This post was written with contributions from Andrew Gorecki, Camille Singleton and Charles DeBeck.

May and June bring warm weather, backyard barbecues and, in recent years, an uptick in ransomware attacks. Why?

“It’s possible workers are distracted because the sun is out and kids are out of school,” said Charles DeBeck, a former senior strategic analyst with IBM Security X-Force. Experts like DeBeck monitor attacks to determine if the uptick becomes an established seasonal pattern.

Ransomware is a severe threat, no matter the season. For over three years, ransomware has been the most prevalent cybersecurity attack type, as the IBM Security X-Force Threat Intelligence Index 2022 notes. The average cost of a ransomware breach is $4.62 million, including lost revenue and response expenses, according to the Cost of a Data Breach Report. That sum excludes the ransom itself, which can run into the millions.

While it’s critical to focus on prevention, companies also need to strategize in advance for a possible attack.

“A lot of organizations have response plans, but there’s great variance in the quality of these plans and whether they’ve been properly tested,” said DeBeck. Reacting quickly and decisively to an attack can make a vast difference in how much damage is done.

This year’s Threat Intelligence Index breaks down five critical steps in an effective ransomware response plan. We asked three experts from IBM Security for more details on what preparations should include.

Step One: Checklist of Urgent Action Items

The most effective response plan includes a list of steps to take right away in a crisis. Develop a step-by-step playbook of tasks to contain an attack, such as isolating hardware and shutting down services. Include steps to contact management and law enforcement, such as the FBI.

“Cyberattacks are often conducted by organized cyber crime and nation-state sponsored threat actors. For this reason, it’s important to notify law enforcement about a crime against your organization,” said Andrew Gorecki, global remediation lead for X-Force.

“The intelligence victim organizations share with law enforcement and government agencies is imperative to helping fight cyber crime and strengthening collaboration between private and public sector organizations,” he added.

Containing an attack quickly is key. Assuming that the attack has already encrypted your data, it’s essential to have a plan to restore data from backups safely. The longer you wait, the larger the impact will be on operations. Back up data frequently and test restoration procedures often.

Step Two: Assume Data Theft and Data Leakage

Ransomware attacks used to be fairly simple. The attacker rendered your data useless through encryption, then promised to hand over a decryption key if you paid up. Today’s attackers aim to improve their payout amounts by threatening to leak stolen data, such as:

  • Sensitive material that business rivals can use
  • Confidential messages that can embarrass executives or tarnish the company’s good name
  • Protected data, such as customers’ credit card information, which could result in legal liability or regulatory fines if leaked.

“Ransomware attackers have found that this kind of ‘double extortion’ tactic is extraordinarily effective, and we see it in almost every attack now,” said Camille Singleton, manager of the X-Force Cyber Range Tech Team.

The problem can worsen if your company holds data that belongs to someone else, like a business partner.

“Attackers know that if they steal data that belongs to a different organization than the one they’re attacking, that gives them added leverage,” said Singleton. Pressure from the victim’s partners and the threat of breaching a contract raises the stakes.

Step Three: Prepare for Cloud-Related Attacks

Knowing that enterprises rely more and more on cloud environments, attackers develop specific tools that are purpose-built to exploit common cloud-based operating systems and application programming interfaces. Nearly a quarter of security incidents stem from threat actors pivoting into the cloud from on-premises networks, according to the Threat Intelligence Index.

In fact, attackers today are focusing their attacks on cloud environments with new versions of Linux-based ransomware. About 14% of Linux ransomware in 2021 comprised new code, according to an analysis by X-Force Threat Intelligence partner Intezer.

Enterprises need to strengthen cloud-based systems and ensure passwords comply with policies. A zero trust approach — which assumes a breach has happened and uses network verification measures to thwart attackers’ internal movements — makes it more difficult for cloud attackers to gain a foothold.

Step Four: Stay Updated on Best Backup Practices

Traditional backups to old-school tape drives, a possible line of defense against ransomware, can be very slow due to their mechanical nature. Tapes also wear out, which can increase the risk of data loss.

Gorecki recommends rethinking how to approach cyber recovery. Disaster recovery (DR) strategies are not effective in ransomware recovery. Instead, consider creating logically air-gapped snapshots of primary storage, providing immutable, incorruptible data copies. Modern, effective cyber vault solutions offer validation and verification of data. This new backup approach lets victims recover more quickly from ransomware attacks.
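Both Step One ("test restoration procedures often") and the validation and verification Gorecki describes here come down to one routine question: does a restore from the backup copy actually reproduce the data that was backed up? The script below is an added example, not code from the article or from IBM, of the smallest drill that answers that question. It records a SHA-256 manifest from the primary copy at backup time, restores the backup into a scratch directory, and checks every restored file against the manifest, so a backup copy that was later altered (for example, encrypted together with a reachable backup share) is rejected rather than trusted. The directory names, file contents and the in-place tampering step are constructed for the demonstration; the script does not implement the air-gapping or immutability of a cyber vault, only the verification side.

```shell
#!/bin/sh
# Added example (not from the original article): backup, manifest, restore
# drill and verification. All names and sample data are constructed.
set -eu

# Constructed sample data standing in for primary storage.
make_sample_data() {
    mkdir -p "$1/app"
    printf 'customer records v1\n' > "$1/app/records.txt"
    printf 'db_host=db01\n'        > "$1/app/config.ini"
}

# Take a backup: copy the tree and record a SHA-256 manifest computed from
# the primary copy, so the manifest does not depend on the backup copy it
# will later be checked against. (Sample paths contain no whitespace.)
take_backup() {
    src="$1"; dst="$2"
    mkdir -p "$dst/data"
    ( cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) \
        > "$dst/manifest.sha256"
    cp -R "$src/." "$dst/data/"
}

# Restore the backup copy into a scratch directory (the restore drill).
restore_backup() {
    mkdir -p "$2"
    cp -R "$1/data/." "$2/"
}

# Verify a restored tree against the manifest. Exit status 0 means every
# listed file is present and byte-for-byte identical; non-zero means a file
# is missing, corrupted or altered.
verify_restore() {
    ( cd "$2" && sha256sum -c "$1/manifest.sha256" ) >/dev/null 2>&1
}

# Run the whole drill. Returns 0 when an intact backup verifies AND a
# tampered backup copy is rejected; returns 1 otherwise.
run_drill() {
    work=$(mktemp -d)
    make_sample_data "$work/primary"
    take_backup "$work/primary" "$work/backup"

    # 1. A clean restore must verify.
    restore_backup "$work/backup" "$work/restore1"
    if ! verify_restore "$work/backup" "$work/restore1"; then
        rm -rf "$work"; return 1
    fi

    # 2. Simulate the backup copy being altered in place (constructed
    #    stand-in for a backup share that was reachable and overwritten).
    #    A restore from it must now fail verification.
    printf 'ENCRYPTED\n' > "$work/backup/data/app/records.txt"
    restore_backup "$work/backup" "$work/restore2"
    if verify_restore "$work/backup" "$work/restore2"; then
        rm -rf "$work"; return 1
    fi

    rm -rf "$work"
    return 0
}

# Run the drill when executed directly.
if run_drill; then
    echo "backup drill passed: intact copy verified, altered copy rejected"
else
    echo "backup drill FAILED" >&2
fi
```

The design point is that the manifest is produced from the primary data and stored with, but independently of, the backup copy; a restore that verifies against it proves the copy is usable, and a restore that does not is caught in the drill rather than during an incident. In a real environment the manifest (or an equivalent signed catalog) should itself live in the protected vault, and the drill should be scheduled, not run once.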

Step Five: Decide Whether to Pay a Ransom

It’s commonly said — and law enforcement agrees — that organizations should never pay a ransom. Yet, some victims do pay, especially if lives are at risk, such as in a hospital setting, or if extensive system downtime threatens the viability of the business. Every organization should run through practice drills to consider what they’d do in tough scenarios.

Businesses need to weigh the following elements before paying a ransom:

  • The value of the data lost
  • The potential fallout from a data leak
  • The quality of backups
  • The expediency of restoring backups.

Paying a ransom doesn’t guarantee you’ll get your data back or that encrypted data can be restored without corruption. Even if things go according to plan, decryption can be a lengthy process. One company that paid millions of dollars in ransom to attackers in 2021 reportedly decided to restore its data from its own backups anyway. The attackers’ decryption tool was too slow.

“Whether or not you pay is ultimately a business decision,” Gorecki said. “Will paying prevent damage to your brand or help you recover more quickly? If you can quantify the potential damage in financial terms, you can compare that to the price of the ransom.”

A final note: protecting yourself from ransomware is a long game that requires constant attention to both your infrastructure and industry trends. Attackers’ tools and tactics will keep evolving, and companies need to meet the challenge. Regardless of whether ransomware attacks pick up, as they have in recent years, now is always the right time to plan ahead.
