Our 2021 Data Security Incident Response Report (DSIR) described ransomware as a scourge. There are stories every day about new threat actor groups and their victims. There are task forces, law enforcement initiatives, discussions by legislators about laws to help address the problem, and real-world impact from operational disruption (such as panic-buying of gas).
Most organizations are aware of the risk of ransomware and the need to prepare for an event. But organizations that have not experienced a ransomware event are uncertain about what actually occurs, which hinders preparation. Building a ransomware playbook and conducting a tabletop exercise facilitated by a person experienced in responding to ransomware events are good preparation measures. To help with both, you can use the ransomware matter data from the DSIR, along with the list of considerations that an organization facing a ransomware attack may have to address all at once on the first day of the matter.
The thing to prepare for in a playbook, and to test in a tabletop, is the one-two punch of business continuity impact and potential theft of data with a threat to release the data publicly if the ransom is not paid. You can then identify the key response actions, the internal team responsible for managing the response and the third parties you would bring in to help. There are some actions you can take ahead of time, such as identifying how you would assess revenue impact.
Day One Initial Considerations