How to respond to ransomware threats

It all depends upon your level of risk and how badly you want the data returned to you unharmed.


Don't jump

Ransomware is obviously analogous to kidnapping, and dealing with the perpetrators can feel much like negotiating with a jumper standing on the edge of a high-rise roof. The Institute for Critical Infrastructure Technology recently released a report that in part describes how to deal with criminals when they are holding your data hostage. The report talks of what to do once a breach has been found.

ICIT says the proper response will depend on the risk tolerance of the organization, the potential impact of the hostage data, the impact on business continuity, whether a redundant system is available, and regulatory requirements.


Option 1: Engage the incident response

The information security team should have planned out a procedure to follow in the event of a ransomware attack. They should begin by notifying the authorities and applicable regulatory bodies. The plan identifies the organization’s recovery time objective (RTO), and recovery point objective (RPO) for data breaches. In the event that a backup exists, then cyber-forensic evidence of the incident should be preserved and documented for/by law enforcement.

In the event that there are no redundancy systems or if the secondary systems are compromised, then the information security team can find and implement a vendor solution or decryption tool.
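The evidence-preservation step above is easy to skip under pressure. The following is an added example (not from the ICIT report): it builds a read-only manifest of the affected files, recording SHA-256, size and modification time, and flags files whose byte entropy is close to 8 bits per byte so the scope of the encryption is documented before any restore overwrites it. The 7.5-bit threshold and the JSON layout are assumptions.

```python
"""Evidence manifest for a ransomware incident (added example, not ICIT's own tooling)."""
import hashlib
import json
import math
import os
import time
from collections import Counter

# Assumption: files with entropy at or above this many bits/byte are flagged as likely encrypted.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 1 << 16  # entropy is measured on the first 64 KiB only, the hash covers the whole file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess(data: bytes) -> dict:
    """Hash and entropy-score one file's bytes (kept separate from I/O so it can be tested offline)."""
    entropy = shannon_entropy(data[:SAMPLE_BYTES])
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "entropy_bits_per_byte": round(entropy, 3),
        "likely_encrypted": len(data) > 0 and entropy >= ENTROPY_THRESHOLD,
    }


def describe_file(path: str) -> dict:
    """Read one file (never write to it) and attach its path and mtime to the assessment."""
    with open(path, "rb") as fh:
        record = assess(fh.read())
    st = os.stat(path)
    record["path"] = path
    record["mtime_utc"] = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime))
    return record


def build_manifest(root: str) -> dict:
    """Manifest for every regular file under root plus a count of files flagged as encrypted."""
    files = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                files.append(describe_file(full))
    flagged = sum(1 for f in files if f["likely_encrypted"])
    collected = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return {"root": root, "collected_utc": collected, "likely_encrypted_count": flagged, "files": files}


def write_manifest(root: str, out_path: str) -> int:
    """Write the manifest as JSON and return the number of files recorded."""
    manifest = build_manifest(root)
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return len(manifest["files"])
```

Run `write_manifest` against a copy of the affected share, and hash the resulting JSON file itself so the manifest can be shown to be unaltered when handed to law enforcement.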


Option 2: Try to implement a solution without an information security team

In many cases, files may be partially corrupted or incompletely decrypted. Even if a vendor solution is a simple executable, the victim may not be able to verify that their system is not still compromised by inactive ransomware, backdoors, or other malware. The initial infection occurred as the result of a human error (clicking on a malicious email) or a pre-existing infection. Without training and awareness or more comprehensive system management, there is a reasonable likelihood that the system will be compromised again.


Option 3: Attempt to recover the data

System backup and recovery are the only certain solution to ransomware. If you have a backup system, then recovery is a simple matter of restoring the system to a save point. Otherwise, you could attempt to recover data through shadow copies or through a file recovery software tool; however, many ransomware variants delete shadow copies and some even detect file recovery software. Since many variants infect the registry, system restore from a save point may not be possible even if the recovery point remains unaffected.


Option 4: Do nothing

In lieu of an information security team or vendor solution, options are limited to paying the ransom or accepting the loss of the system or data. If the system is backed up, and the backup remains reliable, then the victim can ignore the ransom demand and restore the system according to the backup. If there is no backup, but the ransom outweighs the cost of the system, then the victim may have to purchase a new device and dispose of the infected system with extreme prejudice.



Option 5: Pay the ransom

If the culprit actually provides the decryption key, then paying the ransom may alleviate the immediate pressure on the organization. Some attackers may release the system after receiving payment because doing otherwise would reduce the likelihood that other victims will pay. If paying the ransom is legitimately being debated, then perform a quick Internet search on the type of ransomware holding your system. Reports of whether the criminals behind that ransomware actually release data after receiving payment are likely to show up online.

Some attackers recognize this dichotomy of trust. They recognize that if files are never unlocked then no victim will ever pay a ransom. As a result, variants such as CTBLocker (Trojan.Cryptolocker.G) have an option to decrypt a few random files as a gesture of good faith. If you pay the ransom once, then the threat actor’s logical response after releasing the system would be to strengthen their foothold in hopes that you will pay the ransom again.


Option 6: A hybrid solution

If the ransom is low, say $300 for a multimillion-dollar organization, then it might make sense to adopt a hybrid approach. This could include simultaneous efforts to pay the ransom, to triage the system, and to attempt to restore from a backup server.

Organizations must weigh whether system downtime is more damaging than the consequences of paying the ransom. A hybrid approach ensures that the system will be operational in some amount of time, no matter what. To minimize the expended resources and the impact to the organization, hybrid solutions should only be attempted by a trained and prepared information security team.



A vigilant, cybersecurity-centric corporate culture that cultivates an environment of awareness is the most effective means to minimize the risk of an attack. The enlistment of an information security team whose sole purpose is proactive corporate infosec management is the first step in a companywide security strategy. The InfoSec team’s activity should cover: an immediate companywide vulnerability analysis, a crisis management strategy that takes into consideration all known threats, continuous device and application patching, auditing of third-party vendors and agreements, organizational penetration testing and security-centric technological upgrades.