What is Ransomware Response?
Ransomware response covers the decisions made in the first hours and days after an attack. Learn the playbook boards need, from containment to ransom decisions to recovery.
The First 24 Hours: Containment and Assessment
The first priority in a ransomware response is containment — preventing the ransomware from spreading to additional systems while preserving forensic evidence. This requires isolating affected systems from the network, identifying the initial access vector (how did the attacker get in?), determining the scope of encryption, and assessing whether the attacker still has active access to the environment.
Critically: ransomware encryption is typically the last stage of a multi-week attack. By the time files are encrypting and the ransom note appears, the attacker has usually been in the environment for days or weeks — conducting reconnaissance, stealing data, identifying backup systems, and positioning for maximum impact. The encryption event is not the beginning of the incident. It is the end of the attacker's preparation phase.
This means that the first response question — 'what systems are affected?' — is significantly harder to answer than it appears. The attacker may have accessed systems that show no encryption. Credentials may be compromised beyond the identified blast radius. Data may have been exfiltrated before encryption began. Forensic investigation is required to establish the true scope, and that investigation takes time that feels interminable under board pressure for immediate answers.
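The scope problem described above can be made concrete with a small triage script. This is an added example, not from the original article: it takes a constructed authentication log (hypothetical format), the hosts where a ransom note was found, and the account tied to the initial access vector, then expands the scope to every host a compromised account reached and every account that logged onto a compromised host, which is how the true blast radius ends up larger than the set of encrypted systems.

```python
import re

# Constructed sample logon records (hypothetical format, not from any real
# incident): remote logons in the days before the encryption event.
AUTH_LOG = """\
2024-02-18T22:14:03Z logon user=vpn.contractor src=VPN-GW dst=WS-07
2024-02-18T22:40:51Z logon user=vpn.contractor src=WS-07 dst=FS-01
2024-02-19T01:05:12Z logon user=admin.backup src=JUMP-01 dst=FS-01
2024-02-19T01:07:40Z logon user=admin.backup src=FS-01 dst=BKP-01
2024-02-19T03:30:00Z logon user=admin.backup src=FS-01 dst=DC-01
2024-02-19T09:12:00Z logon user=alice src=WS-12 dst=FS-02
2024-02-20T02:00:00Z logon user=admin.backup src=DC-01 dst=HR-APP
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) logon user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")

def parse_logons(text):
    """Parse the constructed log format; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def assess_scope(events, encrypted_hosts, seed_accounts):
    """Expand scope to a fixpoint using two conservative rules:
    - any host a compromised account logged onto is in scope, encrypted or not;
    - any account that logged onto an in-scope host is treated as harvested.
    Timing is ignored on purpose: without a confirmed first-compromise time per
    host, over-scoping is the safer error in the first 24 hours."""
    hosts, accounts = set(encrypted_hosts), set(seed_accounts)
    changed = True
    while changed:
        changed = False
        for e in events:
            if e["user"] in accounts and e["dst"] not in hosts:
                hosts.add(e["dst"])
                changed = True
            if e["dst"] in hosts and e["user"] not in accounts:
                accounts.add(e["user"])
                changed = True
    return {"hosts": hosts, "accounts": accounts,  # accounts: all need a credential reset
            "unencrypted_in_scope": hosts - set(encrypted_hosts)}

def run_example():
    # Ransom notes found on FS-01 and BKP-01; initial access vector was the
    # vpn.contractor VPN account (both constructed for this example).
    return assess_scope(parse_logons(AUTH_LOG), {"FS-01", "BKP-01"}, {"vpn.contractor"})
```

Calling `run_example()` on the constructed data puts WS-07, DC-01 and HR-APP in scope although none of them was encrypted, and flags admin.backup for reset alongside the seed account.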
The Ransom Decision
The decision of whether to pay a ransom is one of the most consequential and legally complex decisions in ransomware response. Several factors bear on it.
OFAC compliance. The US Treasury's Office of Foreign Assets Control maintains a list of sanctioned entities. Paying ransom to a sanctioned threat group — which includes several major ransomware operators — may violate OFAC regulations regardless of intent. The legal obligation to check the ransomware group against the OFAC SDN list before any payment decision is non-negotiable. This requires legal counsel involvement before the ransom decision is made.
Backup viability. If backups are intact, isolated, and tested, paying the ransom provides little operational value — the organization can recover from backups. If backups were encrypted or destroyed by the attacker (which sophisticated operators do systematically), paying for the decryptor may be the fastest recovery path. Backup viability assessment is the first technical question that informs the ransom decision.
Data exfiltration. Most sophisticated ransomware operators now use double extortion: they encrypt files AND threaten to publish stolen data if the ransom is not paid. If sensitive customer data, regulated data, or strategically significant information was exfiltrated, paying the ransom for a 'promise' not to publish provides no legal protection — the data is still in the attacker's possession regardless of payment.
Regulatory Notification Requirements
Ransomware attacks trigger notification obligations that are independent of whether data was actually accessed or exfiltrated. The key frameworks: SEC rules require public companies to disclose material cybersecurity incidents within four business days of determining materiality. State breach notification laws require notification when personal information was 'accessed or acquired' — most ransomware incidents involving systems that contain personal data trigger this standard regardless of whether exfiltration is confirmed. HIPAA requires breach notification within 60 days of discovery for covered entities. The EU GDPR requires notification to supervisory authorities within 72 hours of becoming aware of a breach affecting personal data.
The practical consequence is that most significant ransomware incidents require regulatory notification within days of detection — often before forensic investigation is complete enough to fully understand the scope. Legal counsel should be engaged within hours of confirmed ransomware detection, not after the technical response is complete.
Ransomware Recovery Sequencing
Recovery from ransomware follows a sequencing logic that is counterintuitive under pressure. The instinct is to restore everything immediately. The correct sequence is: restore critical business operations first (payroll, customer-facing systems, supply chain), then internal productivity systems, then administrative systems. Restoring everything simultaneously overwhelms IT capacity and may delay the systems that matter most to business continuity.
Before restoring any system from backup, the initial access vector must be identified and closed. Restoring systems from backups into an environment where the attacker still has active access results in re-encryption. This is not a hypothetical scenario — it is documented in multiple incident response after-action reports as one of the most costly mistakes in ransomware recovery.
The Board's Role in Ransomware Response
For boards, ransomware response preparedness requires three things before an incident occurs: an incident response plan with defined decision authorities (who approves the ransom decision? who authorizes regulatory notification?), tested backups with demonstrated recovery time objectives, and pre-engaged external resources (forensic firm, outside legal counsel with breach response experience, public relations counsel for crisis communications). Organizations that prepare these elements in advance recover materially faster than those that assemble them under pressure.
Related Reading
Change Healthcare: When Ransom Payment Doesn't End the Crisis
UnitedHealth Group paid approximately $22M in ransom to the ALPHV/BlackCat ransomware group following the February 2024 Change Healthcare attack. The payment did not end the incident. The ransomware affiliate — separate from the ALPHV leadership — claimed they still had the stolen data and began threatening to publish it independently. UnitedHealth faced regulatory investigations, congressional testimony, class action lawsuits, and business continuity costs that pushed total incident costs well beyond $870M in the first reporting quarter. The Change Healthcare case illustrates two lessons that boards must internalize: paying ransom does not guarantee data security when double extortion is involved, and the true cost of a major ransomware incident is measured in multiples of the ransom payment itself.
Average ransom payment in 2024 for enterprise organizations, according to Sophos State of Ransomware research. The ransom payment is only the beginning — forensics, legal response, regulatory notification, business interruption, and reputation damage typically cost multiples of the ransom itself. Total incident cost averages $2.73M beyond the ransom payment.