Part 1 of this two-part series outlined the mechanics and dangers of ransomware. Part 2 examines what steps to take, or not to take, during and after a ransomware attack.

“We’ve Been Hit – Now What?”

Bill Hardin of Charles River Associates, one of the panelists at the September FTC fall technology conference on ransomware, introduced an easy-to-remember acronym for guiding ransomware response strategies: “CPR” – contain, preserve, remediate.

  • Contain – As soon as you have determined that your device is infected, immediately unplug the infected device from the network, turn off wireless capabilities, disrupt the connection to the network, and shut down the agent. If this occurs at a service provider’s location, the service provider should run programs to detect and sever the connection. Create and maintain an incident response plan and train all your employees on the plan.
  • Preserve – The FBI representative on the panel highly recommends that the organization preserve the evidence and report the ransomware attack to its local FBI law enforcement office or online at the FBI Internet Crime Complaint Center. The FBI conducts joint investigations with numerous countries to try to identify and shut down these attackers. While the FBI may not be able to resolve the current situation, the more information the FBI has, the better it will be able to disrupt the criminal hierarchy and prevent future attacks.
  • Remediate – At this point, once your data is held for ransom, there are not many alternatives available to you. You can pay the ransom, try to negotiate a reduced ransom payment, or not pay the ransom. The FBI discourages the payment of any ransom. The Bureau believes that “success breeds success” and paying a ransom will encourage those bad actors to keep at it so long as there is a profit to be made.

To Pay or Not to Pay, That is the Question

The FBI recommends that companies not pay the ransom. However, in reality, if the information is critical and there are no backups, companies may be tempted to pay the ransom. The attackers know the sweet spot and have priced the ransom accordingly – a small sum of a few hundred or thousand dollars versus the cost of company downtime, lost data, lost productivity, and general network shutdown, in addition to bad publicity. But beware when paying a ransom! There are pitfalls – these attackers are not model citizens.

  • First, do not expect that your data will be returned even if the ransom is paid. Fewer than 80% of decryption keys are returned to victims that paid.
  • Second, beware of the bait and switch, where once you agree to pay the agreed-upon price, the attacker then raises the ransom amount.
  • Third, beware of any links provided by the attacker for you to purchase Bitcoins, as that link may be programmed to harvest additional information from you – to be used against you at a later date or to sell to other organizations to attack you again. If possible, purchase the Bitcoins from a reputable place – some sources are sketchy, and purchasing from them may lead you to provide additional information that can subject you/your organization to further malware.
  • Fourth, by demonstrating a willingness to pay, you increase your risk of being a target of future attacks.
  • Finally, if possible, communicate with the attacker via an anonymous account or an intermediary.

Some organizations may not be in a position to pay the requested ransom amount and may be tempted to negotiate more favorable pricing. One panelist indicated that on average, negotiations may lower the ransom demand by approximately 29%. However, a willingness to negotiate tells the attacker that you have no data backup and he/she may try to take further advantage of the situation.

Mitigating the Damage

Correctly managing the aftermath of a ransomware attack is critical to protecting your customers and navigating liability. Ransomware attacks can affect different industries differently. But, regardless of industry, security and communication will be key in the wake of an attack. Some things to consider include:

  • Be prepared to determine if, and to what extent, you want law enforcement involved. Establishing relationships with law enforcement officials before an attack can help restore your business after an attack.
  • Be ready to respond to customer questions with facts – do not speculate.
  • Be sure your information governance program identifies what data you have and where it is stored, so you know what data is at risk.
  • Have an incident response team and plan in place – internally and externally.
  • If your service was disrupted, be sure to restore service first, then do a forensic search later. Most importantly, don’t repeat poor behavior – if the attack was a result of a phishing email, be sure that email is flagged so other employees do not click on it.