

Ransomware attacks started as a novelty, but have now become a clear and present danger to entities of every size and function. The number of ransomware attacks and the price of demanded ransoms have escalated steeply since 2018. Legislation and policy have not kept up. Policymakers have sought to shape the incentive structure for victims so that it encourages defense and discourages ransom payments. While they are sympathetic to businesses that fall victim to these attacks, which can sometimes be existentially threatening, few policymakers (or their staff) have ever experienced the shock of an attack firsthand. As a result, they are searching with incomplete information for the right combination of carrots and sticks that will help victims and hurt attackers.

This report aims to put the reader in the shoes of the victim at the shocking, powerless moment of realising that a ransomware attack has occurred. It walks through a set of decisions that the victim must make on their worst day and in the weeks to follow. How well an entity succeeds in navigating that peril depends on decisions made well before an attack, so the report also makes recommendations for both government and industry on how to encourage preparation and simple defensive steps.

Publication Details
License type:
All Rights Reserved