From severe operational disruption and financial losses to damaged consumer trust, a swift and effective response to a ransomware attack could mean the difference between containment and catastrophe for companies.

The number of ransomware incidents reported by businesses globally has more than doubled over the last five years, with 37% of all cybersecurity breaches involving ransomware, according to Verizon. This surge is driven by AI, shape-shifting malware, and tactics designed to outsmart even the most robust defences.
Targets are often forced to choose between paying extortionate sums in the hopes of regaining access to their systems and protecting sensitive information, or risk further disruption and stolen data being leaked online.
Ransomware attacks are lucrative for perpetrators; estimates suggest that criminals received more than US$1 billion in ransom payments from their victims in 2023.
Companies should already have robust measures in place designed to prevent ransomware attacks from occurring in the first place. However, given the ever-increasing risk, it’s also prudent to be aware of how to respond if the worst happens, from containing the impact of a ransomware attack to assessing whether or not to make payments to cybercriminals.
Potential consequences
During a ransomware attack, criminals surreptitiously gain entry to an organisation’s IT system in order to block access to data, usually by encrypting files. The criminal group will then demand a ransom in exchange for decryption or threaten to expose the company’s information if the ransom is not paid.
The Marks & Spencer (M&S) ransomware attack in April 2025 devastated the company’s operations, resulting in lost profits amounting to £300 million (US$405 million), compromising customer data and drawing nationwide attention.
Cyber criminals posed as an employee and successfully manipulated a third-party IT provider into resetting an internal user’s password, granting them access to M&S’s systems.
The company declined to publicly confirm or deny whether it made ransomware payments, stating only that it adopted a "hands-off approach" to negotiating with the threat actors.
The multi-cloud data warehousing platform, Snowflake, experienced a major ransomware attack in 2024, impacting the company’s business customers, including AT&T, Ticketmaster and Santander Bank. The attackers demanded ransoms ranging from US$300,000 to US$5 million from affected companies.
Public sector organisations have not been spared. The UK NHS declared a “critical incident” after its pathology services provider, Synnovis, suffered a ransomware attack last year, leading to thousands of elective procedures and appointments being postponed.
These cases underscore the devastating and far-reaching consequences of ransomware attacks on companies, their customers and critical services.
Responding to a ransomware attack
Considering the widespread potential consequences, it’s vital that organisations targeted by criminals act swiftly and appropriately to limit the scale and fallout from a ransomware attack.
Here are some key considerations for companies responding to ransomware incidents.
Detection and analysis
In the event of a suspected ransomware attack, the first step is to determine which systems are impacted and immediately isolate them. It’s necessary to disconnect infected devices from all network connections, whether wired, wireless or mobile-based.
If the attack is limited, it may be feasible to temporarily shut down the network or disconnect individual systems; this can help retain potential evidence related to the attack.
In serious cases, companies may need to fully disconnect from the internet, disabling any core network connections to contain the spread of ransomware infections.
Companies should avoid attempting to reboot, install updates or perform maintenance on affected devices, as this could result in permanent data loss or damage.
Mitigating the impacts
Once the attack has been contained, companies should reset their security measures, including credentials and passwords, particularly for administrator accounts.
It’s prudent to install, update, and run antivirus software and carefully monitor network traffic to determine whether any infection remains.
Before restoring systems, it’s vital to ensure that the backup is free from any malware and that the device being used is clean.
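One way to carry out the backup check described above before restoring, as an added example that is not from the original article: it compares a backup tree against a manifest of SHA-256 hashes recorded before the incident and flags changed files whose contents look encrypted. The manifest format, the 7.5 bits-per-byte entropy threshold and all file names are assumptions, and the sample tree is constructed.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune per environment

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def audit_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup tree with a pre-incident manifest {relative path: sha256}."""
    files = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    report = {"ok": [], "modified": [], "unexpected": [], "likely_encrypted": []}
    for rel, path in sorted(files.items()):
        data = path.read_bytes()  # whole-file read; stream in chunks for large backups
        if manifest.get(rel) == digest(data):
            report["ok"].append(rel)
            continue
        report["modified" if rel in manifest else "unexpected"].append(rel)
        # Entropy is a heuristic: compressed files also score high, so it is
        # applied only to files that already failed the manifest check.
        if entropy(data) > ENTROPY_THRESHOLD:
            report["likely_encrypted"].append(rel)
    report["missing"] = sorted(set(manifest) - set(files))
    return report

def demo() -> dict:
    """Build a constructed backup tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs/report.txt").write_text("quarterly figures\n" * 50)
        (root / "docs/plan.txt").write_text("restore plan\n" * 50)
        manifest = {p.relative_to(root).as_posix(): digest(p.read_bytes())
                    for p in root.rglob("*") if p.is_file()}
        manifest["docs/ledger.csv"] = "0" * 64  # constructed entry; file is absent
        # Constructed changes made after the manifest was taken.
        (root / "docs/plan.txt").write_bytes(os.urandom(4096))
        (root / "notes.txt").write_text("constructed unexpected file\n")
        return audit_backup(root, manifest)

if __name__ == "__main__":
    print(demo())
```

Anything reported as modified, unexpected, missing or likely encrypted is a reason to hold the restore and inspect that backup set on a clean machine.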
Has there been a data breach?
Key to assessing the impact of a ransomware attack is determining whether any personal or sensitive data has been compromised, and whether there are ongoing risks.
Companies should ascertain these facts as soon as possible to comply with relevant data breach reporting requirements. The UK and EU General Data Protection Regulation obliges organisations to report certain personal data breaches to the relevant supervisory authority within 72 hours if feasible.
If the breach presents a high risk of adversely affecting individuals’ rights and freedoms, data subjects must also be informed without undue delay.
In the US, all states have enacted legislation requiring notification of security breaches involving personal information. Under the Health Breach Notification Rule, if a breach involves electronic personal health records, organisations must inform the Federal Trade Commission.
Data breach reporting requirements may differ in other jurisdictions.
To pay or not to pay?
Authorities and law enforcement generally do not encourage, endorse or condone the payment of ransom demands. This is because there is no guarantee that criminals will honour promises to restore access to data or systems, and because payment could incentivise and help fund future ransomware attacks if criminals see they can make a profit.
What’s more, 80% of ransomware victims who paid ransoms were hit by another ransomware attack, according to a study by Cybereason.
Regardless of whether they decide to pay the ransom or not, companies should record their decision-making process and consult with experts on the matter, such as insurers, cyber authorities, law enforcement or cyber incident response companies with experience handling ransomware incidents.
Before deciding to comply with ransomware demands, companies should thoroughly exhaust all other options, taking into account the impact of the incident, viable back-up and recovery options and the possibility of obtaining a decryption key from a third party.
Managing communications
An effective communication strategy is key to handling a ransomware event, particularly as such incidents at large companies often draw media attention.
Companies should first identify the key stakeholders who need to be informed of the incident and any resulting disruption. It’s best practice to provide clear, up-to-date information to stakeholders, customers and media, while being cautious not to disclose details that could heighten the risks.
Depending on the scale of the attack, companies may wish to consider opening additional, dedicated lines of communication, such as a webpage for rolling updates or helplines for customers who have been impacted.
It may be prudent to set up social media monitoring to help identify and address any false information or rumours circulating about the incident.