Skip to content Skip to footer

Loading Results

Ransomware readiness and recovery

Ransomware is now the most significant threat facing organisations

Over the last two years, there has been a surge in the number of “human-operated” ransomware attacks. In this type of attack, criminals gain access to an organisation's networks and deploy ransomware to encrypt data –often to devastating effect – before attempting to extort organisations into paying seven or eight figure ransoms. There has also been a major shift in tactics with attackers now stealing and exfiltrating organisations' most sensitive data, before deploying ransomware, to further extort victims. This has significantly complicated how organisations respond. These attacks represent a greater challenge than previous well-known cyber threats, as they are carried out by skilled and adaptable criminals, who can overcome defences, as well as evolve their tactics to maximise their chances of getting organisations to successfully pay out. Recovering from these attacks can take organisations months and cost millions, all while they are unable to operate and provide key services.

The disconnect between cyber security and business resilience

The cyber security function’s core focus is to both prevent a cyber attack from reaching critical IT services, and to rapidly detect and contain it should prevention fail. It rarely considers how to recover if an attack cannot be contained.

The IT and business resilience teams focus on avoiding downtime, but are commonly built around "failure modes" which are physical in nature and limited to a single location (e.g. natural disasters impacting a data centre) and fail to consider cyber security threats.

This organisational disconnect results in gaps in both IT resilience and cyber security capabilities which are rarely understood or articulated.

Resilience solutions, which do not take cyber threats into account by design, may inadvertently facilitate the spread of ransomware across the IT estate via data replication technologies, including to disaster recovery facilities which are then also infected and cannot be relied upon.

Resilience solutions may also not be secured against deliberate tampering by an attacker (e.g. to prevent their use for recovery). In the event of an incident this means that resilience solutions either fail, are ineffective or even exacerbate the problem.

The end result is that the business cannot restore its IT services in the timescales or state needed, and operations are significantly interrupted. In some cases, this interruption can be severe enough to create a “going concern” risk for the business.

In order to protect themselves against the latest ransomware threats, organisations need to:

  • Have key cyber security controls in place to prevent attackers getting a foothold.
  • Obtain clear visibility of their IT estate to maximise the chances of early detection before the attacker “detonates” their ransomware.
  • Build a resilient business which can contain the spread of ransomware and respond quickly.
  • Prepare and plan for disruption, and become confident in how recovery will be achieved.

These efforts require concerted engagement from both technology and business teams to deliver holistic resilience to ransomware.

End-to-end exercising

Ransomware attacks are unique in the immediate scale of impact they can have across an entire organisation. Staying afloat in the face of a catastrophic ransomware attack will rely on a well-organised, well-rehearsed response from technical front line to C-Suite and Board and across the supporting functions such as Corporate Affairs; everyone needs to play a part.

However, the initial response to a ransomware attack is only the beginning - recovery takes weeks, if not months.

End to end exercising will help you understand the potential routes and validate the timelines to recovery, including the processes which are required to recover both with and without paying a ransom.

The first step to reducing the exposure for your organisation to ransomware disruption is:

  • Understanding your risks and current defences.
  • Making rapid, targeted preparations to respond if you’re attacked.
  • Planning to build your resilience.

How can PwC support?

PwC provides a multi-disciplinary best in class team of cyber incident response, crisis management, crisis communications, and business resilience experts who can rapidly baseline your current exposure to ransomware risk, and help you plan to improve your resilience and your ability to respond effectively.

1. Ransomware readiness review

  • Assess the cyber security controls which are key to defending against ransomware attacks.
  • Review your ability to respond and recover from ransomware attacks.
  • Provide a clear understanding of your vulnerability to ransomware and identify priority improvements.
  • (Optional) Simulate an attack against your organisation using security testing to identify quick-win improvements.

2. Resilience and recovery strategy

  • Assess the impact on the IT services and on the business immediately following ransomware detonation.
  • Identify the current recovery options in place to assist recovery in the event of a successful attack
  • Review your business and technology response plans, and your scenario playbooks.
  • Identify options for improvements in prevention and detection.

3. Response and recovery exercising

  • Understand the complex business challenges which come with a catastrophic ransomware attack.
  • Rehearse how IT, Security and ITDR teams work together when corporate IT ceases to function.
  • Explore the realities of recovering from ransomware, both with and without a decryption tool.
  • Prepare for the significant internal and external communications challenges which come with ransomware attacks.

Why choose PwC

Real-world experience of responding to ransomware

PwC’s specialist teams bring experience and insights from the front-lines of assisting hundreds of clients respond and recover from real ransomware attacks. This is used to deliver realistic exercises and reviews focused on the cyber security capabilities and technology design decisions which make a real difference in a ransomware scenario. Below are just a few examples of exercises and reviews PwC has conducted for clients.

 retail rose

Performed a Ransomware Readiness Review for a UK retailer to assess their vulnerability to human-operated ransomware attacks.

 strategy rose

Developed a series of priority tactical and strategic projects to reduce their risk of attacks, and improve their ability to respond and recover.

 data security rose

Simulated attacks with security testing to validate improvements and that the risk of ransomware attacks has been reduced.

 auditing rose

Delivered a series of escalating Ransomware Response and Recovery exercises for a professional services organisation.

 people audience teamwork rose

Exercised how the IT Major Incident and cyber response teams would work together to respond against challenging timeframes.

 cogs rose

Simulated the complex decision making and leadership challenges Executives would face when responding to catastrophic attacks.


Follow us

Required fields are marked with an asterisk(*)

By submitting your information, you acknowledge that we may send you business insights that we consider relevant to your interests. Please see our privacy statement for details of why and how we use personal data and your rights (including your right to object and to stop receiving marketing communications from us). To stop receiving marketing communications from us, click on the unsubscribe link in the relevant email received from us or send an email to

Contact us

Simon Borwick

Simon Borwick

Partner, PwC United Kingdom

Tel: +44 (0)7867 196473

Bobbie Ramsden-Knowles

Bobbie Ramsden-Knowles

Crisis and Resilience Partner, PwC United Kingdom

Tel: +44 (0)7483 422701

James Cooke

James Cooke

Director, PwC United Kingdom

Tel: +44 (0)7718 864896