How to prepare for a ransomware attack

November 12, 2019 by Howard Poston

The threat of ransomware

Ransomware has become a common and well-known threat to organizations. Its success is largely based on the fact that it is a simple yet effective way for an attacker to make money from a target organization. By denying people access to their (valuable) data, an attacker can demand an average of $12,762 per attack.

While almost 40% of ransomware victims pay the ransom, this doesn’t always solve their problems. 4% of the time, a ransomware victim does not receive the decryption tool even after paying; on average, only 93% of data is recovered from a ransomware attack.

The most cost-effective means of dealing with ransomware attacks is never to be the victim of one in the first place. By preparing for a ransomware attack, an organization can limit the probability of being a victim of ransomware and soften its expected impact.

Preparing for a ransomware attack

Ransomware attacks are only becoming more common. In the first quarter of 2019, ransomware attacks grew by 118%. With an average cost of $55,000 per attack, it’s far more economical for organizations to take the necessary steps to minimize their exposure than to pay the cost of an attack. 

By taking a few simple actions, an organization can dramatically decrease the probable impact of a ransomware attack.

Employee education

92% of malware is delivered by email, and this is the most common delivery mechanism for ransomware as well. By tricking a user into clicking on a malicious link or opening an Office document that acts as a downloader, an attacker can infect a computer with ransomware. The threat of phishing emails makes employee education a priority. 

The sheer number of phishing emails sent every day and the wide variety of attack techniques mean that some emails will make it to the employee’s inbox. Training employees to recognize and respond appropriately to these emails can help minimize an organization’s exposure to ransomware.

Patching systems

Ransomware takes advantage of unpatched systems in a variety of different ways. The WannaCry malware, for example, is famous for exploiting the SMB protocol to create a wormable ransomware variant. However, malware can also use exploits behind the scenes to elevate privileges and take other actions on infected machines.

The WannaCry outbreak demonstrates the importance of deploying patches when they are available. While the attack occurred in May of 2017, the patch was available starting in March. Affected machines were only vulnerable due to a failure to apply available patches for known vulnerabilities. 

Implementing an effective patch management program, disabling or locking down unnecessary services and deploying defenses to detect attempted exploits of unpatched vulnerabilities can help minimize an organization’s vulnerability to ransomware attacks.

Monitoring and detection

Some types of malware are designed to be subtle. When an advanced persistent threat (APT) installs an implant on a machine in order to exfiltrate sensitive data, they do everything they can to ensure that the malware remains undetected for as long as possible.

The same can’t really be said of ransomware. In order to do its job, ransomware needs to perform a massive amount of file operations in a very short amount of time: opening files, creating an encrypted copy and deleting the originals. This isn’t normal behavior for a legitimate application.

The unique nature of a ransomware attack makes it fairly easy to detect. By monitoring for the API calls necessary for file access and encryption, a ransomware infection can be identified and shut down fairly quickly. By implementing protocols for managing a possible ransomware outbreak, an organization can prevent the spread of the malware throughout the organization and, hopefully, limit its impact on the originally infected machine.
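The behavioral check described above can be sketched as follows. This is an added example, not code from the original article: it flags a process that reads a file, creates a new file in the same directory and deletes the original many times within a short window. The event tuples, process names, window length and threshold are constructed assumptions standing in for what an endpoint agent or file-audit log would report.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumed sliding-window length
THRESHOLD = 5         # assumed number of replaced files per window that raises an alert

def detect_mass_replacement(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {process: time of first alert}.

    A "replacement" is a delete of a file the same process read earlier, in a
    directory where that process also created a file: the read / write encrypted
    copy / delete original pattern. Events must be in arrival order.
    """
    read_paths = defaultdict(set)     # process -> files it has read
    created_dirs = defaultdict(set)   # process -> directories it created files in
    recent = defaultdict(deque)       # process -> timestamps of recent replacements
    alerts = {}
    for ts, proc, op, path in events:
        directory = path.rsplit("/", 1)[0]
        if op == "read":
            read_paths[proc].add(path)
        elif op == "create":
            created_dirs[proc].add(directory)
        elif op == "delete":
            if path not in read_paths[proc] or directory not in created_dirs[proc]:
                continue                      # plain deletion, e.g. a temp-file cleaner
            times = recent[proc]
            times.append(ts)
            while ts - times[0] > window:     # drop replacements outside the window
                times.popleft()
            if len(times) >= threshold:
                alerts.setdefault(proc, ts)
    return alerts

def sample_events():
    """Constructed events: (seconds, process, operation, path)."""
    ev = [(100 + i, "backup.exe", "read", f"C:/docs/report{i}.docx") for i in range(8)]
    ev.append((108, "backup.exe", "create", "D:/backup/docs.zip"))
    # Editor doing a safe save: one replacement, far below the threshold.
    ev += [(120, "editor.exe", "read", "C:/docs/notes.txt"),
           (121, "editor.exe", "create", "C:/docs/notes.txt.tmp"),
           (121, "editor.exe", "delete", "C:/docs/notes.txt")]
    # Cleaner deleting many files it never read: ignored.
    ev += [(130, "cleaner.exe", "delete", f"C:/temp/cache{i}.tmp") for i in range(10)]
    # Ransomware-like process: one file per second, original removed each time.
    for i in range(8):
        p = f"C:/docs/report{i}.docx"
        ev += [(200 + i, "invoice.exe", op, p + suffix)
               for op, suffix in (("read", ""), ("create", ".locked"), ("delete", ""))]
    return ev

if __name__ == "__main__":
    print(detect_mass_replacement(sample_events()))
```

The window and threshold need tuning against the normal workload of the monitored hosts before an alert is wired to an automated response such as isolating the machine.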

Maintaining security solutions

Most organizations have deployed basic security solutions. However, if these defenses are not properly maintained, their effectiveness is limited.

A good example of this is the antivirus. To be effective, an antivirus needs to be updated regularly and to perform scans on a regular basis. Failure to update means that the antivirus doesn’t have access to the information necessary for detecting the latest threats, and failing to scan means that the antivirus is useless.

However, antivirus scans and updates can be annoying, so they’re sometimes set to be performed manually and then forgotten. Configuring antivirus software to run automatically rather than manually, ensuring that users haven’t turned off their firewall and other basic security hygiene can help protect against a ransomware attack.

Automated backups

Ransomware attacks rely on the target only having one copy of sensitive and valuable data. If the attacker manages to encrypt this data, then the value of the data might exceed the requested ransomware payment. If this is the case, the victim may be willing to pay the ransom in order to regain access to the lost data.

Setting up an automated backup system can help ensure that the value of data lost to ransomware is minimal. The loss of an hour’s worth of data is far less than a requested ransom payment and far less damaging to the organization. By setting up a backup system to automatically preserve data, an organization can both protect itself from ransomware attacks and help to force ransomware developers out of business.

Conclusion: Defending against ransomware

Ransomware attacks will be a threat to organizations as long as they are profitable. If organizations are the victims of attacks and it is more economical to pay the ransom than to write off the data, then hackers will continue making money from this type of malware.

By taking the necessary steps to prepare for a ransomware attack, an organization can minimize the probability of falling victim to one and the expected cost to the organization. As ransomware attacks become less profitable, they will also become less common, making everyone’s data safer.

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at or via his website at