Guide to preparing and recovering from a ransomware attack

12 March 2019

Ransomware is a malicious file designed to extort money by disabling your computer or encrypting your computer files until you pay the attacker’s ransom demands.

The file usually gains access to your systems through a bogus email link or attachment that someone clicks on, through a visit to a seemingly reputable, secure website; or through compromises of remote access protocols or patch vulnerabilities.

Anyone can be targeted by ransomware attackers, regardless of industry or company size, and attacks are on the rise, as they can be extremely profitable for hackers.


  • Ensure that your systems are adequately patched
  • Migrate from unsupported operating systems
  • Ensure your backups and archives are available and usable (no gaps)
  • Build a network of external vendors who can assist you in the case of an attack (including cyber extortion experts)
  • Be aware of the effects of RAAS (ransomware as a service) and ‘bad’ strains of ransomware on the decryption process
  • Ensure you have adequate cyber insurance cover (review the conditions of your existing policies and extensions to identify any gaps)
  • Stress test your policy with known ransomware scenarios.


  • Be aware that you may not regain control of your systems/ be able to restore your data
  • Remember that decryption can be a very time-consuming process and plan accordingly
  • Identify the root cause and scope of the attack to assess the potential damage and recovery time. For example, is the attack internal or external? Is it a scattershot or specifically targeted attack?
  • Understand the capabilities of the malware you’re dealing with and check it for additional payloads
  • Consult your cyber insurance policy to assess your coverage and check if the vendors/resources used during the recovery process need to be pre-approved.
 Sign up to our latest  news & insights Sign up to our latest  news & insights


Contain the damage:

  • Confirm that the hacker’s access has been revoked and the ransomware isn’t still actively encrypting files before you disconnect affected machines from the network
  • Identify the attack vector and patch your system vulnerabilities
  • Preserve a live copy of the ransomware offline for further analysis
  • The process and timeline of restoring your backups needs to be logged in your incident response plan.

Ransom payment:

  • Decide on the best form of communication with your attacker to determine the ransom deadline and consequences
  • Consider the steps and costs involved with transferring cryptocurrency
  • Secure the decryption key and ensure you understand the decryption process and contingency plan.


  • Involve law enforcement early on in the process
  • Perform your due diligence and any additional investigations to determine the identity of the hacker and the relevant implications
  • Be aware of any possible notification obligations to individuals, regulators or data protection authorities
  • There is also the potential for regulatory actions or lawsuits for failing to protect data or report your risk
  • Cyber-related disclosures may need to be added to your financial statements under certain regulations


In conclusion, being aware of all these factors and preparing your incident response plan accordingly will ensure that your cyber security is as airtight as possible.

Cyber insurance is a vital part of this process, as it will give your company access to a whole network of expert vendors who understand how to tackle all the potential hurdles that could come up during an attack.

Cyber insurance will also give you the added reassurance that your incident response plan has been stress tested to ensure its effectiveness and will act as the much needed safety net in the unfortunate case of data and financial loss.

Knowledge is power; make sure your company has its shield ready.

For more information please contact Sarah Stephens, Head of Cyber on +44 (0)203 394 0486.