Ransomware Protection and Response

Over the past weeks, we discussed what ransomware is and the anatomy of a ransomware attack. Now let us look at ways to protect an organization from ransomware and at how to respond if it falls victim to an attack.

According to IBM, ransomware accounts for more than 23% of all cybersecurity attacks, and ransom payments in a single year exceeded 120 million dollars. Preventing a ransomware attack requires a defined plan, awareness, and cooperation from everyone in the organization. The main methods for protecting an organization from ransomware are:

  • Backups
  • Plans and policies
  • Ports and endpoints
  • Awareness

Backups

The simplest and most effective measure is to keep a backup copy of critical data: recovery is straightforward if a backup exists and is not itself infected. Backups must therefore be kept offline, or on a separate network that cannot be reached from the production network once it has been compromised, and they should be monitored and test-restored routinely. Some ransomware strains are written specifically to find and encrypt data stored in cloud services, so cloud storage is not automatically safe. Before restoring during an incident, it is essential to confirm that the backup data is intact and uninfected.

Plans and policies

Having a proper plan and policies goes a long way toward mitigating a ransomware attack. Write an incident response plan and policies for the case where systems become infected, so the security team can act according to the plan instead of improvising under pressure; this prevents panic across the organization. The plan should also name who must be contacted, internally and externally, when an attack happens.

Ports and endpoints

Systems in the organization should be configured with security as the top priority: a hardened configuration closes the gaps that default settings leave open. Ransomware usually spreads over a small number of network services, so knowing which strains are circulating tells you which ports they abuse. Decide deliberately whether each of those ports needs to be open at all; if it does, restrict it to trusted hosts rather than exposing it to the whole network.
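The audit below is an added example, not code from the original article. It parses a listening-socket table of the kind `ss -lntp` prints (the sample embedded here is constructed, not real output), compares every network-exposed port against a policy of which ports may be open and from which source networks, and emits the nftables rules that would restrict each port to its trusted hosts or close it. The policy, addresses and process names are assumptions chosen for illustration.

```python
"""Audit listening services against a trusted-host policy (added example)."""
import ipaddress
import re

# Constructed sample shaped like `ss -Hlntp` output; IPv4 only for brevity.
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=811,fd=3))
LISTEN 0 50  0.0.0.0:445  0.0.0.0:* users:(("smbd",pid=902,fd=34))
LISTEN 0 128 0.0.0.0:3389 0.0.0.0:* users:(("xrdp",pid=933,fd=11))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=1203,fd=7))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=1410,fd=19))
"""

# Assumed policy: port -> trusted source networks. A port with an empty list
# or absent from the policy must not be reachable from the network at all.
POLICY = {
    22: ["10.0.5.0/24"],      # admin jump hosts only
    445: ["10.0.10.0/24"],    # file-sharing clients only
    3389: [],                 # remote desktop: should not be open
}

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(text):
    """Return (bind_addr, port, process) for each listening socket."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
    return out

def exposed(bind_addr):
    """True if the socket is reachable from other hosts (not loopback-bound)."""
    return not ipaddress.ip_address(bind_addr).is_loopback

def audit(listeners, policy):
    """One finding per network-exposed port: restrict to trusted hosts, or close."""
    findings = []
    for addr, port, proc in listeners:
        if not exposed(addr):
            continue
        trusted = policy.get(port)
        if trusted:
            rules = [f"tcp dport {port} ip saddr {{ {', '.join(trusted)} }} accept",
                     f"tcp dport {port} drop"]
            verdict = "restrict"
        else:
            rules = [f"tcp dport {port} drop"]
            verdict = "close"
        findings.append({"port": port, "process": proc,
                         "verdict": verdict, "rules": rules})
    return findings

if __name__ == "__main__":
    for f in audit(parse_listeners(SS_OUTPUT), POLICY):
        print(f"{f['port']:>5} {f['process']:<10} {f['verdict']}")
        for r in f["rules"]:
            print("      nft add rule inet filter input", r)
```

The loopback-bound database is skipped because it is not exposed; the two ports with trusted networks get an accept-then-drop pair, and the ports with no approved source are dropped outright. Feed it real `ss -Hlntp` output and your own policy to get a review list for each host.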

Awareness

It is highly recommended to build a team that specializes in cybersecurity, and every employee should be aware of how ransomware attacks happen. Phishing email is the most common method attackers use to deliver ransomware, so employees must know how to spot a suspicious email and report it to the security team immediately. A dedicated team with current threat intelligence and up-to-date tooling can prevent an attack, or contain one, much faster.

Systems should be updated regularly so attackers cannot use a known flaw as their way in. Applying software patches promptly reduces the attack surface available to them.


Ransomware Incident response

If an organization is infected by ransomware, these are the essential response steps that need to be carried out.

Identify and Validate

First and foremost, confirm that the incident really is ransomware and not some other bug, virus, or malware. This is usually easy to confirm: files have been encrypted (often renamed with a new extension), systems are locked, and a ransom note has been dropped.

Analyze the scope

Once the attack is confirmed, immediately assemble the response team to establish the exact scope: how the malware is spreading, which networks and systems are affected, and which are not. This must be done as quickly as possible.

Contain

After the analysis, immediately disconnect every system confirmed to be infected from the network. If that is not possible, isolate the affected network segment to stop the infection from spreading. Have the SOC team monitor network traffic and block access to the ransomware's command-and-control servers.

Identify the strain

Next, identify which ransomware strain has infected the systems. A clear understanding of the specific strain can speed up mitigation considerably: some strains have flawed or weak encryption for which free decryption tools are publicly available.
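The triage script below is an added example, not code from the original article, covering the identify-and-validate, scope-analysis, containment and strain-identification steps above in one pass. Over constructed file-audit and connection logs (embedded; the log format, hostnames, addresses and ransom-note file names are assumptions) it confirms that the activity looks like encryption rather than ordinary file churn, by counting renames to an unknown extension and ransom-note drops per host inside a short window; reports the affected hosts and the dominant new extension, which is a quick handle for looking up the strain; and lists the external destinations those hosts contacted during the burst as candidates for egress blocking.

```python
"""Triage file-event and connection logs for ransomware activity (added example)."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-audit events: timestamp host user action path
FILE_EVENTS = """\
2024-03-04T09:00:01 ws-17 alice RENAME /srv/share/finance/q1.xlsx -> /srv/share/finance/q1.xlsx.locked
2024-03-04T09:00:01 ws-17 alice RENAME /srv/share/finance/q2.xlsx -> /srv/share/finance/q2.xlsx.locked
2024-03-04T09:00:02 ws-17 alice CREATE /srv/share/finance/README_RESTORE.txt
2024-03-04T09:00:02 ws-17 alice RENAME /srv/share/hr/payroll.docx -> /srv/share/hr/payroll.docx.locked
2024-03-04T09:00:03 ws-17 alice RENAME /srv/share/hr/contracts.pdf -> /srv/share/hr/contracts.pdf.locked
2024-03-04T09:00:03 ws-17 alice CREATE /srv/share/hr/README_RESTORE.txt
2024-03-04T09:00:04 ws-17 alice RENAME /srv/share/hr/policy.docx -> /srv/share/hr/policy.docx.locked
2024-03-04T09:00:04 ws-17 alice RENAME /srv/share/hr/policy_v2.docx -> /srv/share/hr/policy_v2.docx.locked
2024-03-04T09:01:10 ws-22 bob RENAME /home/bob/draft.docx -> /home/bob/draft-final.docx
2024-03-04T09:05:00 ws-22 bob CREATE /home/bob/notes.txt
"""

# Constructed connection events: timestamp host dst_ip dst_port
CONN_EVENTS = """\
2024-03-04T08:59:50 ws-17 10.0.10.5 445
2024-03-04T09:00:00 ws-17 203.0.113.77 443
2024-03-04T09:00:05 ws-17 203.0.113.77 443
2024-03-04T09:00:30 ws-22 10.0.10.5 445
2024-03-04T09:02:00 ws-22 198.51.100.9 443
"""

KNOWN_EXT = {"xlsx", "docx", "pdf", "txt", "pptx", "jpg", "png"}
NOTE_NAMES = {"README_RESTORE.txt", "HOW_TO_DECRYPT.txt"}   # assumed note names
WINDOW = timedelta(seconds=60)
THRESHOLD = 5   # suspicious events per host inside WINDOW before we flag it

def parse_ts(s):
    return datetime.fromisoformat(s)

def suspicious_events(text):
    """Yield (ts, host, new_ext_or_None) for renames to an unknown extension
    and for ransom-note creation; ordinary renames and creates are ignored."""
    for line in text.splitlines():
        ts, host, _user, action, rest = line.split(" ", 4)
        if action == "RENAME":
            new_path = rest.split(" -> ")[1]
            ext = new_path.rsplit(".", 1)[-1].lower()
            if ext not in KNOWN_EXT:
                yield parse_ts(ts), host, ext
        elif action == "CREATE" and rest.rsplit("/", 1)[-1] in NOTE_NAMES:
            yield parse_ts(ts), host, None

def detect(text):
    """Return {host: (burst_start, flagged_at, dominant_extension)} for hosts
    whose suspicious-event count reaches THRESHOLD inside a sliding WINDOW."""
    flagged = {}
    windows = defaultdict(deque)    # host -> timestamps inside the window
    exts = defaultdict(Counter)     # host -> new extensions seen
    for ts, host, ext in suspicious_events(text):
        q = windows[host]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if ext:
            exts[host][ext] += 1
        if len(q) >= THRESHOLD and host not in flagged:
            flagged[host] = (q[0], ts)
    return {h: (start, end, exts[h].most_common(1)[0][0] if exts[h] else None)
            for h, (start, end) in flagged.items()}

def is_internal(ip):
    return ip.startswith("10.") or ip.startswith("192.168.")

def block_candidates(conn_text, flagged):
    """External destinations contacted by flagged hosts around their burst."""
    out = set()
    for line in conn_text.splitlines():
        ts, host, dst, port = line.split()
        if host not in flagged:
            continue
        start, end, _ = flagged[host]
        if start - WINDOW <= parse_ts(ts) <= end + WINDOW and not is_internal(dst):
            out.add((dst, int(port)))
    return sorted(out)

if __name__ == "__main__":
    hits = detect(FILE_EVENTS)
    for host, (start, end, ext) in hits.items():
        print(f"{host}: flagged after {end - start}, new extension .{ext}")
    print("egress block candidates:", block_candidates(CONN_EVENTS, hits))
```

In the sample, ws-17 is flagged on its fifth suspicious event two seconds into the burst, while ws-22's ordinary rename and text-file creation never count. The new extension (.locked here) and the ransom-note name are the first things to search for when identifying the strain, and the external address ws-17 reached during the burst is what the SOC would block first.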

Erase and recovery

This step means wiping and reimaging every infected system and restoring data from backup. Before wiping, preserve forensic copies of the infected systems and their logs for the later investigation. The backup data must be verified as uninfected before it is restored, and all passwords and security keys that the attacker could have captured must be changed.
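The following is an added example, not code from the original article, serving both the Backups section above (protect the backup so a compromised network cannot silently alter it) and the restore check in this step. At backup time make_manifest() records the SHA-256 of every file and signs the manifest with an HMAC key that is assumed to live only on the backup host; at restore time verify_backup() checks the HMAC, re-hashes the tree, and additionally flags dropped ransom notes and files that look encrypted (near-random byte entropy in a file that should be plain text). The directory layout, key handling, ransom-note names and entropy threshold are assumptions, and demo() builds a constructed backup in a temporary directory to show a clean check followed by a simulated infection.

```python
"""Seal a backup with a keyed manifest and verify it before restoring (added example)."""
import hashlib
import hmac
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

NOTE_NAMES = {"README_RESTORE.txt", "HOW_TO_DECRYPT.txt"}   # assumed note names
TEXT_EXT = {".txt", ".csv", ".json", ".xml", ".sql"}         # files expected to be plain text
ENTROPY_LIMIT = 7.2   # bits per byte; plain text is usually well below 6

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def entropy(data):
    """Shannon entropy in bits per byte; 8.0 is indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def make_manifest(root, key):
    """Hash every file under root and return the HMAC-signed manifest as bytes."""
    root = Path(root)
    files = {str(p.relative_to(root)): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"files": files, "hmac": tag}).encode()

def verify_backup(root, key, manifest_bytes):
    """Return a list of problems; an empty list means the backup is safe to restore."""
    manifest = json.loads(manifest_bytes)
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return ["manifest HMAC mismatch: manifest tampered with or wrong key"]
    problems, seen = [], set()
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        seen.add(rel)
        if p.name in NOTE_NAMES:
            problems.append(f"ransom note present: {rel}")
        if rel not in manifest["files"]:
            problems.append(f"unexpected file: {rel}")
            continue
        if sha256_file(p) != manifest["files"][rel]:
            problems.append(f"hash mismatch: {rel}")
        if p.suffix.lower() in TEXT_EXT:
            e = entropy(p.read_bytes())
            if e > ENTROPY_LIMIT:
                problems.append(f"looks encrypted ({e:.2f} bits/byte): {rel}")
    for rel in manifest["files"]:
        if rel not in seen:
            problems.append(f"missing file: {rel}")
    return problems

def demo():
    """Constructed scenario: verify a clean backup, then the same tree after a
    simulated infection, then the clean manifest checked with the wrong key."""
    key = os.urandom(32)   # assumption: kept only on the backup host, never on production
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "customers.csv").write_text("id,name\n1,Ann\n2,Bo\n" * 50)
        (root / "notes.txt").write_text("Q1 planning notes\n" * 20)
        manifest = make_manifest(root, key)
        clean = verify_backup(root, key, manifest)
        (root / "customers.csv").write_bytes(os.urandom(4096))        # "encrypted"
        (root / "README_RESTORE.txt").write_text("Your files are encrypted.\n")
        infected = verify_backup(root, key, manifest)
        wrong_key = verify_backup(root, os.urandom(32), manifest)
    return clean, infected, wrong_key

if __name__ == "__main__":
    for label, result in zip(("clean", "infected", "wrong key"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The HMAC is what makes the manifest trustworthy: an attacker who can rewrite the backup files from the production network cannot also re-sign the manifest without the key held on the backup host. The entropy check catches the case where the manifest itself was lost and only the files remain.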

Post-infection actions

Once the infection has been dealt with, meet every notification obligation set out in your contracts and in any regulation that applies to you. Informing law enforcement can help limit the impact of the attack and catch the attackers sooner: they may have seen the same campaign before and know how to contain it. They can also advise on the question of paying the ransom, which is generally discouraged, since payment funds the attackers and does not guarantee that the data will be recovered.

Analyze and document how the attack began, how long the security team took to respond, the logs generated during the attack, and the strain of malware involved. This record helps prevent a repeat attack through the same weakness, and the findings feed back into improved policies and plans for the future.

With Clear Infosec, keep your workforce trained to stay fortified against any kind of social engineering attack, and keep them informed about the evolving threat landscape.