It's mid-August, and school districts across the country are scrambling to get networks ready for fall. IT teams are patching servers, provisioning student laptops, and crossing their fingers. Because if there's one thing ransomware gangs love, it's hitting education targets right before the school year starts, when the pressure to pay is highest and the staff is thinnest on the ground.
But this isn't just an education problem. Ransomware doesn't care about your industry. It cares about your gaps. And most organizations, whether they're running a school district or a logistics company, don't have a real playbook for what happens before, during, or after an attack.
This is that playbook.
Stage 1: Before the Attack (Prevention)
The best ransomware incident is the one that never happens. Prevention isn't glamorous, but it's where 90% of your effort should go. Here's what actually moves the needle.
Follow the 3-2-1-1 Backup Rule
You've probably heard of the 3-2-1 rule: three copies of your data, on two different types of media, with one stored offsite. That's table stakes now. The updated version adds one more "1" to the end: one immutable copy.
Immutable backups can't be modified or deleted for a set period, even by an admin account. This matters because modern ransomware specifically targets backup systems. Attackers know that if they can encrypt your backups along with your production data, you have no choice but to pay. An immutable copy takes that leverage away.
- 3 copies of your data
- 2 different media types (local disk + cloud, for example)
- 1 offsite copy
- 1 immutable copy that cannot be altered or deleted
Test Your Backup Restorations
Having backups is meaningless if you've never tested restoring from them. I've seen organizations discover mid-crisis that their backups were corrupted, incomplete, or so slow to restore that they might as well not exist. Schedule quarterly restoration tests. Document how long a full restore takes. Know your actual recovery time, not the theoretical one in a vendor's marketing deck.
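A scripted form of the restoration test described above, added here as an example and not code from the original post. It assumes a SHA-256 manifest is recorded when the backup is taken, and it constructs its own sample files in a temporary directory (the function names and the corruption scenario are mine).

```python
# Added example (not from the original post): a scripted restore test.
# A SHA-256 manifest is recorded at backup time; the restore is timed and the
# restored tree is checked for missing or corrupted files. All paths and
# sample files below are constructed inside a temporary directory.
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def run_restore_test(restore_fn, manifest, target):
    """Time restore_fn(target), then diff the restored tree against the
    manifest. 'elapsed_s' is the measured recovery time, not a vendor estimate."""
    start = time.monotonic()
    restore_fn(target)
    elapsed = round(time.monotonic() - start, 3)
    restored = build_manifest(target)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"ok": not (missing or corrupted), "missing": missing,
            "corrupted": corrupted, "elapsed_s": elapsed}


def demo():
    """Constructed scenario: one backup file was silently truncated, so the
    restore 'completes' but must fail verification."""
    base = Path(tempfile.mkdtemp())
    src, backup, target = base / "prod", base / "backup", base / "restore"
    src.mkdir()
    (src / "grades.csv").write_text("student,grade\nalice,90\n")
    (src / "roster.txt").write_text("alice\nbob\n")
    manifest = build_manifest(src)            # recorded at backup time
    shutil.copytree(src, backup)
    (backup / "grades.csv").write_text("student,grade\n")   # simulated corruption
    report = run_restore_test(lambda t: shutil.copytree(backup, t), manifest, target)
    shutil.rmtree(base)
    return report
```

Record `elapsed_s` from a full-size restore in your runbook; that number, not the vendor's, is your real recovery time.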
Segment Your Network
Flat networks are a ransomware operator's dream. Once they're in, they can move laterally to every system without hitting a single barrier. Network segmentation creates boundaries between departments, between user workstations and servers, and between IT and OT environments. If ransomware lands on a workstation in accounting, segmentation can prevent it from reaching your file servers, domain controllers, or backup infrastructure.
Deploy Real Endpoint Protection
Traditional antivirus that relies on signature matching is not enough anymore. You need endpoint detection and response (EDR) that watches for behavioral patterns: unusual file encryption activity, mass file renaming, privilege escalation attempts. Modern EDR solutions can detect and isolate a ransomware infection within seconds of execution, often before it spreads beyond the initial endpoint.
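One of the behavioural signals mentioned above, mass file renaming, written as a detection rule and run over constructed telemetry. This is an added example, not the post's or any EDR vendor's code; the event fields, process names, window and threshold are all assumptions.

```python
# Added example (not from the original post): a stripped-down version of the
# behavioural check an EDR applies, run over constructed file-event telemetry.
# It flags one process renaming many files to a new extension in a short
# window, the mass-rename pattern the post describes. Field names are assumed.
from collections import Counter, defaultdict
from os.path import splitext


def ev(ts, pid, proc, op, path, new=None):
    """Build one constructed telemetry record (seconds, pid, image, op, paths)."""
    return {"ts": ts, "pid": pid, "proc": proc, "op": op, "path": path, "new": new}


SAMPLE_EVENTS = (
    [ev(10.0, 4120, "winword.exe", "write", "/shares/fin/q3.docx"),
     ev(12.0, 4120, "winword.exe", "rename", "/shares/fin/q3.docx", "/shares/fin/q3-final.docx")]
    # legitimate batch job: 6 extension changes spread over 10 minutes
    + [ev(300 + 120 * i, 7001, "backupagent.exe", "rename", f"/bk/job{i}.tmp", f"/bk/job{i}.bak")
       for i in range(6)]
    # constructed ransomware-like burst: 8 extension changes in 12 seconds
    + [ev(900 + 1.5 * i, 5188, "unsigned_bin.exe", "rename", f"/shares/fin/doc{i}.xlsx",
          f"/shares/fin/doc{i}.xlsx.lockd") for i in range(8)]
)


def detect_mass_rename(events, window_s=30.0, threshold=5):
    """Alert when one pid renames >= threshold files to the same new extension
    within window_s seconds. Renames that keep the extension are ignored."""
    by_pid = defaultdict(list)
    for e in events:
        if e["op"] == "rename" and splitext(e["new"])[1] != splitext(e["path"])[1]:
            by_pid[e["pid"]].append(e)
    alerts = []
    for pid, renames in by_pid.items():
        renames.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(renames)):            # sliding time window
            while renames[end]["ts"] - renames[start]["ts"] > window_s:
                start += 1
            window = renames[start:end + 1]
            if len(window) < threshold:
                continue
            ext, n = Counter(splitext(e["new"])[1] for e in window).most_common(1)[0]
            if n >= threshold:
                alerts.append({"pid": pid, "proc": window[0]["proc"], "ext": ext,
                               "count": n, "first_ts": window[0]["ts"]})
                break                              # one alert per process
    return alerts
```

The window and threshold decide the trade-off: the slow backup job only fires if the window is widened to cover its whole run, which is why a real EDR tunes these per environment.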
Lock Down Email
Email remains the number-one delivery mechanism for ransomware. Advanced email filtering should strip or sandbox executable attachments, flag lookalike domains, and block known malicious URLs. But filtering alone won't save you. Pair it with user training that focuses on recognizing the social engineering patterns attackers actually use, not the obvious Nigerian prince scenarios from 2010.
Pre-Negotiate a Breach Response Retainer
This is the one that most organizations skip and then regret. When ransomware hits, you don't want to be Googling "incident response firm near me" at 2 AM. Establish a retainer with a reputable breach response firm before anything happens. They'll already understand your environment, have your contact info, and be ready to deploy within hours. Many cyber insurance policies include or require this, so check your coverage.
"The time to find a surgeon is not when you're already bleeding."
Stage 2: During the Attack (Active Incident)
Your screen shows a ransom note. Files are encrypted. Panic is setting in. What you do in the next few hours will determine whether this is a rough week or a catastrophic quarter.
Step 1: Isolate Immediately
The single most important action in the first minutes is containment. Disconnect affected systems from the network. Don't shut them down (you may destroy forensic evidence in volatile memory), but pull network cables and disable Wi-Fi. If you have network segmentation in place, isolate the affected segment. The goal is to stop lateral movement before the encryption spreads to more systems.
Step 2: Assess the Scope
Before you can respond effectively, you need to understand what you're dealing with. Which systems are affected? What data is at risk? Is the encryption still actively spreading, or has it stopped? Is the attacker still inside your network? Your EDR tools and network monitoring should help answer these questions. If you have a breach response retainer, this is when you call them.
Step 3: Preserve Evidence
This step gets skipped in the chaos, and it shouldn't. Take forensic images of affected systems before you start remediation. Preserve logs from firewalls, endpoint protection, email gateways, and authentication systems. This evidence serves three purposes: it helps your response team understand the attack vector, it supports any law enforcement investigation, and your cyber insurance carrier will almost certainly require it for claims processing.
Step 4: Notify the Right People
Your notification list should already exist as part of your incident response plan. At minimum, it includes executive leadership, legal counsel, your cyber insurance carrier, and your breach response firm. Depending on your industry and the data involved, you may also have regulatory notification requirements with specific timelines. For education institutions, this often includes notifying the Department of Education and potentially FERPA-related obligations.
Step 5: The Pay or Don't Pay Decision
This is the hardest call you'll make. There's no universally right answer, but here's a framework for thinking through it.
Arguments for paying:
- You have no viable backups and the data is critical to operations
- The cost of extended downtime exceeds the ransom amount
- Patient safety or student safety is at risk (healthcare, education)
- Your cyber insurance covers ransom payments
Arguments against paying:
- There's no guarantee you'll get a working decryption key (roughly 1 in 4 organizations that pay never fully recover their data)
- Payment funds criminal organizations and incentivizes future attacks
- You may face legal consequences if the attacker group is on a sanctions list (OFAC regulations apply)
- Paying marks you as a willing payer, making you a target for repeat attacks
- You still need to rebuild and harden your systems regardless
Legal considerations: Before making any payment, consult with legal counsel. The U.S. Treasury's OFAC has sanctioned several ransomware groups, and paying a sanctioned entity can result in significant fines and legal liability, even if you didn't know the group was sanctioned. Your breach response firm and legal team can help navigate this.
"Paying the ransom is a business decision, not a moral one. But it should never be your only option. If paying is your only path forward, something went wrong long before the ransom note appeared."
Stage 3: After the Attack (Recovery)
The ransom note is dealt with, one way or another. Now the real work begins. Recovery is not just about getting systems back online. It's about making sure this doesn't happen again.
Restore from Clean Backups
If you followed the 3-2-1-1 rule, you have immutable backups ready to go. Before restoring, make absolutely sure the backups themselves aren't compromised. Attackers sometimes plant backdoors weeks or months before deploying ransomware, which means your most recent backup may contain the same vulnerability they used to get in. Work with your response team to identify the initial compromise date and restore from a backup that predates it.
Rebuild Compromised Systems
Don't just decrypt and keep running. Any system that was touched by the attacker should be rebuilt from scratch. Reimage workstations. Rebuild servers from known-good configurations. Reset every credential in the environment, including service accounts that nobody remembers exist. Yes, this is painful. But restoring a compromised system without rebuilding it is like changing the locks on your front door while the burglar is hiding in your closet.
Post-Incident Hardening
Use the forensic analysis to understand exactly how the attacker got in, moved laterally, and deployed the ransomware. Then close every gap:
- Patch the specific vulnerability that was exploited for initial access
- Tighten network segmentation based on the lateral movement path
- Implement or improve MFA on every externally facing system and all admin accounts
- Review and restrict administrative privileges (attackers almost always escalate to admin)
- Deploy or reconfigure EDR based on the behavioral patterns observed
- Update email filtering rules based on the specific delivery mechanism used
Conduct a Blameless Post-Mortem
This is not about finding someone to fire. It's about understanding what failed, what worked, and what needs to change. Document the full timeline. Identify where detection was delayed, where communication broke down, and where your tools or processes fell short. The output should be a concrete list of improvements with owners and deadlines, not a finger-pointing exercise.
The Education Sector: A Special Note for August
If you work in K-12 or higher education, ransomware season is right now. School districts are prime targets because they hold sensitive student data, operate on tight budgets that limit security spending, and face enormous pressure to be operational by the first day of school. Attackers know this. They time their attacks deliberately.
A few education-specific recommendations:
- Segment student-facing networks completely from administrative systems
- Ensure FERPA-protected data is covered by your immutable backup strategy
- Run a tabletop ransomware exercise with your IT team before school starts
- Have a communication plan ready for parents and the school board, because you will be asked questions and "we're working on it" is not enough
- Check whether your cyber insurance covers the specific ransomware scenarios you're most likely to face
Your Ransomware Defense Checklist
Print this out. Tape it to the wall. Check off each item.
- Immutable backups in place and tested within the last 90 days
- Network segmentation implemented between critical zones
- EDR deployed on all endpoints with behavioral detection enabled
- Email filtering with attachment sandboxing and URL rewriting active
- Breach response firm on retainer with a current scope of work
- Incident response plan documented, distributed, and rehearsed
- Cyber insurance policy reviewed with ransomware coverage confirmed
- Admin credentials audited and MFA enforced on all privileged accounts
- Backup restoration tested with documented recovery times
- Post-incident communication templates ready for stakeholders
Ransomware is not going away. The attacks are getting faster, the ransom demands are getting larger, and the attackers are getting more professional. But the playbook for defending against them is well understood. The organizations that get hit hardest aren't the ones facing the most sophisticated attacks. They're the ones that never built the playbook in the first place.
Start with backups. Add segmentation. Get a retainer. Test everything. And when August rolls around and the ransomware gangs come knocking, you'll be ready.