
Ransomware attack: how to prepare for the worst-case scenario

March 13, 2023
4 MIN READ

Ransomware continues to increase both in the number of attacks annually[1] and in their complexity, so if your organization hasn’t been impacted by ransomware yet, it is likely only a matter of time. The FBI received nearly 4000 reports[2] of ransomware attacks in 2021, with financial services, healthcare, education and government entities most likely to fall victim.

The good news is that organizations are wising up and following the advice of law enforcement not to pay the ransom. But even though overall payments dropped[3] from $765 million in 2021 to $456 million in 2022, companies are still handing over the money to recover their data. That is, if they can recover their data at all: more cybercriminals are taking the money and keeping the data anyway.

The bad news is that a ransomware attack is going to cost you no matter what you decide about paying the ransom. The worse news is that too many organizations aren’t prepared for the aftermath of a ransomware attack. While many companies have set up a cyberattack plan, those plans don’t always include a point-by-point checklist of what to do when the cyberattack is a ransomware attack.

It is crucial to think about your approach to a ransomware attack before it happens. If you decide to pay (and that is a decision that should be spelled out long before the attack happens), do you have funds for a ransom built into your budget? Do you know what your cyber insurance will cover? And how do you set up the transaction if the ransom is demanded in cryptocurrency? In addition, keep in mind that some government agencies have attached legal consequences to paying a ransom.

Writing a ransomware position statement

Ransomware doesn’t fit neatly into typical incident response planning and testing because it all comes down to one distinguishing factor: the data is being held hostage by cybercriminals, and you have to determine whether it is worth paying a ransom to recover it. Sometimes the steps normally taken to address a cyber incident (detection, remediation, recovery) don’t work, and that is when the difficult call has to be made.

A best practice is to run a ransomware tabletop exercise. The exercise is intended to mimic a realistic scenario and includes key stakeholders from across the organization. Its goals include creating transparency in communication, assessing the plan of action, minimizing potential gaps in your cybersecurity program and, ultimately, helping to answer the question: do you pay the ransom?

Ultimately, your decision shouldn’t be made in the middle of a cyber incident. Every company should have, as part of its incident response plan, a ransomware position statement that identifies when and why the company would pay a ransom. This statement should be devised with a group of corporate stakeholders that includes legal, finance, executive leadership, IT and security.

Should you pay the ransom?  

Some considerations that weigh against paying a ransom:

  • Legal implications (American law enforcement recommends against it)
  • Risks of becoming a repeat target
  • Lack of insurance (many cyber insurance firms are declining ransomware protection)
  • Reputational damage 
  • Tax and audit considerations 

Putting the budget together

Despite the reasons to avoid it, some companies will decide that paying the ransom is the best option for them. It could be that they don’t have a good backup system or that the amount of time it will take to bring the backup online will do more damage to the business, especially where human life is concerned. If that’s the case, then you have to think about how to best budget for a ransomware attack.

That begins with deciding where the money will come from. Not every organization has the ability to set aside a few million dollars for a ransom, and even if it does, there needs to be agreement on which budget that money comes out of. Which department will be responsible for releasing the funds, or will it be a mix of departments?

An approval chain must be put in place. Paying a ransom shouldn’t be the decision of one person. Any ransomware recovery policy should include a decision-making and approval chart that names the responsible parties in each entity involved.

The worst time to be figuring out any of the financial implications of a ransomware attack is during the middle of the crisis. Having a plan and budget in place before the worst happens will make it easier if you do decide to pay.


[1] “The State of Ransomware 2022.” Sophos.

[2] “2021 Internet Crime Report.” Federal Bureau of Investigation.

[3] Toulas, Bill. “Ransomware profits drop 40% in 2022 as victims refuse to pay.” Bleeping Computer.
