Navigating Ransomware Attacks


Agnidipta Sarkar

Read time: 3 minutes

Last updated: Feb 21, 2024


Many people are well aware of the surge in ransomware incidents, but the real focus should be on responding effectively. As the threat escalates, it is important to know the steps needed to contain the fallout and respond well.

CISO: More Than a Technical Expert

The Chief Information Security Officer (CISO) plays a crucial role in orchestrating an organization's ransomware defense and response plans. Beyond their technical acumen, CISOs are responsible for business continuity and, more importantly, crisis management. A large part of the CISO's job is therefore collaborative.

Ransomware Attack Response: A Step-by-Step Guide

When confronted with a ransomware attack, a well-structured response plan is crucial. Here is a step-by-step guide to navigating the aftermath strategically:

Quarantine: The Swift Isolation of Threats

Upon detecting an attack, immediate quarantine of the affected systems is imperative. A successful quarantine contains the potential damage. If the quarantine fails, the consequences can ripple across your operations, from hampering product deliveries to disrupting salary payments.

Cyber Crisis Management: Assembling the Council

Where quarantine is insufficient, a pre-established cyber crisis team, or council, takes over. Because you may be unable to reach your board quickly during an incident, it is important to secure the cyber crisis council's approval and mandate early on. This council will be crucial in mitigating the fallout from an attack.

Paying the Ransom: A Delicate Negotiation

In dire situations, paying the ransom becomes necessary. This delicate task falls to the negotiator. It is not something the CISO, or anyone else in your company, is equipped to do; instead, you should hire an external negotiator. If you have a cyber insurance provider, which I highly recommend, they can help by supplying a list of professional ransomware negotiators.

You must also be aware of your country's payment restrictions, in particular whether the common ransom currency, Bitcoin, is permitted. Do not assume you are done once payment is delivered: sometimes, even after you pay, the attacker will not restore access to your systems. These are called egregor attackers; a direct translation of the word egregor is severe pain, and a severe pain they are if this scenario happens to you.

You have a mere 24 to 48 hours after an attack to get your affairs in order. You must obtain an analysis of patient zero, the initial attack. Analyzing the origin, impact, and current state of the attack, and determining the Recovery Point Objective (RPO), is crucial to developing a plan with your cyber crisis council.
</parameter>

At the same time, awareness and understanding of jurisdiction-specific mandates, such as India's requirement to inform a computer emergency response team within six hours, ensure a timely and efficient response.

Additionally, notifying market regulators such as Wall Street and the stock exchange, a task overseen by the CFO, provides the necessary transparency in a time of crisis.

IT Response: Eliminating Dormant Threats

From a technical perspective, the IT team must determine whether any traces of malicious software remain in the network. The possibility of dormant threats makes a thorough sweep necessary to eliminate every remnant of the attack.

Effective Communication: Navigating Reputation Risk

How you communicate with the public is critical to preserving your business's reputation. Tailoring your approach to who is aware of the attack (customers, the public, or internal teams) can significantly influence the narrative's impact on your brand.

Strategic Investment: The Path to Resilience

Prevention beats remediation, so strategic investments that fortify your organization's resilience are important. Endpoint protection, network security, microsegmentation, data loss prevention, and observability are critical components of your defense strategy. In particular, investing in "withstand" capabilities enables manual workarounds, allowing essential operations to continue even during an attack. These investments are critical to a company's success: they leave you better prepared than the organization standing next to you.

At the height of a ransomware attack you may feel lost, but there are clear-cut things to be aware of so that you are prepared. Investment in protection can help prevent these attacks, and if one does ultimately hit your business, it is helpful to refer back to these technical and non-technical steps.

Investing in ColorTokens can prove to be the preventative measure you need against these attackers. Invest before it’s too late.