How do I recover from a ransomware attack?

How to recover from a ransomware attack

Ransomware attacks are on the rise, and they can greatly cost businesses which is why a good ransomware recovery plan is key.

A successful ransomware attack will restrict access to devices and steal important data, with the business having to pay a ransom to get access back or recover stolen data. We understand how important business continuity is and planning for potential disruptions can lead to faster resolutions and peace of mind for everyone involved. In this article, we’re going to discuss what to do when you’ve been breached because good preparation can lower the impact an attack has on the business.

Malware prevention is an important part of a robust cyber security system but with ransomware attacks tripling in the last few years, it’s important to get prepared for the possibility of a breach by understanding the steps to ransomware attack recovery. Having the right team and processes in place to recover from a ransomware attack is just as important as prevention.

In this article, we’ll cover:

  • The impact of ransomware on businesses
  • Why ransomware is a growing threat
  • The steps to ransomware recovery


The impact of ransomware on businesses


Security Magazine reported ransomware attacks increased by 92.7% in 2021 when compared to 2020 and the estimated cost of ransomware attacks for businesses globally in 2021 was $20 billion (USD).

The ransom money paid is not the only cost a business will face from an attack. Ransomware attacks also lead to damaged brand image, loss of revenue, service disruption and unplanned workforce reductions. The FBI’s Internet Crime Complaint Center reported a 225% increase in ransomware demands between 2019 and 2020 in the US which is an alarming trend.

We know the malware landscape is an ever-evolving threat and it’s our job to support leaders and crisis planners with up-to-date knowledge and response tactics. Crisis management teams will be no strangers to new and unexpected threats. Good planning results in prepared teams, so knowing how to recover from a ransomware attack should be a part of every incident response plan.


Why ransomware is a growing threat


One of the key factors behind the growth in this threat is ransomware-as-a-service. Cyber criminals use this technique to create a strain of ransomware and then license it to other cyber criminals. Instead of executing the attack, the licensor gets a percentage from ransoms collected.

That’s right, the same automation, outsourcing and scaling strategies most businesses use to grow are now being used by cyber criminals. This creates an environment where new threats are being created and the frequency of attacks increases too.

When looking at the amount of money these attacks can make, you begin to see the reason behind such a sophisticated approach to ransomware. This current environment only reinforces the need for a ransomware recovery plan. That’s why it’s key to have set processes to follow and to execute them with speed and precision. The more experienced your cyber security support means they will have more known solutions. Below are the key steps to ransomware recovery.


The steps to ransomware recovery


Accepting that a ransomware breach is a possibility isn’t pessimism or talking down your prevention system, it’s a mindset that results in good planning, training and processes. Ransomware attacks are on the rise, and it took an average of 212 days to detect ransomware in breach and 287 days to both detect and contain a breach in 2021. In recovering from a ransomware breach, it’s important to investigate, remediate (contain, eradicate), and communicate in parallel. The need to work in parallel requires skilled individuals and teams who are well drilled in this type of scenario.




A successful ransomware attack will often be discovered by a staff member who can’t access the documents or device infected. Your cyber security team’s first step is to assume that more than one user could be affected and they should identify infected systems, users who could be infected, what ransomware has been installed and the potential impact of the ransomware. Questions to ask yourself at this stage may include:

  • Will this disrupt front-end services and internal systems?
  • Has any business or client information been lost?
  • Is it a network attack, data theft, or a mix of threats?
  • Has the attack put you in violation of contracts?

It’s important that identification happens quickly and is accurate as this will instruct the next steps of ransomware recovery: containment and eradication. Different types of ransomware have varying capabilities, so identifying the correct ransomware is key.

While a team is focused on stopping the current attack and recovery, other members of the cyber security team will be focused on root cause analysis to instruct long term solutions such as patching of the vulnerability that led to the attack.


Remediate: Contain


The goal of containment is to ensure the ransomware does not complete encryption and to stop it from spreading in the same network. This should include immediately isolating any infected devices from your network and shutting down or hibernating any systems that you can’t disconnect from your environment.

Next, you should take a system image and memory capture from a sample of infected devices, which allows for analysis to take place knowing that the ransomware can no longer spread.

The quarantine process should cut all access for the infected device and systems including access to cloud storage and software, single sign-on access, and system access to business tools.

Also, be sure to collect all security logs and preserve evidence that’s highly volatile in nature or has limited retention during this stage.

