Ransomware: Prevention and Response
Ransomware attacks can cripple organizations. This guide is part of the documentation available in SecBoard. It explains what ransomware is, how to reduce the risk of an attack, and how to respond effectively if targeted. Learn how to prevent attacks through technical controls, access management, backup, and awareness—and how to respond with an incident process, containment, and recovery. SecBoard modules such as Incident Register, Document Register, SOC, Study, Gophish, Cabinet, and Framework Compliance support prevention and response when used as part of a broader security programme.
What is ransomware?
Ransomware is malicious software that encrypts or blocks access to data or systems and demands a ransom (often in cryptocurrency) to restore access. Attackers may also steal data and threaten to publish it (double extortion). Ransomware can spread via phishing, exploited vulnerabilities, remote desktop (RDP) abuse, or compromised credentials. It can cripple operations, cause financial and reputational damage, and put personal or sensitive data at risk. Prevention focuses on reducing the likelihood and impact; response focuses on containment, eradication, recovery, and lessons learned.
Prevention: key controls
No single control stops all ransomware, but a combination significantly reduces risk and impact.
- Access management: least privilege; MFA for all users, especially admins and remote access; strong passwords; disable or protect RDP; separate admin and daily-use accounts. Limit who can access sensitive data and who can change backups.
- Backup and recovery: regular, tested backups; offline or immutable copies so attackers cannot encrypt them; defined recovery procedures and RTO/RPO. This ensures you can restore without paying the ransom.
- Technical controls: EDR/AV, network segmentation, logging and monitoring (e.g. SOC), patch management, secure configuration. Email and endpoint protection blocks or detects phishing and malware early.
Prevention checklist (summary)
| Area | Measures |
|---|---|
| Access | MFA; least privilege; no shared admin accounts; lock or harden RDP; conditional access where possible. |
| Backup | Automated, frequent backups; offline/immutable copy; test restore; document RTO/RPO; protect backup credentials. |
| Patching | Patch OS and applications; prioritize internet-facing and critical systems; track and test updates. |
| Email & endpoints | Anti-phishing; block macros or use sandboxing; EDR/AV; application allowlisting where feasible. |
| Network | Segment networks; restrict lateral movement; firewall and monitoring at key boundaries. |
| Awareness | Security training; phishing simulations; clear reporting channel for suspicious emails and incidents. |
Response: if you are targeted
When ransomware is detected or suspected, act quickly to contain impact and recover.
- Contain: Isolate affected systems (disconnect network, power off if appropriate); preserve evidence (logs, images) for investigation and possible law enforcement; block attacker access (revoke credentials, close VPN/RDP).
- Assess: Determine scope (which systems, data, backups); classify the incident (e.g. critical); notify internal incident response and management; consider legal and regulatory obligations (e.g. breach notification).
- Eradicate: Remove malware and close compromise vectors (patch, reset credentials, rebuild if needed).
- Recover: Restore from clean, tested backups; verify integrity before bringing systems back online; monitor for reinfection.
- Learn: Post-incident review; update incident and continuity plans; improve controls and training. Document the incident for compliance and insurance.
Paying the ransom is a business decision with legal, ethical, and practical implications (no guarantee of decryption; may fund further attacks). Prefer recovery from backups and hardening over payment where possible.
How SecBoard modules support ransomware prevention and response
SecBoard does not replace technical controls (backup, EDR, MFA) but helps you document plans, track incidents, and demonstrate preparedness and response.
| SecBoard module | Prevention / response | How it helps |
|---|---|---|
| Incident Register (app_incident) | Response | Record ransomware and security incidents; document containment, scope, and recovery; assign owners and track status. Use for incident process evidence and post-incident review. Link to Framework Compliance. Incident Register Guide available. |
| Document Register (app_doc) | Prevention, response | Store incident response plan, backup and continuity procedures, acceptable use and security policies. Link to Framework Compliance. Mandatory Processes for recurring tasks (e.g. backup verification, restore tests). |
| SOC / Wazuh (app_soc) | Prevention, detection | Centralise logs; monitor for suspicious activity (e.g. mass encryption, lateral movement). Use for detection and investigation evidence. FIM Dashboard Guide available. Attach reports in Framework Compliance. |
| Study / Training (app_study) | Prevention | Deliver security awareness and phishing-resistant behaviour training. Use for training records and awareness programme evidence. Supports “don’t click, report” culture. |
| Gophish (app_gophish) | Prevention | Run phishing simulations to test and improve user behaviour. Use for awareness programme evidence. Gophish Guide available. Reduces likelihood of credential theft and malware delivery via email. |
| Cabinet (app_cabinet) | Prevention | Manage users and groups; enforce least privilege and access review. Document who has admin or sensitive access. Use with MFA and strong passwords at IdP/app level. Cabinet Users Guide available. |
| Risk Assessment (app_risk) | Prevention | Identify and assess ransomware and cyber risk; document treatment (backup, segmentation, MFA, etc.). Link risks to controls. Evidence for Framework Compliance. |
| Asset management (app_asset) | Prevention, response | Maintain inventory of systems and critical data. Use for scope definition, backup prioritization, and recovery planning. Asset Guide available. |
| Framework Compliance | Prevention, response | Map controls (backup, access, incident response, awareness) to frameworks (e.g. NIST, ISO 27001); attach evidence; track status. Use for audit and management reporting. |
| Keys & Certificates (app_keycert) | Prevention | Manage certificates and keys used for authentication and encryption. Protect backup and admin access; track lifecycle. Key/Cert Guide available. |
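One way to turn the SOC row's "mass encryption" monitoring into a concrete rule, as an added example that is not SecBoard or Wazuh code: a sliding-window heuristic over constructed FIM-style events that flags an actor touching many files which end up sharing one new extension. Hosts, users, paths and thresholds are all assumptions.

```python
"""Added example (not SecBoard/Wazuh code): mass-encryption heuristic over constructed FIM events."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import os

@dataclass(frozen=True)
class FimEvent:
    ts: int       # epoch seconds
    host: str
    user: str
    action: str   # "modified" or "renamed"
    path: str     # path after the change

# Assumed thresholds: tune against a baseline; build jobs and archive tools
# can legitimately rewrite many files and need an allowlist.
WINDOW_SECONDS = 60        # sliding window length
MIN_FILES = 50             # distinct paths touched before alerting
MIN_SAME_EXT_RATIO = 0.8   # share of those paths ending in one extension

def detect_mass_encryption(events, window=WINDOW_SECONDS,
                           min_files=MIN_FILES, ratio=MIN_SAME_EXT_RATIO):
    """Return one alert per (host, user) whose busiest window touches at
    least min_files distinct paths, most of them sharing one extension."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_actor[(e.host, e.user)].append(e)
    alerts = []
    for (host, user), evs in by_actor.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1                      # slide window forward
            files = {e.path for e in evs[start:end + 1]}
            if len(files) < min_files:
                continue
            ext, n = Counter(os.path.splitext(p)[1].lower() for p in files).most_common(1)[0]
            if n / len(files) >= ratio and (best is None or len(files) > best["files"]):
                best = {"host": host, "user": user, "files": len(files),
                        "extension": ext, "first_ts": evs[start].ts, "last_ts": evs[end].ts}
        if best:
            alerts.append(best)
    return alerts

def constructed_events():
    """Constructed sample: slow editing by alice, then 120 renames to '.locked' in 30 s by svc_backup."""
    normal = [FimEvent(1000 + i * 30, "ws07", "alice", "modified",
                       f"/home/alice/doc{i}.docx") for i in range(10)]
    burst = [FimEvent(2000 + i // 4, "fs01", "svc_backup", "renamed",
                      f"/srv/share/finance/report{i}.xlsx.locked") for i in range(120)]
    return normal + burst
```

In production the alert would feed the Incident Register rather than a return value, and the thresholds would be set from observed per-host baselines.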
Quick mapping: goal → SecBoard
| Goal | SecBoard modules to use |
|---|---|
| Prevent (access, MFA) | Cabinet, Access, Study (password policy), KeyCert; Document Register (policies). |
| Prevent (backup, continuity) | Document Register (backup/continuity procedures), Asset (critical systems), Mandatory Processes (restore tests). |
| Prevent (awareness, phishing) | Study, Gophish, Document Register (awareness policy). |
| Detect | SOC, Incident Register (when detected). |
| Respond | Incident Register, Document Register (incident response plan), Asset (scope). |
| Document and comply | Framework Compliance, Document Register, Risk Assessment. |
Ransomware prevention and response with SecBoard
This guide is part of the documentation available in SecBoard. Ransomware can cripple organizations; prevention (access control, MFA, backup, patching, awareness) and effective response (containment, recovery from backups, incident process) reduce risk and impact. Use SecBoard Incident Register to record and manage incidents; use Document Register for incident response and backup procedures; use SOC, Study, Gophish, Cabinet, Risk Assessment, and Asset to support prevention and detection. Use Framework Compliance to map and evidence controls.
Combine technical controls with clear policies, training, and tested recovery procedures so your organization is prepared to prevent and respond to ransomware.
Frequently asked questions
What is ransomware? — Malicious software that encrypts or blocks access to data or systems and demands a ransom to restore access. Attackers may also steal and threaten to publish data (double extortion). It often enters via phishing or exploited vulnerabilities.
How can we prevent ransomware? — Use MFA and least privilege; keep reliable, tested, offline or immutable backups; patch systems; protect email and endpoints (anti-phishing, EDR/AV); segment networks; train staff and run phishing simulations. No single measure is enough—combine several.
What should we do if we are hit by ransomware? — Contain (isolate systems, preserve evidence, revoke compromised access); assess scope and impact; eradicate malware and close entry points; recover from clean backups; conduct a post-incident review and update plans. Document the incident (e.g. in SecBoard Incident Register).
Should we pay the ransom? — Paying is a business decision with legal and ethical implications; there is no guarantee of decryption and it may fund further attacks. Prefer recovery from backups and improving controls where possible.
How does SecBoard help with ransomware? — Use Incident Register for response and documentation; Document Register for incident response and backup procedures; SOC for detection and logs; Study and Gophish for awareness; Cabinet and Risk Assessment for access and risk; Framework Compliance to evidence controls.