Detection, Isolation and Negotiation: Improving Your Ransomware Preparedness and Response

The risks presented by ransomware and cyber-extortion events have likely found a place in your own security team’s discussions, and rightly so. Ransomware attacks have increased over the past decade. The numbers are staggering, if not overwhelming, and make it abundantly clear that ransomware is a threat that no organization, regardless of size or industry, can afford to ignore.

It therefore follows that proactively protecting corporate assets and mitigating cyber risks is an essential investment for any business today. Without a threat preparedness and response plan in place, the damage from a ransomware or cyber extortion event can ripple through your organization, resulting in data loss, service inaccessibility, operational disruption, loss of confidence and competitive advantage in the market, and other costly and long-lasting repercussions.

Improve threat preparedness

When your company’s data is held hostage in a cyber extortion attack, you must quickly determine the nature and extent of the attack and then execute your plans to respond to and mitigate it, because the longer a ransomware attack goes unaddressed, the greater the potential damage to your organization’s ability to conduct business as usual.

While complete prevention of an attack is the ultimate goal, mitigation is a more likely (and perhaps more reasonable) goal, and organizations should prioritize preparedness as much as prevention. Prevention includes implementing best practices and measures that can stop ransomware events from occurring; preparedness positions the organization to suffer the least damage in the event of an attack that does get through.

Ransomware preparedness can be broken down into three main components: preparation, detection and isolation.

Preparation

Your organization’s ability to respond to a ransomware event is directly affected by the tools you have immediately available, making preparation a key part of successfully navigating an attack. Proper preparation works doubly: it educates your teams on how to prevent attacks and provides guidance on what to do if you are targeted.

Here are some of the things you may want to include when developing your organization’s plan for cyber extortion attacks.

  • Create an incident response playbook that contains all relevant information related to responding to a ransomware attack.
  • Regularly hold mandatory training sessions for employees to educate them on how to prevent hackers from gaining access to company systems to carry out an attack. The importance of password hygiene, warning signs of email phishing, and online security best practices may be among the topics covered.
  • Empower employees to help prevent attacks by providing them with protocols and resources to report suspicious activity and raise concerns if they feel there is a risk that needs to be addressed.

Detection

Detection refers to the tools, technology, people and processes in place to notice that an attack is occurring or has occurred and to identify its source within the network. Specific subcomponents of detection include:

  • Have a robust set of monitoring platforms configured to watch your networks and endpoints and alert you to suspicious activity, such as the appearance of a known ransomware file extension or the rapid renaming of a large volume of files, which may indicate that they are being encrypted.
  • Feed your threat intelligence program with easily accessible and up-to-date knowledge on specific ransomware actors/groups and their tactics, techniques, and procedures (TTPs), including technical intelligence, to better anticipate exposures and potential attacks.
  • Implement multi-factor authentication to reduce the likelihood of attackers gaining unauthorized access to your systems with stolen or guessed credentials.
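The first bullet names two concrete signals: a file gaining a known ransomware extension, and a burst of renames in a short window. The following is an added example, not code from the original article, showing how a detection rule for both signals might run over file-system audit events. The event format, the thresholds, the extension watchlist and the sample events are all constructed for illustration; a real deployment would consume EDR or file-audit telemetry and tune the thresholds to the environment's normal rename rate.

```python
"""Toy ransomware-activity detector over file-system audit events.

Added example (not from the original article). The event schema, the
thresholds and the extension watchlist are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Illustrative watchlist only; not a complete or authoritative list of
# extensions used by real ransomware families.
KNOWN_RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}


@dataclass(frozen=True)
class FsEvent:
    """Constructed audit-event schema: who did what to which path, and when."""
    ts: float      # epoch seconds
    host: str
    user: str
    action: str    # "rename", "write" or "delete"
    path: str


def _extension(path: str) -> str:
    """Return the final extension of the file name (lower-cased), or ""."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("/") else ""


def detect_ransomware_activity(events: Iterable[FsEvent],
                               window_seconds: int = 60,
                               rename_threshold: int = 50) -> List[Dict]:
    """Emit alerts for (a) a rename onto a watchlisted extension and
    (b) >= rename_threshold renames by one host/user inside a sliding window.

    Alerts are de-duplicated so one incident produces one alert per signal,
    not one per file.
    """
    alerts: List[Dict] = []
    recent: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
    seen_ext: Set[Tuple[str, str, str]] = set()
    burst_alerted: Set[Tuple[str, str]] = set()

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "rename":
            continue
        key = (ev.host, ev.user)

        ext = _extension(ev.path)
        if ext in KNOWN_RANSOM_EXTENSIONS and (key + (ext,)) not in seen_ext:
            seen_ext.add(key + (ext,))
            alerts.append({"type": "known_extension", "host": ev.host,
                           "user": ev.user, "extension": ext,
                           "first_path": ev.path, "ts": ev.ts})

        window = recent[key]
        window.append(ev.ts)
        while window and ev.ts - window[0] > window_seconds:
            window.popleft()          # drop renames older than the window
        if len(window) >= rename_threshold and key not in burst_alerted:
            burst_alerted.add(key)
            alerts.append({"type": "rename_burst", "host": ev.host,
                           "user": ev.user, "count": len(window),
                           "window_seconds": window_seconds, "ts": ev.ts})
    return alerts


def sample_events() -> List[FsEvent]:
    """Constructed telemetry: one benign user, one encryption-like burst."""
    benign = [FsEvent(120.0 * i, "ws-02", "alice", "rename",
                      f"/home/alice/draft_{i}.docx") for i in range(5)]
    burst = [FsEvent(1000.0 + 0.5 * i, "ws-17", "svc_backup", "rename",
                     f"/share/finance/report_{i}.xlsx.locked") for i in range(60)]
    return benign + burst


def run_demo() -> List[Dict]:
    """Run the detector over the constructed events and return its alerts."""
    alerts = detect_ransomware_activity(sample_events())
    for a in alerts:
        print(a)
    return alerts


if __name__ == "__main__":
    run_demo()
```

Only the `svc_backup` session on `ws-17` trips either rule; Alice's five renames stay well under the threshold and touch no watchlisted extension. The burst rule fires on the 50th rename, about 25 seconds into the activity, which is the point of a sliding window: it alerts while encryption is still in progress rather than after a batch job completes.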

Isolation

To limit its spread, isolation should be your organization’s first priority after realizing that a ransomware attack is targeting your organization. Designing your systems with segmented networks can have a huge impact when every second counts. Specific isolation subcomponents include:

  • Limit each employee’s access to only the files and data they need to do their job.
  • Disconnect infected systems from your organization’s network as soon as possible. Disconnecting first and preserving the system’s state where you can matters because powering a machine off destroys volatile evidence (such as keys and processes in memory) that investigators may need; shut systems down only when disconnection is not possible.
  • Disable potentially dangerous paths for moving between devices, including VPN access, network access control (NAC) permissions, and Active Directory (AD) user accounts that may be compromised.

Respond to a ransomware attack

Once you’ve successfully detected and stopped the progress of a ransomware attack, it’s essential to have a response plan already in place to save decision-making time and to control the emotional reactions that may arise during an emergency. It can be difficult to determine the full extent of a ransomware attack, and the more data the threat actor exfiltrates or encrypts, the longer it may take to understand the nature of the breach.

A good response plan is well established, easily accessible when needed, and based on the resources available to the organization at the time it is written. It has several parts, including the designation of the parties that manage each step; contact details for all parties who will communicate and negotiate directly with the ransomers; and up-to-date protocols related to legal compliance for processing the ransom payment. But of these, one of the most crucial elements to address in your plan is negotiation management.

Negotiation

Negotiation encompasses any engagement with the threat actor and is necessary to reach any form of resolution, whether payment is involved or not. It is always advisable to hire a professional familiar with threat actor engagement, ransomware attacks, and the legal obligations of ransomware victims; knowledge of current cyber extortion trends, threat actor TTPs, and threat actor groups is also important. Using a negotiator who is transparent throughout the process and responsive to the goals of the client organization greatly facilitates a smooth discussion that is more likely to resolve in a way the organization is comfortable with.

There is no one-size-fits-all method for negotiation. However, there are some general things you need to be prepared for if your organization finds itself in this worst-case scenario.

  • Keep all chats and communications with ransomware actors private and limit internal access to threat actor communication records. It may be advisable to switch to out-of-band communications (channels that do not depend on the potentially compromised network) if you are unsure whether the threat actor has access to your email.
  • Be prepared for professional negotiators. Many ransomware groups have been observed using people with a career in negotiation behind them to pressure organizations into complying with ransom demands, which further underlines the importance of having your own professional negotiator.
  • It is highly recommended to involve law enforcement from the start of a ransomware attack. Not only does this help your organization ensure that it is handling the attack within the bounds of the law, but law enforcement can also sometimes provide information about specific threat actors or their TTPs, helping you in your negotiations and improving the prospects of your situation.

Extra pressure

There are other ways threat actors use to add pressure to negotiations aside from the ransomware attack itself, including:

  • Launching DDoS attacks against the victim
  • Emailing employees directly about the attack
  • Claiming to hold data they did not actually exfiltrate, to make the situation appear worse
  • Contacting the victim’s executives or customers to inform them of the attack
  • Posting sensitive personal information in public forums or on social media
  • Leaving backdoors that allow the attackers to carry out a second attack against the same organization

Being the victim of a cyber extortion attack is stressful and difficult. To mitigate its impact on your business and your customers, it is imperative that you prepare for all of these additional factors that can increase the aggressiveness of a ransomware attack and cause lasting damage to the reputation and bottom line of your organization.
