When a ransomware attack is actively unfolding, every decision matters—and every minute counts. Systems may already be encrypted, sensitive data at risk of exfiltration, and business operations grinding to a halt, leaving leadership teams under intense pressure to act quickly and correctly. In these moments, organizations that follow a disciplined, proven response approach are far better positioned to contain damage, protect evidence, and accelerate recovery. Drawing from real-world incident response guidance, this article outlines ten critical actions businesses should take during an active ransomware attack to stabilize the situation, avoid costly missteps, and set the foundation for effective remediation and recovery.
1. Don’t Panic
To call an attack stressful is a major understatement, but it’s also no time to panic. Do your best to remain calm and rely on your preparations and your team to proceed quickly and efficiently.
2. Let Your Incident Response Plan Be Your Guide
This plan is home to the critical information you and your IT team will need when you experience a security incident. Update it frequently and test it at least annually so you don’t encounter costly barriers to action. While the plan is certainly stored online, it’s wise to also keep a printed copy so it’s accessible when your network is down or inaccessible.
3. Open Communication with Trusted Advisors
If you have a response and recovery partner like Agility, that should be your first call so that team can begin triage right away. Follow-up calls should include insurance brokers, your insurance claims team, legal counsel, etc.
4. Isolate Backups
Be sure your backups are offline or physically offsite so they are isolated from the attacker and cannot be reached from the compromised network.
5. Disconnect Servers and Devices from Your Network
When an attacker is stealing data from your network in real time, cutting off the internet and disconnecting devices from each other halts the hacker’s efforts.
6. Do Not Engage the Threat Actor
Attempting to decrypt ransomed data or negotiate with the threat actor on your own could result in costly mistakes and a greater ransom. Instead, contact response and recovery experts like Agility Recovery. Skilled negotiations can reduce your ransom payment by as much as 64%. Even better, up to 70% of businesses that utilize professional negotiation services report a zero-payout resolution to their incident.
7. Document What You Can with Screenshots, Photos, Etc.
Things to document include ransom notes and encrypted-file extensions, the logs you reviewed, and any software output that shows the state of the environment.
8. Preserve Evidence
- Do not turn off devices
- Do not attempt to wipe, re-image, or restore from backup without consultation
- Failure to preserve evidence will prevent a complete investigation
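As an added example for steps 7 and 8 (not code from the original article or from Agility), the following Python inventory records ransom-note candidates by hash and tallies unfamiliar file extensions while opening every file read-only, so nothing on the affected system is modified. The known-good extension list, the note-size and directory-count thresholds, and the sample tree it builds are constructed assumptions for the demonstration.

```python
import hashlib
import json
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

KNOWN_GOOD_EXT = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".html", ".log"}  # constructed list
NOTE_MAX_BYTES = 64 * 1024   # ransom notes are small text files
NOTE_MIN_DIRS = 3            # the same small file dropped into many folders

def sha256_of(path: Path) -> str:
    """Hash with read-only access; file content and mtime stay untouched."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(root: str) -> dict:
    """Ransom-note candidates (same small file in many dirs) and odd extensions."""
    by_hash = defaultdict(set)  # sha256 -> directories the file appears in
    sample = {}                 # sha256 -> an example file name
    extensions = Counter()
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext and ext not in KNOWN_GOOD_EXT:
            extensions[ext] += 1
        if 0 < path.stat().st_size <= NOTE_MAX_BYTES:
            digest = sha256_of(path)
            by_hash[digest].add(str(path.parent))
            sample.setdefault(digest, path.name)
    notes = [{"sha256": d, "name": sample[d], "directories": len(dirs)}
             for d, dirs in by_hash.items() if len(dirs) >= NOTE_MIN_DIRS]
    return {"ransom_note_candidates": notes, "suspicious_extensions": dict(extensions)}

def build_sample_tree() -> str:
    """Constructed victim tree in a temp dir: one note dropped into three folders."""
    root = tempfile.mkdtemp()
    for sub in ("finance", "hr", "shared"):
        d = Path(root, sub)
        d.mkdir()
        (d / "RESTORE_FILES.txt").write_text("constructed ransom note text")
        (d / "report.docx.locked").write_text(f"ciphertext-{sub}")
    (Path(root, "hr") / "ok.pdf").write_text("untouched")
    return root

if __name__ == "__main__":
    print(json.dumps(inventory(build_sample_tree()), indent=2))
```

Run it from clean media against a read-only mount or a disk image and write the report off the affected host; reading files can still update access times on some filesystems, which is another reason to work from an image.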
9. Change Your Passwords
This includes:
- Administrator accounts and all cloud accounts
- VPN/Remote connectivity software
- Firewall
10. Identify Where Sensitive Information Is Stored
Know the host name of the device that holds it, and review your backups for this information. Consult with your legal team before you inform employees, clients, etc., of the attack.