Topic 60

Ransomware Response

Ransomware

Ransomware deserves its own topic because it inverts the usual incident: the damage is loud and immediate, backups are the answer and the attacker's target, and there is a payment decision no other incident forces. Modern ransomware also steals data before encrypting (double extortion), so "we have backups" no longer means "we are fine."

This topic covers responding to a ransomware incident on Meridian — the preparation that decides the outcome, the response under pressure, and the payment question — honestly, because the honest position is that prevention and recovery-readiness are the only reliable answers.

Double and Triple Extortion

Attackers now exfiltrate data (Chapter 5) before encrypting, then threaten to leak it — so backups protect availability but not confidentiality. The threat model shifted: "restore from backup" is necessary but no longer sufficient, because the stolen data is already gone and the leak threat remains whether or not you recover your systems.

Backups as the Real Defense

Recoverable, tested, offline or immutable backups are what turn ransomware from catastrophe to inconvenience — but only if the attacker could not reach and encrypt them too. This is why backup isolation is the pivotal control: the classic 3-2-1 approach, immutability, and offline copies mean the one control that defeats ransomware does not fail alongside everything else the attacker reached.

Responding Under Pressure

Isolate to stop encryption spreading (the containment of the previous topic), identify the strain and scope, preserve evidence (the exfiltration matters legally), and work the tested recovery plan. The incident that has been rehearsed goes far better than the one improvised — under the pressure of encrypted systems and a ticking ransom clock, a practiced runbook is what keeps the response coherent.

The Payment Decision

Paying funds crime, may not restore the data, marks you as payable, and increasingly runs into legal and sanctions issues — and it does nothing to un-leak exfiltrated data. It is a business, legal, and executive decision made against a plan, not a technical one, and it should be decided in advance with legal input rather than ad hoc under pressure. The honest conclusion is that prevention (Chapters 3 through 9) and tested recovery are the only reliable defenses; the payment question is one you want to have answered before it is asked.

Backup Restoration vs Paying the Ransom

Restore from backup — no criminal funding and provable recovery, if backups are recoverable, tested, and were out of the attacker's reach; does nothing about leaked stolen data.

Pay — no guarantee of a working decryptor, funds and marks you, legal and sanctions risk, and still does not un-leak exfiltrated data. Neither addresses double-extortion's confidentiality loss — which is why prevention and data protection are the real answer.

Common Mistakes
  • Backups the attacker can reach and encrypt (online, same credentials or network), so the one control that defeats ransomware fails with everything else.
  • Never testing restores, discovering during the incident that the backups do not actually recover the business.
  • Assuming backups solve ransomware in the double-extortion era, ignoring the exfiltration and leak of confidential data.
  • Making the payment decision ad hoc under pressure with no legal or sanctions input or pre-agreed policy.
  • Neglecting prevention on the assumption that backups make ransomware survivable regardless.
Best Practices
  • Keep tested, immutable, offline or isolated backups (3-2-1) that the attacker's access cannot reach or encrypt.
  • Rehearse the full recovery runbook so restoration under pressure is practiced, not improvised.
  • Treat data exfiltration as part of every ransomware incident — investigate and handle the confidentiality and legal impact, not just availability.
  • Decide the payment stance in advance with legal, executive, and sanctions input.
  • Invest in prevention (Chapters 3 through 9) as the only reliable defense against ransomware.
Comparable toolsBackup immutable/offline (3-2-1) · object-lock · tested restoresHelp No More Ransom decryptors · IR retainersLegal sanctions/OFAC guidance — ties to Ch 8 ransomware behavior

Knowledge Check

Why do backups alone no longer fully solve ransomware?

  • It exfiltrates data first, so stolen data can still be leaked
  • Backups can no longer be created on modern encrypted systems
  • Ransomware now encrypts the backups faster than they restore
  • Backups only ever protect against physical hardware failure

Why is backup isolation the pivotal control against ransomware?

  • If the backups are reachable too, the one control that defeats ransomware fails
  • Isolated backups always restore far faster than any online copy would in practice
  • Isolation encrypts the backups against theft
  • Only isolated backups can be tested

How should the ransom-payment decision be made?

  • As a pre-decided business, legal, and executive matter with sanctions input, not ad hoc under pressure
  • Automatically, by the incident responder at the keyboard
  • Always pay, since it guarantees data recovery
  • Never involve legal, to keep the incident quiet

You got correct