A company falls victim to ransomware every 14 seconds, with an average attack cost of $133,000, according to Cybersecurity Ventures. Overall, ransomware costs companies $8 billion annually.
This makes ransomware a serious security issue for businesses of all sizes, and a ransomware response plan is an important document for minimizing harm. A ransomware response plan enables companies to take quick and decisive action in the chaotic first hours after an attack.
So if you don't have a ransomware response plan, you need one. The things to include are:
The most important part of your ransomware response plan is to describe what happens in the first few minutes after your system becomes infected.
These initial actions generally include removing devices from the network, identifying compromised data, and collecting evidence of the attack, such as the emails and applications used to deliver the infection.
"The first step in the event of an incident is to immediately shut down the affected system and isolate it from the network, preventing worm-enabled malware from spreading to other systems." Assign the authority to make the shutdown call quickly.
One of these first response steps, or the step immediately after them, should be alerting the IT department. A good ransomware response plan describes the order in which people are contacted and includes their contact information.
Some companies handle incident response internally, while others simply list external providers that can take action when ransomware strikes.
"If you don't have the skills, work with the incident response team," advises Daniel Wiley, incident response officer for cybersecurity software company Check Point.
One of the most troublesome issues associated with ransomware attacks is the ransom problem. Do you gamble on paying the ransom to get the data back, or do you write the data off and move on?
Security experts often emphasize that paying the ransom is not a good idea. Data recovery is not guaranteed, and payment could trigger a second attack. Personally, though, many admit that paying the ransom sometimes makes sense.
"I understand the ethics of not rewarding crime, but after 20% of ransomware attacks, more than 20% of companies will be closed and want to pay," says Darryl Richardson, chief product evangelist for Aparavi, a provider of ransomware prevention solutions.
Make sure your ransomware response plan answers this question and outlines how the company would pay the ransom.
If your company has a ransomware response plan, it probably has a backup system. This is a good thing, as you will need these backups after a ransomware attack.
A ransomware response plan should indicate where backup copies of the data are stored, the process for restoring the data, and the process for determining what data is lost as a result of restoring from backup. Make sure your plan also includes proper protocols to prevent ransomware from infecting the backups.
"Be aware that cybercriminals can infect files and backups stored on primary storage," says Richardson. "Therefore, files stored in the cloud or offsite are backup copies of your backup."
Aparavi recommends backing up to the cloud, ideally across multiple clouds, or at least keeping one offline copy that can be used during an attack. These backups must also be immutable and encrypted.
If one device is compromised by ransomware, other devices may be compromised as well. Your ransomware response plan should include the steps your company will take after an infection to identify and protect other IT resources from attack.
"Post-attack identification begins with forensic analysis. Conducting crime scene investigations to discover where and how attacks could pass through cybersecurity technology, and policies and processes, to ensure future events.