Ransomware Incident Response Plan

An Incident Response Plan Prepares You for a Ransomware Attack

Many businesses and non-profits are wondering whether they will be the next victim of a ransomware attack. Well-known ransomware victims recently made headlines when they paid the ransom to recover their data quickly and resume normal operations. Are you ready to make the same decision? Is your company prepared to restore vital data from backups? Organizations have the best chance of surviving a ransomware attack and minimizing the damage by having a disaster response plan that includes disaster recovery procedures.

Creating an Incident Response Program

The accompanying disaster recovery plan and incident response plan outline the steps to follow if ransomware is detected in an organization’s IT resources. According to the National Institute of Standards and Technology, an incident response plan should contain four sections.

Preparation

Make sure everyone in your organization knows their role in an emergency. To confirm the plan actually works, walk through it against realistic ransomware scenarios.

Detection & Analysis

Determine whether an incident took place, what type of incident it was, and how severe it was.

Containment, Eradication & Recovery

Stop the incident from spreading, remove its cause, and restore the affected systems before further damage can be done.

Post-Incident Activity

Hold a lessons-learned exercise to determine whether the documented procedures were followed and what was actually done. These lessons can then be used to avoid similar situations in the future.

These recommendations can be found in NIST’s Computer Security Incident Management Guide.

The 3-2-1 Rule

Organizations that wish to safeguard their data assets should follow the 3-2-1 rule for backups: keep three copies of the data, stored on two different media types, with one copy kept offsite.

While offsite backups are important, organizations must also confirm that the offsite copies cannot be reached by the machines being backed up, and that backup immutability prevents them from being modified. Backup data can be made immutable for a specified period; until that period has expired, the data cannot be changed or deleted, even by an attacker who controls the production systems.

Backup Policy

Backups can be done once an hour or once a day, depending on the company’s backup retention policy, while backups to offsite storage may be performed only once a week or once a month. It is important to establish a backup retention plan as part of your disaster recovery plan, so that you can respond to a ransomware attack and make the decisions that lead to data recovery.

Some acronyms to remember: MAD, RPO, RTO

An organization should establish its maximum allowed downtime (MAD), recovery point objective (RPO), and recovery time objective (RTO) during plan development.

MAD = how long a system or service can be down before the organization can no longer carry on its normal operations.

RPO = the maximum amount of data, measured in time, that the organization can afford to lose after an incident; in practice, how old the most recent usable backup may be.

RTO = the target time within which a system or service must be recovered after an incident.

The cost of a backup solution and its restoration time have an inverse relationship: faster restores cost more. Once your organization has set its RTO, it can strike the right balance between downtime in an emergency and the ongoing cost of the backup solution.
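The following script is an added illustration, not part of the original article or any GRF tool, of how the 3-2-1 rule with immutability and the RPO definition above can be checked against a backup inventory. The inventory, field names and the four-hour RPO are constructed assumptions for this example; the point it shows is that an hourly local backup does not count toward the RPO if ransomware on the production hosts could reach it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class BackupCopy:
    name: str
    media: str                  # "disk", "tape", "object-storage", ...
    offsite: bool
    reachable_from_prod: bool   # can the hosts being backed up write to or delete it?
    immutable_until: Optional[datetime]  # retention-lock expiry, None if no lock
    last_completed: datetime    # when this copy last finished successfully

def check_321(copies: List[BackupCopy], now: datetime) -> List[str]:
    """Return findings against the 3-2-1 rule plus the immutability requirement."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies share one media type, need 2")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("no offsite copy")
    for c in offsite:
        if c.reachable_from_prod:
            findings.append(f"{c.name}: offsite copy is reachable from production hosts")
        if c.immutable_until is None or c.immutable_until <= now:
            findings.append(f"{c.name}: offsite copy is not under an immutability lock")
    return findings

def check_rpo(copies: List[BackupCopy], now: datetime, rpo: timedelta) -> Tuple[bool, timedelta]:
    """Worst-case data loss is the age of the newest copy that ransomware on the
    production hosts could NOT have encrypted or deleted; it must fit within the RPO."""
    survivors = [c for c in copies if not c.reachable_from_prod]
    if not survivors:
        return False, timedelta.max
    age = now - max(c.last_completed for c in survivors)
    return age <= rpo, age

# Constructed sample inventory (assumed, not real data): hourly local disk, nightly
# tape in a vault, nightly offsite object storage whose retention lock has expired.
NOW = datetime(2024, 1, 15, 12, 0)
SAMPLE = [
    BackupCopy("local-disk", "disk", False, True, None, datetime(2024, 1, 15, 11, 0)),
    BackupCopy("tape-vault", "tape", False, False, None, datetime(2024, 1, 14, 2, 0)),
    BackupCopy("cloud-bucket", "object-storage", True, True,
               datetime(2024, 1, 1), datetime(2024, 1, 14, 2, 0)),
]

if __name__ == "__main__":
    for finding in check_321(SAMPLE, NOW):
        print("3-2-1:", finding)
    met, loss = check_rpo(SAMPLE, NOW, timedelta(hours=4))
    print("RPO met:", met, "| worst-case data loss:", loss)
```

With the sample inventory the offsite copy fails both the reachability and immutability checks, and the worst-case data loss is 34 hours, far beyond a four-hour RPO, because only the nightly tape is out of the attacker's reach.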

Ransomware Susceptibility Index

Is your company vulnerable to a cyberattack, including the feared ransomware attack? GRF’s Cyber Threat Assessment Scorecard now includes a Ransomware Susceptibility Index to help organizations assess their risk and identify their top areas of exposure.