monitored in the future to detect attacks?
  15. Should other new cybersecurity products/services be deployed to prevent Ransomware attacks?
  16. What lessons were learned?
  17. How can these results improve the procedures further?
  18. All critical discussions and decisions conducted were recorded during the recovery?


Ransomware is the fastest growing malware threat, in 2016 the total losses estimated were US$1 billion by the FBI. Disruptions due to Ransomware are enormous; more than fifty percent of the organizations became the victim of a ransomware attack and more than forty percent mark ransom as the greatest cyber threat facing their organization all over the world. Every organization should thus have prepared a Ransomware Response Plan (RRP), so it recovers quickly after a Ransomware attack.

Netspective Opsfolio helps identify ransomware prone systems in your network so that you can apply the necessary patches and upgrade your system so that your systems are not taken hostage through ransomware.

Share this article

Adil started his career as a techie engineer, and after so many years he is still one of the finest techies. He has a solid technical background which he keeps updated by researching and reading; this is his passion. Adil implemented numerous complex projects, web conferencing, e-learning, remote access, Internet gateway, cybersecurity, enterprise search, helpdesk, surveillance, monitoring, and management systems. Also managed deployment of patient care, teleradiology, CR, PACX, radiotherapy, ERP, asset management and data warehousing/data analytics. His experience includes more than 30 years of hands-on knowledge of operating systems, networking, connectivity, internet engineering, cybersecurity, and infrastructure. Adil holds Computer Engineering degrees from one of the top institutions of the world, the University of Southern California.