COMMENTARY: Ransomware attacks can halt operations, disrupt critical infrastructure, and cause long-term reputational and financial damage. Despite this, many organizations still rely on outdated or generic incident response (IR) plans that are ill-equipped to handle the unique nature of ransomware.

Traditional IR strategies fall short because they assume email will work, response teams can communicate freely, and IT systems will support restoration efforts. In a ransomware event, these assumptions often prove dangerously wrong.

In addition, true readiness starts at the top, since ransomware is an organizational threat that requires executive ownership. Executives must adopt a mindset that plans for total system disruption and craft a response that operates even when digital resources are unavailable. To mount an effective defense against ransomware, organizations must rethink their IR plans and shift their thinking from the top down.
The three costliest mistakes of ransomware response

Even organizations with mature cybersecurity programs are vulnerable to specific, preventable errors during a ransomware incident. Some of the most damaging mistakes don’t stem from technical weaknesses, but from unpreparedness in key operational areas. Understanding and addressing these common missteps can mean the difference between swift recovery and prolonged chaos. Here are the three costliest and most commonly overlooked pitfalls in ransomware response:
Logging and forensic failures: When systems are encrypted or taken offline, visibility into the attack gets lost—unless organizations have maintained adequate logging practices and captured forensic data in time. In many cases, logs are stored on the same systems that are compromised, or forensic imaging is skipped altogether. In one real-world case, an organization paid the ransom and resumed operations, but failed to collect proper forensic evidence. A year later, a potential acquisition was canceled when the buyer could not verify that the network was secure. To prevent this, ensure logging levels are appropriate (enable enhanced logging in Microsoft O365) and store logs off-network. Do not restore systems until responders have captured forensic images.
Communication breakdowns: Without clear, coordinated communication, confusion spreads, morale suffers, and reputations are damaged. In one example, a hospital failed to inform both IT staff and the public about the true nature of a ransomware event. Staff had to revert to pen and paper while leadership remained silent. The result was confusion, lost trust and eventually public exposure by the attackers themselves. Executives must ensure the IR plan includes a clear, legally vetted communication strategy. Define who speaks, what they say, how often, and to whom. Communicate within a “knowledge boundary”—and don’t speculate. In addition, it’s essential to practice this communication during tabletop exercises (TTXs).
Failure to prepare financially: Companies often overlook the financial aspects of ransomware readiness. The decision to pay or not pay a ransom requires complex ethical, legal and business considerations – all of which the company should debate and document long before an incident occurs. Use a structured three-gate framework to guide ransom payment decisions: Does payment conflict with the company’s organizational values? Is payment legally permissible under OFAC and other applicable regulations? Does the cost of downtime justify the business risk and recovery cost? Additionally, many banks limit large wire transfers to crypto brokers. One company discovered their daily limit was $500K—far too low to move a multi-million-dollar ransom in time. Some large firms are now pre-purchasing stablecoins like USDC to hold in reserve, which allows for rapid response if payment becomes the only viable option.
Three ways to build a ransomware-resilient IR plan

A strong ransomware IR plan isn’t static—it’s tailored, tested and continually improved. Here are three proactive steps to build one that stands up:
Tailor the plan to fit the organization: No two organizations are alike, and response plans must reflect differences in size, risk tolerance, industry requirements and operational dependencies. A strong plan includes a detailed communications matrix, legal and insurance engagement protocols, financial decision frameworks and a prioritized list of critical systems for recovery. It also defines out-of-band communication tools that do not rely on compromised systems.
Put the plan to the test: Real preparedness comes from testing the plan. TTXs simulate crisis conditions and reveal gaps in authority, process and execution. Effective TTXs are not about going through the motions. Assign a dedicated scribe to document breakdowns in ownership, confusion over roles, or unclear processes. Afterward, hold a debrief session, revise the plan and schedule a follow-up exercise to test fixes.
Ensure offline accessibility: Don’t let the plan become a victim of the attack. Ensure hard copies are printed, distributed, and stored in both onsite and offsite secure locations. Review and refresh these copies quarterly. IR partners should also have access to current versions.
Don’t think of ransomware as just another cyber incident: it’s a test of an organization’s ability to lead under pressure. The organizations that bounce back aren’t necessarily the ones with the most advanced tools, but those that planned, trained, and coordinated for this type of attack.

Executives also bear the responsibility of leading this transformation. By rethinking the company’s IR strategy, embracing ransomware-specific planning, and committing to regular exercises and reviews, leaders can ensure that their teams are truly resilient when a ransomware attack occurs.

Kurtis Minder, co-founder and CEO, GroupSense

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.