

What to Do in a Ransomware Attack – Tips from a Cyber Security Expert


May 31, 2022 | Posted in Crisis Communications, Business Continuity

Current events have likely caused many of us to think more than usual about cyber attacks. One of the most common types of attack is ransomware, where a hacker disables your systems and demands payment to release them or to provide the decryption key. A ransomware attack is one of the most common cyber crimes, and yet most companies are prepared for it only from a technical perspective.

Planning and prevention are key. We recently spoke with George Makaye, CEO and Chief Information Security Officer at InfoSec, and he outlined the typical lifecycle of an attack and how you can reduce the damage.

What is ransomware and why is it a big deal?

Ransomware is malicious software (malware) that locks access to data by encrypting it, forcing the company to pay the criminal to restore it. In some cases, a criminal will add a layer known as double extortion: in addition to encrypting the data, they also threaten to publish it. In an even worse scenario, called triple extortion, they use the stolen data as leverage to demand payment from the victim's clients, employees, and vendors as well.

So why is ransomware a big deal, especially for small to medium-sized companies? In the past these attacks were more of a nuisance, but recently they have become much more mechanized and sophisticated. Gangs or groups now work together on attacks; it has truly become a lucrative industry and causes far more damage. There are even ransomware-as-a-service providers, which allow criminals with little skill to carry out large or even multiple attacks, complete with a portal and attack tracking.

This means it is more a question of when, not if, your organization could be a target.

What happens during a ransomware attack?

There are four stages that define the life cycle of a ransomware attack. What the stages do not capture is the stress and the time involved. Having a plan and taking preventative measures are the best ways to get back online quickly and with the least damage possible.

1: Discovery 

    • You realize your network has been compromised. Usually this happens when someone cannot access email or other files, or the criminal contacts the victim directly demanding payment.
    • Typically the IT team begins gathering intel and troubleshooting the issues, which leads them to discover the type of breach.
    • This is the time to activate your Incident Response Plan. Having one ready will allow you to react with more speed. If you need to start or update your IRP, Makaye Infosec offers an excellent template.
      • A key aspect of a good plan is communication that consists of simple and consistent messages with accurate and timely information. You will want a detailed plan for employee and stakeholder communication at each stage of the recovery process. You will also need to determine who has to be contacted from a recovery standpoint (insurance, legal, etc.) and who will send those messages. Consider as well how this can be done if your systems are down (a mass notification platform that lives outside your network is a good way to accomplish this).
    • Next comes triage. How did the criminal get in, and what else can be secured? What did they get access to? What is the extent of the damage?
    • The most important thing is getting to the restoration stage. This is when you find out whether you have a viable backup. Ideally you will have one stored off the network, making it safe from the criminal.

2: Engage Insurance and Security Vendors

  • If you have an incident response plan in place, all of your vendor contact information will already be gathered and listed so you can begin right away. Use your mass notification platform to communicate with vendors, as this system sits outside your network and will not have been affected by the attack.
  • The cyber security vendor will begin security checks and forensics. Their main goal is to determine how the attack happened, what was accessed, and whether the criminals only viewed the data or actually modified it.
  • This can be a very stressful stage. Often some blame has to be assigned during the process. Keep in mind that while this is necessary, it is also an opportunity to identify weaknesses so they can be fixed.

3: Insurance Representatives Begin Negotiations

  • Your insurance carrier negotiates terms and payment with the criminal, which often includes pre-approving your payment.
  • Do not pay unless you have confirmed the criminals can actually restore the encrypted files. There is usually a sample they must decrypt and send back to prove the data can be recovered.

4: Restore and Prepare

  • Restoring and checking the data is obviously critical, but it is not the only step in this final stage.
  • Prepare for litigation and investigation, especially if the data involved clients or vendors. Plan to provide services (such as credit monitoring) to affected individuals.
  • Demonstrate that you have a plan to prevent this from happening again.

Prevention is key

Proper prevention is the key not only to recovering data quickly, but to getting your employees back to work, maintaining your reputation, and reducing the expense of an attack. Including these strategies as part of your overall plan will help you be as prepared as possible.

  • Maintain strong cyber hygiene practices. Criminals are looking for low-hanging fruit, so don't make yourself an appealing target. Implement strong backup policies, ensure you have reliable anti-malware and anti-spam solutions, and design a patch process that you follow regularly.
  • Create a strong backup strategy. Keep a good backup OFF of the network, keep multiple backups, and test them often.
  • Invest in training and build a culture of security. The majority of attacks start with social engineering: an employee accidentally clicks a link that launches the attack. Carry out phishing testing and training, and measure employees' results to make sure they stay aware.
  • Perform regular vulnerability tests. Scan networks, applications, and websites to look for weaknesses. As you find them, address them as quickly as possible.
  • Engage a cybersecurity expert or vendor. If you don't have someone internal dedicated to cyber security, find a professional who has the skills and knowledge to help you.
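The advice above to keep a backup off the network and "test them often" (and the Discovery-stage question of whether a viable backup exists) is only useful if a restore is actually checked against what was backed up. The following restore-drill script is an added example, not code from the webinar or from Makaye Infosec: it hashes the source tree at backup time into a manifest, then compares a restored tree against that manifest so that missing files, stray files, and files whose content no longer matches (for instance because they came back encrypted) are reported before anyone declares recovery complete. The file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Hash every file under root and return {relative_path: sha256}.

    Store the result with the offline copy (ideally write-once media) at
    backup time; a manifest left on the live network can be altered with it.
    """
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()).hexdigest()
    return manifest


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    current = build_manifest(restored)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    return {"ok": not (missing or extra or changed),
            "missing": missing, "extra": extra, "changed": changed}


def run_drill() -> tuple:
    """Constructed drill: one clean restore and one that came back damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "data")
        source.mkdir()
        (source / "ledger.csv").write_text("acct,balance\n1001,42.00\n")
        (source / "notes.txt").write_text("constructed sample file\n")
        manifest = build_manifest(source)  # taken at backup time

        good = Path(tmp, "restore_good")  # faithful restore
        good.mkdir()
        for name in ("ledger.csv", "notes.txt"):
            (good / name).write_bytes((source / name).read_bytes())

        bad = Path(tmp, "restore_bad")  # damaged restore
        bad.mkdir()
        (bad / "ledger.csv").write_bytes(b"\x8f\x12\x00garbage")  # content altered
        (bad / "ledger.csv.locked").write_bytes(b"x")  # stray file; notes.txt absent

        return verify_restore(good, manifest), verify_restore(bad, manifest)
```

In practice the drill is run against a restore onto an isolated host, and a non-empty `missing`, `extra`, or `changed` list is the signal that the backup or the restore procedure needs attention before an incident, not during one.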

Closing Thoughts

Paying the ransom is really only part of the "cost" of an attack. It is not just about money; there are also lawsuits, reputational damage, and stress.

If you hold a lot of sensitive data (for example in healthcare or as a government contractor), it may be worthwhile or even required to work with a security consultant. The size of the organization does not really matter; what is critical is having someone knowledgeable who is solely in charge of security. The basic preventions that used to suffice will usually no longer be effective, as criminals are banding together and using much more sophisticated tools. Even an annual assessment from an expert is useful. As you grow, you may want a relationship that includes monitoring and advisement.

This information is taken from the webinar What to Do in a Ransomware Attack – Tips from a Cyber Security Expert, featuring George Makaye, CEO and Chief Information Security Officer at InfoSec. A replay of the webinar is available.

About Pocketstop RedFlag

Pocketstop is a communication software solutions company that empowers companies to create personalized, automated messages designed to provide rapid ROI, backed by the industry's best support at a cost customers can afford. Our commitment to excellence propelled us to become the industry's pioneer in innovative and effective technologies, with a portfolio of customer-focused products designed to drive audience behavior, improve efficiency, and provide insight and actionable data for decision making by improving their existing internal, employee, stakeholder, or customer communication strategies. For more information, visit


