
Your Company Has Been Attacked by a Ransomware Group – What Now? An Action Plan

Kuba Nicpoń
09/04/2025

Ransomware is one of the most destructive types of cyberattacks, in which criminals not only encrypt data but often first gain access to the infrastructure, move laterally across the network, and exfiltrate information for blackmail purposes (double extortion). Poland is among the top targets of ransomware groups, which is why organizations must have a prepared incident response plan. In the event of an attack, it is crucial to quickly confirm the incident, isolate the affected environment, report it to law enforcement authorities, the Data Protection Office (PUODO), and the national CSIRT, and then restore systems from backups. Support from a DFIR team is essential, as they analyze the attack’s progression using EDR/NDR telemetry, identify the initial point of compromise, and help restore business continuity. Paying the ransom should only be considered as a last resort, as it does not guarantee data recovery or eliminate the risk of future extortion. Ultimately, the most important steps are remediating vulnerabilities, implementing effective security controls, and adopting a proactive prevention strategy to avoid repeat incidents.


In recent years, ransomware attacks have become one of the most serious threats to companies worldwide, including in Poland. According to the European Union Agency for Cybersecurity (ENISA), ransomware is one of the most destructive types of cyberattacks, capable of paralyzing an organization’s operations and causing enormous financial losses.

Moreover, as indicated in the ESET Threat Report for the second half of 2024, Poland is among the primary targets of ransomware groups. In just six months, the number of such attacks increased by 37% compared to the first half of the year. Poland now ranks 7th globally in terms of ransomware attack volume, highlighting the scale of the problem.

Given this threat, it is crucial that companies know how to respond to ransomware attacks and what actions to take to minimize the damage. In this article, we explain what ransomware attacks involve and present a step-by-step action plan to help organizations restore normal operations.

What Is a Ransomware Attack and Who Does It Affect Most Often?

Ransomware (from ransom – payment demanded, and software – program) is a type of cyberattack in which criminals take control of a victim’s resources by encrypting data and demanding a ransom in exchange for restoring access (by providing a decryption key) or for not publishing stolen data.

The most common victims of ransomware attacks are private companies (both small and large). Cybercriminals target systems with security weaknesses, hoping for quick profit. This is why implementing effective protective mechanisms is critical to reducing risk and preventing a situation in which a company faces the dilemma of paying a ransom.

What Does a Ransomware Attack Involve?

A ransomware attack is not just a single infected file — it is the final stage of a complex process. Before criminals encrypt data and demand payment, they typically execute a full Cyber Kill Chain.

First, they gain Initial Access to the victim’s network — through phishing, malicious ads, exploits, or social engineering. Next, they establish Persistence and move across devices (Lateral Movement) to take control over as much infrastructure as possible.

The next step is Exfiltration, meaning data theft, which can later be used for blackmail. Only after these stages does the actual ransomware phase begin: attackers deploy an encryptor, making key files and applications unusable.

This is known as double extortion ransomware, currently the most common type of ransomware attack.

Cybercriminals not only block access to resources but also threaten to publish stolen data, increasing pressure on the victim.

Since ransomware is only the final stage, effective defense must start much earlier — at the stage of recognizing and blocking the initial attack vectors.

What Steps to Take if Your Company Becomes a Ransomware Victim – Action Plan

Although paying the ransom may result in receiving a decryption key, it provides no guarantee of data recovery or future security. Criminals often do not delete the stolen data. Additionally, paying a ransom funds cybercrime and motivates further attacks.

A ransomware attack is one of the most difficult challenges an organization can face. Some companies that lack effective protections (EDR, SOC, NGFW, NDR) and backups decide to pay ransom when the threat of permanent data loss or exposure would completely paralyze operations.

If an organization chooses this path, it should act with extreme caution and consult cybersecurity experts first, who can provide support throughout the process.

What to Do Step by Step

1. Verify the incident

Confirm whether it is truly a ransomware attack or simply a system failure.

2. Report the incident to the appropriate authorities and stakeholders:

a. The National Police Headquarters, or in more advanced cyberattacks, the Cybercrime Bureau.

b. The Personal Data Protection Office (PUODO) — if personal data is involved, the company must report the breach within 72 hours, in accordance with GDPR.

c. Company management and employees — internal communication is essential to provide awareness and instructions.

d. Customers and business partners — depending on the type of breach (e.g., stolen data), affected individuals may need to be notified.

Companies can also seek help through:

3. Restore from backups

If your organization performs regular backups, begin infrastructure restoration immediately.

4. Contact a DFIR team (Digital Forensics & Incident Response)

If your company has implemented telemetry-based security systems such as EDR and NDR, reconstructing the attack timeline becomes much easier.

These systems help:

  • build full incident context
  • trace attacker activity paths
  • identify root causes
  • prevent future attacks
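To make the timeline reconstruction described above concrete, here is an added example (not code from the original article or from 4Prime) that parses a few constructed EDR/NDR telemetry lines, identifies the initial point of compromise, derives lateral-movement edges from remote logons, and maps events to the kill-chain stages the article names. All hosts, users, timestamps and event types are hypothetical.

```python
from datetime import datetime

# Constructed sample EDR/NDR telemetry (hypothetical hosts, users, times): timestamp|host|user|event_type|detail
SAMPLE_TELEMETRY = """\
2025-03-02T08:14:10|WS-017|j.kowalski|email_attachment_opened|invoice.pdf.exe
2025-03-02T08:14:12|WS-017|j.kowalski|process_start|powershell.exe
2025-03-02T08:20:41|WS-017|j.kowalski|scheduled_task_created|Updater
2025-03-02T09:02:05|SRV-FILE01|j.kowalski|remote_logon|from=WS-017
2025-03-02T09:30:55|SRV-FILE01|j.kowalski|outbound_transfer|dst=203.0.113.10
2025-03-03T02:11:00|SRV-DC01|admin-svc|remote_logon|from=SRV-FILE01
2025-03-03T02:40:13|SRV-DC01|admin-svc|mass_file_rename|ext=.locked
"""
# Event types mapped to the kill-chain stages the article names; other events are context only.
STAGE_OF = {"email_attachment_opened": "Initial Access",
            "scheduled_task_created": "Persistence",
            "remote_logon": "Lateral Movement",
            "outbound_transfer": "Exfiltration",
            "mass_file_rename": "Encryption"}

def parse_events(text):
    """Parse pipe-separated telemetry lines into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, etype, detail = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "type": etype, "detail": detail})
    return sorted(events, key=lambda e: e["time"])

def initial_compromise(events):
    """Earliest event in the sorted timeline: the initial point of compromise."""
    return events[0]

def lateral_movement_edges(events):
    """(source_host, destination_host) pairs derived from remote_logon events."""
    return [(e["detail"].split("from=", 1)[1], e["host"])
            for e in events if e["type"] == "remote_logon"]

def attack_path(events):
    """Hosts in the order the attacker first touched them."""
    seen = []
    for e in events:
        if e["host"] not in seen:
            seen.append(e["host"])
    return seen

def stage_timeline(events):
    """Chronological (stage, host, iso_time) tuples for stage-relevant events."""
    return [(STAGE_OF[e["type"]], e["host"], e["time"].isoformat())
            for e in events if e["type"] in STAGE_OF]
```

Run `stage_timeline(parse_events(SAMPLE_TELEMETRY))` to see the full incident context in order; real telemetry needs a parser for the EDR/NDR product's own export format, but the reconstruction logic is the same.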

DFIR teams can also assist in negotiations with ransomware groups.

5. If recovery is impossible, ransom payment may be considered

If the company cannot restore operations and the loss of data threatens business continuity, it may end up in contact with the ransomware group.

WARNING: Paying ransom provides no guarantee and supports criminal activity.

What If the Company Decides to Pay the Ransom?

Do not contact criminals on your own

This must be done via a DFIR team. The process is stressful, complex, and requires cybersecurity expertise.

Our DFIR team supports clients at every stage, regardless of the final decision.

Attackers provide “attack rules”

They send instructions describing the encryption, consequences of non-payment, and next steps.

Criminal groups often describe the attack as an “unannounced penetration test” to appear professional.

Proof of stolen files

Ransomware groups usually confirm they have company data by:

  • sending a few random stolen files
  • demonstrating that their decryptor works

Negotiation stage

Attackers propose a price in exchange for:

a. not publishing the stolen data

b. deleting stolen files from their infrastructure

c. providing an “audit report” explaining how they breached the network

d. delivering a decryptor

The organization must decide whether to pay.

Payment method

Payments typically occur in cryptocurrency, most often:

  • Bitcoin
  • Monero

Criminals provide a wallet address.

The process is complicated and involves:

  • withdrawing large sums from the bank
  • purchasing crypto through an exchange
  • fees and transaction costs
  • accounting and legal challenges

Test payment first

The company should send a small portion (e.g., 1%) to confirm transaction success before paying the full amount.

Decryptor delivery

Attackers deliver decryptors for systems like Windows or ESXi with instructions.

They often recommend disabling security systems during decryption.

IMPORTANT: Always back up encrypted files before decryption. The process may fail, and without backups recovery may become impossible.

After payment

Usually, groups do not publish stolen data, especially if they care about their “reputation.”

However, there is never 100% certainty. Criminals may still keep stolen data for future extortion.

Final Step: Fix the Root Cause

After recovery, vulnerabilities that led to the attack must be addressed:

  • patching systems
  • correcting misconfigurations
  • improving security controls
  • implementing prevention measures

This helps prevent future incidents.

Conclusion

The risk of ransomware is enormous, and companies must protect their IT infrastructure as soon as possible.

A proactive cybersecurity strategy is the best way to avoid the costly consequences of such attacks.

At 4Prime, we support organizations at every stage – from prevention to effective response during ransomware incidents.

Don’t wait – contact us today and protect your organization.

This article was prepared by a 4Prime expert and edited with the support of artificial intelligence tools.


Text author:
Kuba Nicpoń, CTI Team Leader, SOC360, 4Prime Group
An experienced SOC analyst, expert in Cyber Threat Intelligence and vulnerability management. For over 5 years, he has been co-creating and developing the Security Operations Center — SOC360 team. His experience includes advanced security incident analysis, real-time threat monitoring, and designing cybersecurity solutions.