This blog is part of Gate 15’s Summer of Security: Ransomware Resilience Series, highlighting the essential considerations for organizational leaders and cybersecurity professionals.
Why Ransomware Planning Matters.
Planning for a ransomware attack is a vital component of any organization’s cybersecurity strategy. Having a ransomware plan is important because it helps organizations prepare for, respond to, and recover from ransomware attacks effectively. Ransomware attacks can cripple operations by locking critical systems and data, often demanding payment to restore access. A well-developed plan minimizes downtime by outlining clear procedures for restoring operations, typically through secure backups and tested recovery processes. Financially, the costs of paying a ransom, addressing data breaches, managing legal fallout, and recovering from lost productivity can be devastating. A ransomware plan helps mitigate these costs by enabling a swift, coordinated response. It also protects an organization’s reputation by demonstrating to customers, partners, and regulators that it takes cybersecurity seriously. Moreover, many industries have legal and regulatory requirements for incident preparedness, and a ransomware plan helps ensure compliance. By clearly defining roles, communication protocols, and decision-making criteria, such a plan supports better incident management and limits confusion during a crisis. Ultimately, having a ransomware plan strengthens an organization’s overall cyber resilience and its ability to adapt and recover from evolving digital threats.
The Risk of Not Having a Plan.
Marks & Spencer (M&S) is grappling with the aftermath of a significant cyberattack by Scattered Spider, a group widely known for its social engineering tactics, that began over the Easter weekend in April 2025. The attack caused widespread disruption across the company’s operations and exposed customer PII. A concerning revelation came when an insider revealed that M&S lacked a comprehensive plan to deal with such cyber incidents. According to IBM’s Cost of a Data Breach Report 2023, organizations with no incident response (IR) plan or inadequate testing faced breach costs averaging $5.36 million, compared to $3.26 million for those with well-tested plans, a $2.1 million difference.
Key Elements of a Ransomware Plan.
A strong ransomware response plan is essential for minimizing the damage from an attack and ensuring a swift, coordinated response. Two foundational elements are defining roles and responsibilities and establishing a communication strategy, but a complete plan should include several key components:
- Define Roles and Responsibilities. Clearly assigning duties ensures there is no confusion during an incident. This should include members from across the organization, not just IT. Some areas to consider are executive leadership, legal, insurance, communications, compliance, and investor relations.
- Outline Major Steps from Mitigation to Recovery.
  - Prepare. It is good practice to include how often plans will be reviewed and updated, as well as how frequently they will be exercised.
  - Detect. Identify the initial actions the organization will be taking upon being alerted to a potential ransomware incident.
  - Contain. Who are the key incident responders, and how will they go about identifying, isolating, and mitigating the threat?
  - Investigate. During this phase it is important to conduct a root cause analysis and ensure that evidence is preserved for potential regulatory or litigation purposes.
  - Remediate. This part of the plan should detail the steps for post-incident repair, validating that the threat has been contained.
  - Recover. A key element of this phase is conducting a post-incident analysis to review the decision-making processes during the incident, gather lessons learned, and make any necessary updates to policies and procedures.
- Communication. Effective communication can prevent panic, reduce misinformation, and maintain stakeholder trust. Some communications considerations include:
  - Internal Communications.
    - What are the secondary and tertiary communications platforms if the primary method is not available?
    - Who has the responsibility to alert various departments and personnel who will be needed for a response?
    - How will misinformation be handled if there is a leak about the incident?
  - External Communications.
    - It is highly likely that a ransomware response will include various vendors and external stakeholders like insurance and law enforcement. A good ransomware response plan will ensure that the timelines for reaching out, and the parties responsible for such actions, are identified.
    - Information sharing during an incident can help identify resources to support incident response. Plans should identify those potential external stakeholders, and who is tasked with that coordination.
Developing the Plan.
Start by bringing together key stakeholders and holding a workshop to review the key elements of the plan outlined earlier in the blog. Encourage cross-functional dialogue to break silos and spend time considering various scenarios that might require new additions to the plan. Once the plan has been formalized, it is recommended to conduct a tabletop exercise (TTX) to validate the plan. This can be done internally, or by utilizing external experts who can provide fresh perspectives and specialized knowledge, identifying weaknesses internal teams might miss.
Insights from our Weekly Ransomware Report.
Each week we publish our Weekly Ransomware Report (along with other all-hazards reports) through Gate 15’s Resilience and Intelligence Portal (GRIP). Contact us if you are interested in receiving the full report. Highlights from this week include:
- Most Active Threat Actors (victim number): PLAY (11), Hunters International (2), RALord (2), Rhysida (2), Silent (2)
- Coalition’s 2025 Cyber Claims Report: In the U.S., average losses per claim were about $108,000
- Marsh’s UK Cyber Insurance Claims Trends Report 2024: Cyber claims in the United Kingdom decreased by 20%
Coming Up Next: Test, Don’t Guess: Exercising Your Response Plan.
Our next blog in the series will focus on how to regularly test your ransomware response plan through tabletop exercises and simulated attacks. These drills help identify gaps, strengthen team coordination, and ensure every stakeholder—from the SOC to the C-suite—knows how to act under pressure.
Gate 15 has worked across the Critical Infrastructure environment to develop cybersecurity plans and tabletop exercises for trade associations and owner/operators. We are pleased to offer 10% off ransomware exercises to new clients that are booked before 30 September 2025. Send us an email and mention this blog, and let’s discuss how to boost your organizational resilience together.