Now Is the Time to Create a Ransomware Response Plan (Here's How)

Ransomware has become a critical threat to businesses of all types and sizes. The volume of attacks increased 485% in 2020, and that trajectory continues into 2021.

In addition to the increased number of attacks, ransomware demands have also been rising along with remediation costs, which now average over one million dollars per incident.

Without the proper cybersecurity safeguards in place, companies can be devastated if impacted by a ransomware attack. 

Two major attacks that happened in May of this year were Colonial Pipeline and JBS, the world’s largest producer of beef and pork. Both companies had to shut down operations for several days and the impact went far beyond those organizations.

In the case of the Colonial Pipeline attack, gas prices soared in the U.S. to above $3.00 per gallon and there were widespread gas shortages across the East Coast due to panic buying.

Restaurants saw an increased price for meat as a result of the JBS plant shutdowns.

Neither company was properly prepared and thus opted to pay millions of dollars to the attackers to regain operations as soon as possible. Colonial Pipeline paid $4.4 million and JBS paid $11 million in ransom.

And that’s the major reason that ransomware continues to get more dangerous each year. Fifty-six percent of companies pay the ransom because they’re not prepared to recover quickly on their own. This indicates to hackers and criminal organizations around the world that ransomware attacks are a great way to make money and fund other illicit activities. 

How do you avoid becoming a local ransomware news headline in your town? The key is to have a Ransomware Response Plan that will properly prepare you for an attack so you can respond swiftly and mitigate downtime.

Steps for Creating a Ransomware Response Plan 

There are three main areas you want to cover in your ransomware response plan. These include:

  • Preparation
  • Response
  • Recovery

The goal of a ransomware response plan is to mitigate costs and damage if you’re hit with ransomware. Of course, you want to put systems in place, like managed IT services, to reduce the chance of an attack, but you also need to be ready should one happen.

In the case of the Colonial Pipeline attack, one unused VPN account that didn’t have multi-factor authentication was the cause of that major breach, costing the company millions of dollars.

Had the organization been properly prepared with a response plan, it might have avoided having to pay a ransom and been able to get operations back up and running sooner.

Here is a roadmap for creating your ransomware response plan.


Preparation

Preparation includes putting systems in place to help you recover from an attack, as well as a plan for your team to follow.

For example, in preparation for being hit with ransomware you want to have a full backup of all your data in a format that’s easy to restore.

Time can also be wasted in a ransomware emergency if no one knows what they’re supposed to do. Create a clear responsibility chart so each employee knows what they’re to do if an attack occurs.

For example, all employees may be responsible for immediately disconnecting their devices from the internet and company intranet to reduce the risk of spread. A manager may be in charge of calling your IT department, and another may have the task of disconnecting company servers from Wi-Fi and ethernet.

Once you have your plans ready, they need to be practiced in drills, so everyone will have gone through the paces and honed their response time.

Preparation involves:

  • Putting tools in place for a fast ransomware response (backup & recovery)
  • Creating a step-by-step plan for employees
  • Conducting ransomware response drills for practice


Response

Once hit with ransomware, your team should spring into action if you’ve properly prepared your plan in step 1. You should have a fluid communication system in place through team messaging or other means, so everyone knows what’s happening and isn’t wasting time calling around to find out (e.g., “Team: The IT department has been called and is expected on site in 20 minutes.”).

Don’t attempt to contact the ransomware attacker or try to remove the malware yourself. You could irreparably corrupt your data. It’s best to wait for the professionals so we can properly assess and remove the ransomware and prepare your systems for data recovery.

Response involves:

  • Carrying out your response plan
  • Facilitating team communication
  • Letting the experts do their work


Recovery

Once the ransomware is removed, the data recovery phase will begin. If you’ve already practiced data recovery in drills with your IT professional, then this phase should go smoothly.

Another recovery task you need to do is to prepare and send a notification to your customers, vendors, and anyone else whose data may have been impacted or who was impacted by your company being down. It’s best to get out ahead of questions and explain when you expect full operations to resume.

Next, work with your IT team to identify how the breach happened so that vulnerabilities can be addressed, and you can put measures in place to prevent a repeat incident.

Take what you’ve learned from your response and upgrade your ransomware response plan accordingly.

Recovery involves:

  • Restoring your backup data
  • Preparing and sending a notification to customers, vendors, and employees
  • Identifying the cause and rectifying the weakness
  • Improving your response plan with what you’ve learned

Get Help Preparing Your Business for a Fast Recovery

Onsite Techs of Rhode Island can help your company put together a ransomware response plan and work with you on preparedness drills. We’ll be by your side every step of the way to help mitigate risk and respond swiftly if needed.

Contact us today to schedule a consultation at 401-773-7766 or book a video call now.