You may want to consider automating parts of your containment process so teams can focus on other areas. Some of the tasks in the containment phase can be time consuming and repetitive, so automation with orchestration tools can save you time and speed up ransomware recovery.

If the analysis finds the ransomware came through email, the cyber security team will take measures to restrict incoming messages and may also delete all pending messages across all staff inboxes until the attacker’s IP and addresses have been blocked from the system.

Being prepared for the email system to be down is important in planning alternative all staff communication channels during a crisis such as SMS.

In the case of a website compromise, the cyber security team will take measures to block the website from the business network.

Containment may impact business operations including staff losing access to networks, customers losing access to websites and frayed relationships with impacted clients.


Remediate: Eradicate


Eradication of the ransomware can be a lengthy process depending on the severity of the attack as it involves removing the malware from infected systems across the organisation. If it is a single device that has been infected, eradication will be easier than an incident where ransomware has attacked multiple devices across a network. This is because the individual infected devices will need to be assessed and rebuilt, but also potential key machines in the IT infrastructure could also need to be taken offline, assessed, and rebuilt.

To make this process easier, we suggest organisations follow a 3-2-1 backup strategy. This involves always keeping three copies of data (one primary and two backups), keeping data on at least two types of storage media, and storing one of these offsite in a place that doesn’t have network connectivity to your environment.

Steps to consider at this stage:

  • Specify tools and procedures to rebuild infected systems
  • Restore from clean backups.
  • Confirm endpoint protection is up to date and enabled
  • Monitor for re-infection and conduct analysis to identify outside-in and inside-out persistence mechanisms
  • Specify what financial, personnel and logistical resources are needed to accomplish full remediation.




At all stages of a ransomware attack, communication with key stakeholders is critical to a successful recovery. With cyber security and IT teams focused on the issue of containment, leaders should be taking a broader view of business needs and impact so they can communicate and pull in required assistance. Some key teams and stakeholders to consider:

  • All staff: Staff should understand what to look out for, who to inform if impact, disruptions to business and media policy.
  • Client services and frontline staff: Staff who will be receiving queries directly from clients or customers.
  • Security and IT vendors: Third-party support in solving the ransomware issue.
  • Finance and HR: These teams should be prepared to release funds and allow outsourced help to come on board quickly.
  • Public relations: Pull in PR and communication teams to facilitate communication to key stakeholders including media, investors, board members and clients.
  • Legal department: To work closely with PR to form external messaging and to prepare for any breach of contract issues due to disruption to business continuity. You should also contact insurance providers (if cyber insurance in place – they should be contacted first).
  • Law enforcement: Notify law enforcement of the breach.
  • Administration teams: Extra support to document the response and facilitate communication between teams.
  • Executive teams: They should be briefed regularly with consistent reports to assist conversations with priority stakeholders.
  • Regulatory authorities: If a breach involves personally identifiable information (PII), you are obligated under UK law to report the breach to the
  • Information Commissioner’s Office (ICO): Contact within 72 hours of the breach.

Ultimately, it’s important for you to establish a secure communication channel and strategy with all key stakeholder and responders when handling the outbreak.

Also, if you have cyber insurance, it’s imperative that you seek legal advice or guidance from them before contacting the NCSC, NCA, or Action Fraud. If you fail to contact your insurer first, there’s a risk you may invalidate your insurance.




We do not recommend paying the ransom as it doesn’t guarantee the solution will go away and will just encourage the attackers to focus more attempts on your systems.

You should begin recovery only once you are 100% sure that the incident is under control and there’s no further risk of re-infection. Once you’re confident the threat is contained, you should begin the launch of your continuity plans, plan to recover data from clean backups, and use your cyber security team’s repository of keys and decryptors to regain access to data or systems.

Paying the ransom should only be considered as an absolute last resort for irretrievable critical assets and data. Before you do this, make sure you talk to experienced cyber security professionals as your team may not know all the potential solutions. Consider reaching out to a cyber security agency for extra support.

If ransomware is a new area of concern for your business, you should consult experienced cyber security agencies to do a cyber security audit of your systems. Having experienced third party support will also mean you’ll have access to a repository of previously used recovery methods that can be implemented quickly.

If you’ve been the victim of a ransomware attack and need additional advice or support, we are here to help.

We can also help you build a personalised incident response plan if you don’t have one. We’ve worked with several business continuity and crisis planning teams and can deliver an industry-specific plan and also feed into scenario planning and training.

Connect with one of our cyber security experts today to talk about prevention and recovery from ransomware attacks.