Blog Articles
Read MSP360’s latest news and expert articles about MSP business and technology

Designing a Ransomware Response Plan

Designing a Ransomware Response Plan

Ransomware attacks, which have grown at rates of as much as 350 percent per year in recent years, are one of the most pressing security challenges facing businesses today. And, while the best strategy is to take steps to prevent ransomware attacks from happening in the first place, the reality is that there is no way to guarantee your data won’t be held for ransom.

That’s why it’s crucial to have a ransomware response plan in place. This plan helps both internal IT departments and managed services providers, or MSPs, react quickly and effectively when ransomware strikes.

Keep reading for tips on building a solid response plan tailored to your organization’s needs.

Table of Contents

    Why Create a Ransomware Response Plan?

    There are several reasons to create it, as opposed to managing ransomware recovery on an ad hoc basis with no plan in place.

    Perhaps the most obvious reason is that having a plan in place for responding to a ransomware incident helps to ensure that you can actually recover from the attack without paying the ransom. If recovery is expected to take too long because of the lack of a plan, the business you support may choose to pay the ransom in order to restore operations, even if the data could be recovered through other means. That’s not an ideal outcome. Not only will it cost the business money, but it also harms the reputation of your IT team.

    An important factor is that ransomware attacks cost businesses large sums of money. The typical business suffers financial losses of $7,900 per minute when data is rendered unavailable by a ransomware attack or other problem. By enabling faster data recovery, ransomware response plans save money.

    A response plan also helps ensure that you are in a stronger position to prevent ransomware attacks from recurring. If you don’t have a formal response plan in place that includes steps to prevent future breaches, you are more likely to keep suffering the same types of attacks over and over.

    A third reason to create it is to help protect your business’s reputation. Even if the direct financial impact of downtime is minimal, the business’s brand is likely to be harmed if services are disrupted by a ransomware attack. With a response plan in place, you are in a better position to recover data before customer operations are critically disrupted.

      New call-to-action

    Further reading Responding to Cyberattacks: 6 Top Tips

    Who Needs a Ransomware Response Plan?

    Ransomware affects businesses of all types and sizes, and across all industries. Whether you support a large enterprise or a small business with just a handful of employees, you should be prepared to respond to ransomware.

    In addition, as noted above, ransomware response plans are also a valuable resource for both internal IT teams and MSPs who provide IT support to businesses on an outsourced basis.

    The MSP’s Response Guide to a Ransomware Attack [PDF]

    New call-to-action

    Ransomware Incident Response Plan Template

    These plans will vary from one team to another. They should reflect the specific types of data that are at risk, the backup tools and processes the team has in place, and the resources available for responding to ransomware attacks.

    In general, however, the following is an outline of what a typical ransomware response plan looks like.

    Define the Scope of the Attack

    The first step in responding to virtually any ransomware attack is to determine how much data was affected, and how many systems were breached. Was the attack limited to a single server or a single S3 bucket, for example, or was all the data within your data center or cloud environment impacted?

    Disable Affected Systems

    After identifying the affected systems, your next step should be to disable them in order to prevent the attack from spreading further.

    You can disable them by shutting them down or simply disconnecting them from the network. Whichever approach you take, however, make sure you act in a controlled manner, rather than panicking: Specify in your plan which systems will be disabled first, how they will be disabled and which steps must be taken during disabling to ensure that data remains intact when the systems go offline.

    Assess the Damage

    Once you’re sure the attack is no longer active and spreading, you can assess the extent of the damage. Determine how much data was held for ransom, whether backups are available, and (if applicable) how recent those backups are.

    Your ransomware response plan should also include an assessment of whether recovery plans exist for any backup data you have on hand. Ideally, you’ll have specific data recovery plans already in place that you can execute quickly to recover the data.

    New call-to-action

    Disclose the Attack

    Sometimes, compliance regulations may require you to disclose the attack. For example, ransomware attacks that impact data that the GDPR defines as sensitive require mandatory disclosure of the attacks, regardless of the volume of data affected. On the other hand, data that is not considered personal or sensitive will generally not require disclosure of a breach.

    If disclosure is required, follow the steps specified by the relevant regulatory framework to disclose the attack. Typically, disclosure involves notifying government authorities and/or notifying consumers whose personal data was breached.

    Prepare a Recovery Plan

    Next, you can develop a plan for recovering your data.

    If all the affected data was backed up recently and you have recovery plans already in place for those backups, your ransomware recovery process can be as simple as executing your existing recovery plans.

    If you weren’t so well prepared, however, you’ll need to design a recovery plan following the attack. Developing a plan will take some time, but it’s important to build a complete plan before you begin actual recovery. Otherwise, you are at a higher risk of making mistakes or overlooking important details during the recovery process.

    You may also need to consider how to recover data if you don’t have recent backups for it. In some cases, this may simply be impossible. In others, however, you may be able to recover at least some data. For example, there may be production systems that weren’t breached that contain copies of some of the impacted data; you can use these to restore that data. You could also choose to restore from outdated backups, which may be better than nothing.

    During the recovery planning process, it’s often valuable to consult with business stakeholders. Let them know what to expect regarding when recovery will be complete and how much data will be restored to its original state. They may also be able to offer perspective on which data it is most important to recover first.

    Recover the Data

    With your recovery plan in place, you can execute it to recover data, depending on how your data was backed up.

    Further reading Guide to Cloud Disaster Recovery

    Perform a Security Audit

    Once the data is recovered and operations have been restored, take time to determine how your systems were breached. Did the ransomware enter your environment via phishing, malware, a malicious insider, or something else? Identifying the source of the breach will help prevent it from happening again.

    Further reading IT Security Audit: A Comprehensive Guide

    Whitepaper icon

    New call-to-action
    IT Security Assessment Checklist

    Assess vulnerabilities and threats, network security, workspace and equipment security, documentation, and more. The pack includes:

    • a ready-to-print PDF file
    • an Excel file to help create a customizable assessment resource

    Create an Incident Report

    The final step in many ransomware response plans is to write an incident report detailing the narrative of the attack, the data, and systems it affected, and the steps you took in response. The report may also include steps you will take or have taken to prevent a similar attack from happening again in the future.

    Response Plan Lifecycle

    Your planning for ransomware protection shouldn’t end with simply creating a ransomware incident response plan template. You should take additional steps to make sure the plan will actually work as required. Those steps include:

    • Define your response team: Determine who will be responsible for carrying out the response plan following a ransomware attack.
    • Test the plan: Do a dry run of the plan ahead of time to identify any gaps or unexpected problems.
    • Retest the plan: Design a schedule for testing the plan again on a periodic basis. This is important, because your systems will change, and you’ll need to make sure your ransomware response plan keeps up.
    • Update the plan: Don’t wait until you test the plan to discover that it no longer fits your systems. You should also update the plan whenever you implement new technology (such as a new type of cloud service or new servers) or new policy (like allowing users to work from home).


    Ransomware affects all businesses, across all industries. There’s no hiding from it, and even the most meticulous cybersecurity strategy can’t guarantee that your data won’t be impacted by ransomware.

    In order to protect the business you support, then, it’s essential to design a ransomware response plan, test it and update it regularly. With a plan in place, you’re in a better position to respond quickly and effectively when ransomware strikes.

    WP icon

    New call-to-action
    The MSP’s Response Guide to a Ransomware Attack

    Read our free guide to learn about:

    • Common MSP vulnerabilities;
    • How to prepare for a ransomware attack to keep your clients safe;
    • Which actions response to a ransomware attack should involve;
    • How to manage clients while handling an attack.