Ransomware Response: What SMEs Must Get Right in 2024

As 2024 approaches, ransomware continues to dominate headlines and remain a top threat to small and medium businesses worldwide. In New Zealand and globally, we’ve seen a surge in targeted attacks against supply chains, service providers, and SMEs with weak protections. Responding to a ransomware incident isn't just about recovery—it's about survival and preserving trust.

⚠️ The Stakes Are Higher Than Ever

Ransomware groups no longer encrypt data and demand a ransom—they also exfiltrate and threaten to leak sensitive information if payment isn’t made. This creates legal and reputational risks that extend far beyond downtime or data loss. For SMEs, a poorly handled incident can mean loss of clients, regulatory scrutiny, or even closure.

🚨 First 24 Hours: What You Do Matters

When ransomware hits, every second counts. Immediate priorities include:

• Isolating infected devices and networks
• Notifying your IT provider or security partner
• Preserving forensic evidence (don’t wipe everything!)
• Identifying what data and systems were impacted

A prepared incident response plan (IRP) enables a coordinated response instead of a chaotic scramble.

🔑 Backup Strategy Is Your Lifeline

Not all backups are created equal. Ransomware often seeks out and encrypts attached or poorly protected backups. SMEs should ensure:

• Immutable/cloud backups with MFA
• Regular recovery testing
• Air-gapped or offsite versions
• Backup segmentation from production networks

🧠 Train Your Humans

Phishing remains the most common entry vector. Cybersecurity awareness training, regular simulations, and proper access controls are essential. Staff must know how to spot suspicious attachments and how to escalate threats.

🔐 Harden Your Defenses

SMEs must adopt a layered approach with:

• Endpoint detection and response (EDR)
• Patch management discipline
• Multi-factor authentication (MFA) everywhere
• Firewall rules that block unnecessary outbound traffic

Many ransomware attacks succeed simply because basic hygiene is neglected.

📣 Communications Matter

One of the most overlooked aspects of ransomware response is communication. Clients, suppliers, regulators, and even media may need to be informed. Having prepared templates and an assigned spokesperson can reduce confusion and reputational harm.

📄 Legal and Insurance Coordination

If you have cyber insurance, notify your insurer immediately. Some policies require forensic firms or recovery partners from an approved panel. Legal counsel should review ransom communications and breach disclosures before any actions are taken.

🏁 Post-Incident: Learn and Rebuild

After containment and recovery, SMEs must perform a thorough post-incident review. How did the breach occur? Were policies followed? What can be improved? These lessons should feed directly into updated playbooks and prevention strategies.

Eduardo Wnorowski is a Technologist and Director at Virtus Group Ltd.
With over 28 years of experience in IT and consulting, he brings deep expertise in networking, security, infrastructure, and transformation.
Eduardo helps New Zealand businesses navigate change with clarity, security, and trust.
🔗 Connect on LinkedIn