
Ransomware incident response: Planning for the worst-case scenario

Glen Vickers, Senior Security Consultant
Apr 07, 2025

Ransomware is not just a minor irritant to UK businesses. According to the National Crime Agency, it’s “the most significant, serious and organised cybercrime threat faced by the UK.” And thanks to growing use of malicious AI tools, threat levels are expected to increase further still over the coming two years.

Moreover, although breaches of large enterprises and big-name brands tend to make the headlines, it is the mid-market that is most likely to be victimised. According to one study, the median size of a breached organisation was just 200 employees back in Q2. For some, such as one unlucky Kettering-based logistics firm, it can even be an existential threat.


But what happens when you’re caught in the crosshairs? In the previous part of this two-part blog series, we took a look at the emotional impact a ransomware attack can have on business leaders in the immediate aftermath of an incident. Now we’ll look at the proactive steps you can take to prevent, or at least minimise the impact of, a breach.

Start with prevention

There are three main threat vectors that ransomware actors turn to time and again: RDP compromise, email-borne phishing and exploitation of software vulnerabilities. To harden systems against such tactics, consider best practice cyber-hygiene such as:

  • Multi-factor authentication and strong, unique passwords (stored in a password manager) for all corporate accounts
  • Continuous risk-based patching programmes
  • Continuous user training and awareness programmes
  • Regular back-ups according to the best practice 3-2-1 strategy
  • Reputable anti-malware on all endpoints
  • Network detection and response (NDR) for alerts about suspicious behaviour
  • Blocking port 3389 to reduce RDP attack surface
  • Allowing RDP access only through a VPN, and limiting access to specific IP addresses

Prevention is always better (and cheaper) than cure, especially as there’s no guarantee that even a ransomware decryption key will work on all of your encrypted data. And once your adversaries have stolen that data, it’s more than likely that they will seek to monetise it, even if they tell you otherwise.

Enhancing incident response

However, in the event that they do manage to breach your organisation, a streamlined incident response process will go a long way to minimising the impact of an attack. In a best-case scenario, you’ll find the threat actors before they’ve had a chance to exfiltrate any data or encrypt key systems.

Forward planning is essential. A live breach is no time to start working out roles and responsibilities. Consider the following:

  • Put together a ransomware response team including key members from IT, HR, comms, legal and possibly other parts of the business. Ensure everyone has a clearly defined role.
  • Assign an incident response lead – someone who works well under pressure. They must be given authority to take critical decisions for the duration of an incident, overruling even the CEO and board.
  • Develop an incident response plan. Don’t make it too complex and detailed as you don’t know exactly what an incident will look like. Keep things simple and high level.
  • Ensure the plan is accessible even if IT systems are down.
  • Don’t worry about frequent training exercises as these will be of limited use.
  • Focus on clear and precise communication during an incident between team members, and between the IR team and the board, employees and customers.
  • Nominate an individual to be the external face of the organisation during a crisis.

Ransomware has a nasty habit of turning up when you least expect it. The latest research reveals that most attacks now occur between the hours of 1am and 5am local time, or at weekends, in an attempt to catch cybersecurity teams off guard. All the more reason to invest in a comprehensive incident response plan today, to avoid potential disaster tomorrow.

Key Takeaways:

  • Prevention is Key – Strong passwords, MFA, regular backups, and security training help prevent ransomware attacks.
  • Have a Clear Response Plan – A dedicated response team, incident lead, and accessible plan can minimise damage.
  • Attackers Strike Off-Hours – Most attacks occur at night or on weekends, so early detection is crucial.

Are you concerned about the potential impact of ransomware on your organisation? What would an attack and its aftermath look like in practice? Join us for a QuoStar webinar where our cybersecurity experts reveal all – helping you build a more resilient organisation.
