
9 key decisions you’ll need to make in the wake of a ransomware attack

How should organisations respond in the aftermath of a ransomware attack? Steve Singer from Zscaler explores.

Steve Singer
Mon, 24 Jan 2022

It’s an unfortunate business truth that it’s not a matter of whether your organisation will fall victim to a ransomware attack, but when.

The attacks, in which a cyber criminal encrypts critical data and then demands a ransom for the decryption keys, are rapidly increasing in number. Victims range from large utility and manufacturing companies to healthcare providers and financial firms.

During the past 12 months, the threat has extended even further. In some cases, cyber criminals copy sensitive data before encrypting it and then threaten to publish the files on the internet if payment is not forthcoming, a tactic often called double extortion. This means that restoring from backup no longer removes all of the attacker’s leverage.


With the increasing risk of ransomware, businesses need to be ready to make some critical decisions in the aftermath. Nine questions that will require immediate answers are:

  1. How will your DR plan be implemented?

It’s tempting to view ransomware as a purely technical problem that affects only an organisation’s IT infrastructure. In reality, its effects are much broader. It will therefore be necessary to invoke a disaster recovery (DR) plan immediately, one that covers every facet of business activity. From staff support and customer service to suppliers and partners, having a detailed plan in place will allow operations to be restored as quickly as possible.

  2. Should the entire IT infrastructure be locked down?

The first step following a ransomware attack should be containment. If the core infrastructure has been hit, it may still be possible to isolate other parts, such as data centres or backup servers in a different location, so they can continue to function. Containment, typically by severing network connectivity between the affected segment and everything else, stops the ransomware spreading to further systems and causing more significant problems. Backups deserve priority here: an attacker who can still reach them will encrypt or delete them, removing your main recovery option.

  3. What steps should you take to protect your Active Directory servers?

If an organisation’s Active Directory (AD) domain controllers have been encrypted, there may be little choice but to isolate them temporarily. This will have a massive impact on operations, since authentication and access to most systems depend on AD, but it cannot be avoided. Ensure your DR plan contains steps and contingencies that can be put into effect while AD is out of action, including a known-good backup of AD that is stored offline and can be rebuilt into a clean environment.

  4. How do you balance investigation and recovery?

Initial activity after a ransomware attack tends to focus on investigating the extent of the impact. In many cases, such investigations can take weeks or even months. It’s crucial to balance this work with activity focused on recovery: locating and testing backups, conducting dry-run restores and bringing recovery systems up in isolation, in parallel with everything else. Investigations must not block recovery, and recovery must not destroy the evidence the investigation needs, so preserve images of affected systems before rebuilding them.

  5. Should I enlist help from external parties?

The short answer is “yes”. Even if your organisation has a first-class IT team in place, the additional skills and experience of specialist incident responders, and of legal and insurance advisers, will be invaluable.

  6. How is it best to delegate authority for technical decisions?

A good approach is to appoint one person to drive investigation activities and another to lead recovery. Both need a solid technical background and must be empowered to do what is right for the organisation without waiting for committee decisions.

  7. When should you notify the board, the legal team and the PR department?

The board should be notified immediately if a ransomware attack occurs. Next, work with your legal team to determine which notification obligations apply, including any regulatory deadlines for reporting a data breach, and to begin notifying customers, suppliers and partners. It’s also essential to work with your PR team to ensure the correct messaging reaches customers and other interested parties.

  8. Should I recommend paying the ransom?

This question is likely to be asked very soon after an attack. The answer will vary from one organisation to another, but it needs to be carefully discussed and considered by senior decision-makers. Payment does not guarantee a working decryptor or that stolen data will be deleted, and in some jurisdictions paying a sanctioned group may itself be unlawful, so involve legal counsel before deciding. Never make a kneejerk reaction to an attack.

  9. How can I get all stakeholders and vendors to work together?

Quickly establish a communications channel that is accessible to all stakeholders. Because the attacker may still have access to corporate email and chat systems, this channel should be out of band, separate from the compromised environment. Tools that could be considered include video conferencing services like Zoom or Teams, project management tools like Asana, and document sharing and storage services such as Dropbox or Google Drive. Everything needs to be in place to allow all parties to share information and rapidly make informed decisions.

If you can answer these nine questions, you’ll be as well placed as possible to recover rapidly from a ransomware attack. Every organisation is likely to become a victim eventually, but not all will have to suffer long-term disruption and loss.

Steve Singer is the regional vice-president and country manager, ANZ at Zscaler.
