5 Steps for Creating a Ransomware Crisis Communication Plan
According to the latest report from cybersecurity company Coveware, Q2 2020 saw a decrease in the number of ransomware attacks among top-ranking variants. But there was some bad news, too: in Q2, ransomware operators demanded even more money from their victims. The average ransom payment in Q2 rose to a whopping $178,254, up 60 percent from Q1.

Even with the encouraging drop in the number of attacks, ransomware remains a real threat to many industries. In fact, for healthcare organizations, government agencies, and large enterprises, being impacted by ransomware is becoming a question of “when” rather than “if.”

Even tech giants like Germany’s Software AG aren’t immune to ransomware. The “Clop” ransomware gang recently infiltrated Software AG’s internal network, encrypted files, then demanded $20 million from the massive software firm in exchange for the decryption key.

When negotiations failed, the gang published screenshots of Software AG’s data on a dark web leak site, exposing employee passport and ID scans, employee emails, financial documents, and directories from the company's internal network.

The breach at Software AG is a timely example of why it’s crucial to have a ransomware crisis communication plan documented and tested before you need it. Many different individuals and groups were negatively affected by that ransomware attack, and all of them wanted and needed answers from the company.
Software AG obviously has the resources and technical acuity to defend itself against ransomware, and yet the company was the victim of a breach. Let this be your call to action. Follow these five steps to create or refine your ransomware crisis communication plan now so you aren’t scrambling to piece together an appropriate message for customers and stakeholders while your decision makers are in crisis mode.

Step 1: Decide Who Needs to Be Looped in Immediately

The middle of a crisis is a bad time to try to remember who needs to know what. Start building your communication plan by identifying all of the individuals and groups who will need to be informed of a cybersecurity event, including employees, customers, legal counsel, and major stakeholders.

Step 2: Designate a Spokesperson

Designating a single gatekeeper for crisis communication will help preserve and control your messaging. Have all communication go through this person, and decide in advance how messages will be communicated to customers and others on the “need to know” list. If your company is global, have the main spokesperson work with regional spokespeople for cohesive, region-specific messaging about the crisis.

Because you can’t anticipate the full impact of a ransomware outage, have a backup plan in case your first choice of spokesperson, or your first choice of channel for sharing information, isn’t available because of the outage.

Step 3: Draft Boilerplate Messaging for Each Specific Audience and Each Communication Platform

The information you convey to your customers will be different from the information you share with employees and the legal team. Create audience-specific messaging for each group that can be disseminated quickly and easily during and after the crisis.

To ensure you’re communicating as efficiently as possible, develop messaging that is appropriate for each of your communication platforms, such as email, your website, social media, and the telephone.

Step 4: Create a Communications Best Practices Document for Customer-Facing Teams

Your customer-facing employees will be on the front lines during a ransomware crisis, so arm them with the appropriate tools. Set the teams up to succeed with a crisis communication best practices document that is brand-aligned, uses authentic language, avoids corporate speak, and adheres to the corporate strategy.

Be sure to emphasize the importance of sticking to the official communications brief to avoid liability and further reputation damage.

Step 5: Develop an Internal Communication Plan for Fast Dissemination of Information

During a ransomware crisis, it’s important to keep employees informed about what is happening. Use email, Slack, or other company-managed communication tools to share updates about how the infection is currently affecting operations, the current recovery status, and any other information that gives employees visibility into the crisis and makes them feel looped in.

How your company responds after a ransomware attack can make a huge difference in how much damage your reputation and customer relationships sustain. Proactively creating a ransomware crisis communication plan gives control of the conversation to a single, knowledgeable source, which will enable the organization to release careful, cohesive messaging to stakeholders and the public.

Download A Ransomware Crisis Plan is Now a Business Imperative to learn more ways to minimize the impact of a ransomware attack on your data, productivity, and reputation.