Organizations invest in technology because it improves efficiency, communications, data storage, and business growth opportunities. With increased use of technology comes an increased attack exposure from threat actors, so it is important to evaluate and manage cyber risk related to new and existing technologies.

In recent years, many organizations have faced an increased risk of a specific type of destructive malware called "ransomware." Having a plan in place to prevent, detect, and respond to ransomware is a key part of your incident management program and the security of your organization.

What is Ransomware?

According to CISA Security Tip 19-001, ransomware is a "type of malware threat actors use to infect computers and encrypt computer files until a ransom is paid." When this occurs, it can disrupt operations and even destroy the organization's systems and data.

Why is Ransomware Effective?

There are multiple reasons for the effectiveness of ransomware.

  • It is ever evolving. From early, widely reported forms (e.g., CryptoLocker in 2013) to more recent variants (e.g., DarkSide in 2021), malicious actors keep updating their tooling, speeding up encryption, and finding new vulnerabilities to exploit for initial access.

  • It exploits human nature. Unlike many other forms of malicious activity, ransomware does not depend on advanced technical exploits; it can be introduced into your environment through something as simple as a phishing email with a malicious attachment or link.

  • Organizations are unprepared. Many organizations have not taken the necessary precautions to safeguard their teams, systems, or data for this type of attack, allowing ransomware to infect and rapidly spread.

  • It is hard to remove. Lightning may never strike the same place twice, but ransomware certainly can. If the root vulnerability is not addressed, or if the malicious code is not fully removed from systems, it can recur, causing even more damage.

  • It is a proven business model. Since many organizations are unprepared, paying the ransom can seem like the only option. Unfortunately, it has turned this criminal activity into a nefarious industry which makes hundreds of millions of dollars each year.

While these are some common reasons behind the effectiveness of this type of malware, it is certainly not an exhaustive list. As long as ransomware continues to be effective, malicious actors will continue using it to exploit unprepared organizations.

So, let's get prepared.

Reducing the Risk of Ransomware

The organizations most severely affected by ransomware are the ones least equipped to handle it. Reducing the risk of any information security threat comes down to one question: what can you do to reduce the likelihood of the threat and limit the damage if it occurs?

As with any type of malware, two of the primary keys you will need to reduce the risk of ransomware include:

  • User Awareness and Education: Ransomware is often introduced into an organization's environment by an employee action, such as opening a phishing attachment or following a malicious link. Regular and relevant security awareness, phishing, and incident management training teaches employees how to recognize, avoid, and report all kinds of malware.

  • Data Backups: When ransomware infects your network, four options are available.

    1. Shut down the business. (Very unfortunate.)
    2. Pay the ransom and cross your fingers. (Not ideal, but used by some unprepared victims.)
    3. Wipe the infected systems clean and start from scratch. (Better, but costly and painful.)
    4. Wipe the infected systems clean and start from a recent data backup following well thought-out and documented restoration procedures. (Do this one.)

To achieve option 4, a recent backup taken before the infection must exist, and it must be stored offline (air-gapped) or otherwise unreachable from the systems ransomware can touch; backups that remain mounted or network-accessible at the time of infection are routinely encrypted along with everything else. Restores should also be tested beforehand, against a documented procedure, so you know the necessary data can actually be recovered and how long a restore takes.
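"Tested beforehand" means more than confirming the backup job ran. The script below is an added example (not Tandem's code or any vendor tool): it records a SHA-256 manifest of the data at backup time, then checks a test restore against that manifest, reporting files that are missing, altered, or unexpected. The scenario data it builds in a temporary directory is constructed for the demo, and the file names and the JSON manifest format are assumptions of this example.

```python
"""Backup integrity manifest and restore verification (added example).

At backup time, record a SHA-256 digest for every file. Before relying on the
backup during ransomware recovery, verify a test restore against the manifest:
any file that is missing or whose hash changed (for instance because the backup
copy was itself encrypted) is reported instead of silently restored.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest captured at backup time.

    Returns lists of missing, modified and unexpected files (all sorted);
    empty lists mean the restore test passed.
    """
    report = {"missing": [], "modified": [], "unexpected": []}
    seen = set()
    for p in restored_root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(restored_root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)          # e.g. a dropped ransom note
        elif sha256_file(p) != manifest[rel]:
            report["modified"].append(rel)            # e.g. an encrypted copy
    report["missing"] = sorted(set(manifest) - seen)
    report["modified"].sort()
    report["unexpected"].sort()
    return report


def restore_ok(report: dict) -> bool:
    return not any(report.values())


def demo() -> dict:
    """Constructed scenario (assumption for this example): back up two files,
    then run a clean restore test and a tampered one in which one file was
    overwritten with ciphertext-like bytes, one is missing and a ransom note
    appeared. Returns both reports."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        src = tmp / "data"
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly notes\n")
        manifest = build_manifest(src)
        (tmp / "manifest.json").write_text(json.dumps(manifest, indent=2))

        clean = verify_restore(src, manifest)  # restoring intact data passes

        restored = tmp / "restore_test"
        restored.mkdir()
        (restored / "ledger.csv").write_bytes(os.urandom(64))   # tampered copy
        (restored / "README.ransom").write_text("pay us")        # unexpected file
        # notes.txt deliberately not restored, so it is reported as missing
        tampered = verify_restore(restored, manifest)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    reports = demo()
    for name, rep in reports.items():
        status = "passed" if restore_ok(rep) else "FAILED"
        print(f"{name} restore test {status}: {json.dumps(rep)}")
```

In practice the manifest is written to the same offline media as the backup and also kept somewhere the attacker cannot modify it; a manifest stored on the share that was encrypted is worthless. Restore tests belong on a schedule, not only after an incident.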

While the previous two controls are going to have a significant impact on reducing the likelihood and potential impact of a ransomware attack, some additional controls to consider include:

  • Patch Management: Address vulnerabilities which could be exploited by ransomware.
  • Web and Email Filtering: Prevent malicious websites and files from inadvertently making it to employee web browsers or email inboxes.
  • Access Control: Implement the principle of least privilege by only granting employees the access necessary to do their job.
  • Network Segmentation: If the worst should happen, confine the malicious code to a certain segment of the network to make it difficult for the ransomware to spread.
  • Anti-Malware: Use anti-malware solutions to detect and prevent unauthorized encryption, when possible.

For additional security recommendations designed to reduce the risk of ransomware, check out:

Managing Ransomware

In spite of our best efforts, sometimes phishing emails get through the filters, employees click links they shouldn't, and ransomware gets onto our systems. To truly manage the effects of ransomware, a robust Incident Response Plan is a must.

The NIST Computer Security Incident Handling Guide (SP 800-61) describes an incident response life cycle of preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. Breaking those phases out into the steps a ransomware responder actually performs gives the following six-stage process.

  • Detection: The detection stage is when you find out about the ransomware. Whether notice came from a system, an employee, or a message popped up on your screen demanding payment to decrypt your files, the organization's first steps should be to identify the lead incident handler and document as much information as you know about the incident.

  • Analysis: The analysis stage is when you do what you can to identify the scope, origins, and occurrence patterns of the ransomware. In other words, how bad is it, where did it come from, and how fast is it spreading? Determine which files and hosts were encrypted, when the encryption started, and whether a working decryptor for that variant is publicly available.

  • Containment: The containment stage is all about stopping the ransomware in its tracks. Key elements of a ransomware containment strategy likely include isolating compromised systems (disconnecting them from the network rather than powering them off, where possible, so volatile evidence is preserved), locking down or disconnecting backups before the ransomware reaches them, resetting passwords, and killing or disabling known malicious processes.

  • Eradication: The eradication stage is when you remove all traces of the ransomware. Exercise great caution, as any residuals could reinfect systems. As part of eradication, you should not only focus on removing the malware, but also blocking known malicious domains and IP addresses to reduce the likelihood of the attack happening again.

  • Recovery: The recovery stage is when you return systems to normal operation. Reset passwords again (credentials harvested before containment may still be valid), mitigate all exploited vulnerabilities, and restore affected systems, preferably from a secure backup that was verified before the incident.

  • Postmortem: The postmortem stage is when you document lessons learned from the incident response process and use the information to update your plan. As part of this conversation, you would want to determine if your backup strategies were effective and what you can do to prevent future recurrences. If information about the ransomware variant is limited publicly, consider sharing information about the attack with information sharing agencies (e.g., CISA, ISACs, etc.).
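The "detect unauthorized encryption" control above and the Detection and Analysis stages here rest on the same signal: a host suddenly rewriting many files whose new contents look like ciphertext. The script below is an added example, not Tandem's code or a product feature, showing that logic run over file-write audit records. The record format, the entropy and burst thresholds, and the host names and file paths are assumptions of this example, and the events are constructed, not real telemetry. It generalizes the analysis beyond a single host: it produces, per host, which files were hit, when, how many were renamed to a new extension, and the order in which hosts were affected, which is the scope and spread information the analysis stage needs.

```python
"""Detecting and scoping mass encryption from file-write events (added example).

Two signals are combined: the written content looks like ciphertext (high Shannon
entropy, no known file header) and the same host is producing many such writes
per minute, often renaming files to an unfamiliar extension. A handful of
high-entropy writes (a user running a legitimate encryption tool, nightly zip
archives) must not trip the alarm.
"""
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Tunable thresholds; these are assumptions for the example, not vendor defaults.
ENTROPY_THRESHOLD = 7.2   # bits per byte; encrypted or random data approaches 8.0
BURST_FILES = 20          # this many ciphertext-like writes on one host ...
BURST_SECONDS = 60        # ... within this window marks the host as encrypting
KNOWN_MAGIC = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff")  # legit high-entropy formats


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(sample: bytes) -> bool:
    """Ciphertext-like: high entropy and not a known compressed/media container."""
    return not sample.startswith(KNOWN_MAGIC) and shannon_entropy(sample) >= ENTROPY_THRESHOLD


def analyze(events: list) -> dict:
    """Flag hosts with a burst of ciphertext-like writes and summarize scope.

    Each event is {"ts": datetime, "host": str, "path": str, "sample": bytes,
    "renamed_from": str | None}. Returns per-host findings (first seen, files,
    how many were renamed to a new extension, dominant extension) and the order
    in which hosts were hit, which shows how fast it spread across the network.
    """
    by_host = defaultdict(list)
    for e in events:
        if looks_encrypted(e["sample"]):
            by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding window over write timestamps
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > BURST_SECONDS:
                start += 1
            if end - start + 1 >= BURST_FILES:
                break
        else:
            continue  # no burst on this host: a few encrypted writes is normal
        renamed = sum(
            1 for e in evs
            if e.get("renamed_from")
            and PurePosixPath(e["renamed_from"]).suffix != PurePosixPath(e["path"]).suffix
        )
        findings[host] = {
            "first_seen": evs[0]["ts"],
            "files": [e["path"] for e in evs],
            "renamed_to_new_extension": renamed,
            "top_extension": Counter(PurePosixPath(e["path"]).suffix for e in evs).most_common(1)[0][0],
        }
    order = sorted(findings, key=lambda h: findings[h]["first_seen"])
    return {"hosts": findings, "spread_order": order}


def _pseudo_ciphertext(seed: int, size: int = 1024) -> bytes:
    """Deterministic stand-in for encrypted file content (SHA-256 output stream)."""
    out = b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(size // 32 + 1))
    return out[:size]


def build_sample_events() -> list:
    """Constructed audit records for the demo; not real telemetry."""
    t0 = datetime(2021, 5, 7, 9, 0, 0)
    text = (b"Quarterly planning notes for the finance team. " * 40)[:1024]
    events = []
    # fs01: 25 documents rewritten as .locked within 25 seconds; ws17 follows three minutes later.
    for offset, host in ((0, "fs01"), (180, "ws17")):
        for n in range(25):
            events.append({"ts": t0 + timedelta(seconds=offset + n), "host": host,
                           "path": f"/share/doc{n}.docx.locked", "renamed_from": f"/share/doc{n}.docx",
                           "sample": _pseudo_ciphertext(seed=offset * 100 + n)})
    # fs01 also writes ordinary text (low entropy), which is ignored.
    events.append({"ts": t0, "host": "fs01", "path": "/share/minutes.txt",
                   "renamed_from": None, "sample": text})
    # db02: nightly zip archives are high-entropy but carry a known header, so they are ignored.
    for n in range(30):
        events.append({"ts": t0 + timedelta(seconds=n), "host": "db02", "path": f"/backup/dump{n}.zip",
                       "renamed_from": None, "sample": b"PK\x03\x04" + _pseudo_ciphertext(seed=500 + n)})
    # ws03: a user encrypting five files with a legitimate tool over ten minutes; below the burst rate.
    for n in range(5):
        events.append({"ts": t0 + timedelta(minutes=2 * n), "host": "ws03", "path": f"/home/u/file{n}.gpg",
                       "renamed_from": None, "sample": _pseudo_ciphertext(seed=900 + n)})
    return events


if __name__ == "__main__":
    result = analyze(build_sample_events())
    for host in result["spread_order"]:
        f = result["hosts"][host]
        print(f"{host}: first seen {f['first_seen']:%H:%M:%S}, {len(f['files'])} files, "
              f"{f['renamed_to_new_extension']} renamed, extension {f['top_extension']}")
```

The entropy check alone produces false positives on archives, media and already-encrypted data, which is why the burst rate and the rename pattern are required as well; tune the thresholds against a baseline of your own file servers before alerting on them. The same function, fed the full audit log after the fact, gives the analysis stage its list of affected files and the host-by-host timeline.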

For an easy to follow and detailed list of steps in a PDF, download our Ransomware Incident Checklist.


An organization's security is only as strong as its weakest element, and ransomware is a threat that exploits vulnerabilities to their fullest extent. As such, having a plan for responding to ransomware is key to an organization's cyber resilience.

For more information about managing incidents, check out Tandem Incident Management. Featuring supplemental checklists (e.g., data breach, fraud, third party, etc.), a robust framework based on the NIST Computer Security Incident Handling Guide, and integration with other Tandem products, Tandem can help put your organization ahead of the curve for managing ransomware incidents.