Ransomware Recovery Plan: How to Recover from Ransomware (The Business Playbook)

June 11, 2026

The average total cost of a data breach reached $4.88 million in 2024, according to IBM’s Cost of a Data Breach Report. For ransomware incidents, that number climbs higher when you factor in weeks of downtime, IT remediation labor, legal fees, and regulatory obligations on top of whatever ransom demand landed on the screen.

The question every business owner asks after an attack is straightforward: can we get our data back? The honest answer is that recovery depends almost entirely on what your backup architecture looked like before the attack began.

This playbook covers what to do in the first hour after a ransomware attack, whether paying the ransom ever makes sense, how the technical recovery process works, and what a real ransomware recovery plan looks like before you need one.


What Ransomware Recovery Actually Means

Ransomware recovery is the full process of containing the attack, restoring encrypted or destroyed data, rebuilding compromised systems, and returning business operations to normal. Unlocking files is one step in that process, not the finish line.

Three realistic outcomes exist after a ransomware event. Full recovery means all data and systems are restored from clean, verified backups and the entry point is closed before anything comes back online. Partial recovery means some data returns, but gaps remain from infrequent backup schedules, missed backup jobs, or backup targets that were also encrypted during the attack. Unrecoverable scenarios occur when no usable backups exist and no decryption key is available.

Most small and midsize businesses (SMBs) with recent, tested, offline or immutable cloud backups recover fully. Organizations without that foundation face a substantially harder path.

Four variables determine recovery success more than anything else:

  • How recently your last backup completed
  • Whether those backups have ever been verified through an actual restore
  • How quickly the attack was detected after it began
  • Whether the backup repositories themselves were also encrypted during the event

What to Do in the First Hour After a Ransomware Attack

The first hour matters more than any other window in a ransomware response. Here is the sequence that limits total damage:

  1. Isolate affected machines immediately. Disconnect compromised systems from the network, cutting both wired connections and Wi-Fi. Do not power them off. Volatile memory often contains forensic evidence that incident responders use to identify the attacker’s tools and entry path.
  2. Identify the scope before touching anything. Determine which systems show signs of encryption, which appear clean, and whether backup repositories are intact or were also compromised during the attack.
  3. Contact your IT provider or incident response team within 30 minutes. Time-to-containment is the single most important variable in limiting total damage. Every minute of unchecked lateral spread expands the recovery scope and cost.
  4. Document everything visible before acting. Photograph or record the ransom note, the encrypted file extensions, and any visible error messages before rebooting or taking further action. That information helps identify the specific ransomware strain and informs every decision that follows.
  5. Loop in legal counsel early for regulated industries. Healthcare, finance, and legal services organizations face breach notification timelines that begin at discovery, not after remediation is complete. Confirm that your HIPAA-compliant IT solutions include an incident notification workflow, so your team knows exactly which obligations trigger and when.
  6. Do not pay, delete files, or attempt a DIY restore until the full scope of the attack is understood. Any of those actions, taken too early, complicates recovery and destroys forensic evidence.

Should You Pay the Ransom? The Honest Answer

No. Both CISA and the FBI advise against payment, and the reasoning is practical. Payment does not guarantee a working decryption key. It directly funds the criminal operation that attacked you, and it signals to the broader attacker network that your organization is willing to pay, which increases the probability of repeat targeting.

Consistent guidance from the FBI’s Internet Crime Complaint Center (IC3) and CISA makes this point clearly: a significant share of businesses that pay a ransom still lose data, receive non-functional decryption tools, or face a second attack within months. Paying does not resolve the underlying problem.

One legal risk most SMBs overlook: Several active ransomware groups appear on the U.S. Treasury’s Office of Foreign Assets Control (OFAC) Specially Designated Nationals list. Paying them constitutes a sanctions violation regardless of intent. Any organization considering payment must verify the ransomware group against the current OFAC SDN list and involve legal counsel before any funds transfer.

Payment enters the conversation only in a narrow scenario: no viable backups exist, the data at stake is genuinely irreplaceable, and both legal and law enforcement contacts are involved. Even then, it is a last resort with no guarantee of resolution.

The more productive question is not “should we pay?” but “why don’t we have backups that make this decision irrelevant?” That reframe leads directly to the recovery plan every SMB needs before an attack arrives.


How Ransomware Data Recovery Works Technically

When backups are available and intact, recovery follows a clear sequence. Skipping steps during a high-pressure event is where organizations create new problems on top of existing ones.

  • Verify backup integrity first. Confirm that backup copies are intact before restoring anything. Offline, air-gapped, or immutable cloud backups are the safest options. Network-attached storage (NAS) devices that were accessible on the network during the attack are a common encryption target and cannot be trusted until verified individually.
  • Wipe and rebuild rather than decrypt in place. Restoring data over a compromised operating system risks reinfection from dormant malware the attacker left behind. Clean OS images are the secure foundation for every machine in the recovery.
  • Scan restored systems before reconnecting. Use your managed endpoint detection and response (EDR) client to check each restored machine for residual indicators of compromise before it touches the network again.
  • Restore in business-critical priority order. Operational systems, customer-facing platforms, and financial records come first. Secondary and administrative systems restore after core operations are confirmed stable.
  • Close the entry point before anything goes live. The vulnerability that enabled the attack must be closed before any restored system reconnects to the network. That means patching unpatched Remote Desktop Protocol (RDP), replacing phishing-delivered credentials, and enforcing multi-factor authentication (MFA) on every remote access point.

For organizations with limited internal IT capacity or partially corrupted backups, professional data backup and recovery services accelerate the timeline and reduce the risk of incomplete remediation.


Ransomware Decryption: When Free Tools Are an Option

A free decryptor is the best-case outcome in a ransomware event, but it applies to a limited set of circumstances. The NoMoreRansom project (nomoreransom.org), operated jointly by Europol, the Dutch National Police, and industry partners, hosts free decryption tools for dozens of known ransomware families. This is the legitimate starting point for determining whether a decryptor exists for the strain attacking your organization.

Decryptors become available only when law enforcement seizes an attacker’s private encryption keys through a coordinated takedown of the group’s infrastructure. Newer variants, custom builds, and actively maintained ransomware-as-a-service (RaaS) platforms generally have no public decryptor.

To check whether a free decryptor exists for your strain:

  1. Identify the ransomware strain from the ransom note text, the encrypted file extension, or NoMoreRansom’s built-in identification tool.
  2. Search the decryptor database at nomoreransom.org for a match.

The process takes minutes and costs nothing.

Critical warning: Fake decryptor tools are a documented secondary attack vector. Download tools only from nomoreransom.org or verified law enforcement channels, never from third-party sites claiming to offer decryptors. Those sites are a common delivery mechanism for additional malware onto already-compromised systems.

Free decryption tools are a recovery supplement, not a strategy. They cover a subset of older or disrupted ransomware families and provide no protection against novel variants or actively maintained strains.


How Long Does Ransomware Recovery Take?

The range is wide, and preparation accounts for most of the difference.

Organizations with tested, recent backups and a documented incident response plan typically restore core operations within 24 to 72 hours. Those without adequate preparation routinely spend weeks or months rebuilding, often with permanent data loss. Organizations with mature backup architecture and enforced identity controls, including MFA on all remote access points, consistently recover faster than those without.

Several variables extend recovery time beyond the initial scope:

  • Encryption breadth: One compromised workstation recovers in hours. A full server environment with domain controller encryption takes weeks.
  • Backup retrieval speed: Restoring from on-site storage is faster than pulling large data volumes from offsite cloud infrastructure.
  • OS image availability: Pre-staged clean images accelerate rebuilds significantly. Organizations without them lose additional days sourcing and configuring base installations.
  • Entry point identification: Reconnecting systems before closing the original vulnerability means starting the recovery process over.

The hidden cost multiplier: Total recovery expense extends well beyond downtime. Staff hours on remediation, legal and forensic fees, regulatory notification costs, and reputational impact with customers all compound the direct expense significantly. The return on investment for backup readiness and a tested incident response plan becomes straightforward after even one incident.


Ransomware Recovery Best Practices for SMBs

The organizations that recover quickly from ransomware made structural decisions before the attack occurred, not after.

  1. Follow the 3-2-1-1 backup rule. Keep three copies of your data on two different media types, with one copy offsite and one offline or immutable. This architecture ensures at least one backup survives a full-environment attack, including deliberate targeting of backup repositories.
  2. Test restores on a documented schedule. A backup that has never been restored is an assumption, not a plan. Quarterly restore drills surface configuration issues and retention gaps before a crisis forces that discovery under pressure.
  3. Enforce MFA on every remote access point. Virtual private network (VPN), RDP, cloud email, and any other externally accessible system require MFA. Credential theft and phishing are the two most common ransomware entry vectors, and MFA blocks the majority of automated credential-based attacks.
  4. Segment your network. A compromised endpoint should not have a direct path to backup repositories, domain controllers, or financial systems. Segmentation is what keeps a single infected machine from becoming a full-environment event.
  5. Store the incident response plan outside your primary systems. A printed copy in an offsite location, or a version in a cloud environment separate from your production network, ensures the plan is reachable precisely when production systems are not.
  6. Formalize a tested recovery workflow with your managed IT provider. Partner with your provider to build business continuity solutions that cover both the backup architecture and the step-by-step procedures your team will actually execute when the pressure is on.
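As an added illustration of the 3-2-1-1 rule and of the four recovery variables listed earlier (example code written for this page, not LeadingIT's own tooling), the following Python script checks a backup inventory against both sets of criteria. The inventory fields, the thresholds (24-hour backup age, 90-day restore drill) and the sample data are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory, one entry per backup copy. The keys are
# assumptions for this example, not any backup product's schema.
SAMPLE_INVENTORY = [
    {"name": "on-prem NAS", "media": "disk", "offsite": False,
     "offline": False, "immutable": False,
     "last_completed": "2026-06-10T02:00:00Z",
     "last_verified_restore": "2026-03-15T00:00:00Z"},
    {"name": "cloud object-lock bucket", "media": "cloud", "offsite": True,
     "offline": False, "immutable": True,
     "last_completed": "2026-06-10T03:00:00Z",
     "last_verified_restore": None},
    {"name": "rotated LTO tape", "media": "tape", "offsite": True,
     "offline": True, "immutable": False,
     "last_completed": "2026-05-01T00:00:00Z",
     "last_verified_restore": "2026-01-10T00:00:00Z"},
]
SAMPLE_NOW = datetime(2026, 6, 11, tzinfo=timezone.utc)


def _when(ts):
    """Parse an ISO-8601 UTC timestamp; None stays None (never happened)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def assess(inventory, now, max_age_hours=24, max_restore_age_days=90):
    """Return a list of findings; an empty list means the posture passes."""
    findings = []
    # 3-2-1-1: three copies, two media types, one offsite, one offline/immutable.
    if len(inventory) < 3:
        findings.append("fewer than three copies")
    if len({c["media"] for c in inventory}) < 2:
        findings.append("all copies on one media type")
    if not any(c["offsite"] for c in inventory):
        findings.append("no offsite copy")
    survivors = [c for c in inventory if c["offline"] or c["immutable"]]
    if not survivors:
        findings.append("no offline or immutable copy")
    # Recency: at least one copy must have completed inside the window.
    if not any(_when(c["last_completed"]) >= now - timedelta(hours=max_age_hours)
               for c in inventory):
        findings.append(f"no copy completed in the last {max_age_hours} hours")
    # Verified restore: only copies that survive a full-environment attack
    # (offline or immutable) count, because a network-reachable repository
    # is itself an encryption target and cannot be trusted after an event.
    cutoff = now - timedelta(days=max_restore_age_days)
    tested = [c for c in survivors if _when(c["last_verified_restore"])
              and _when(c["last_verified_restore"]) >= cutoff]
    if survivors and not tested:
        findings.append("no offline or immutable copy has a verified restore "
                        f"in the last {max_restore_age_days} days")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_INVENTORY, SAMPLE_NOW):
        print("FINDING:", finding)
```

With the sample data the 3-2-1-1 layout passes, but the script still flags that neither attack-surviving copy has a recent restore drill, which is exactly the gap a quarterly restore test is meant to close.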

Ransomware Incident Response Checklist

A phased checklist only helps if it exists before the attack, not during it.

Phase 1: Immediate Containment (0–1 Hour)

  • Isolate affected systems from the network; do not power them down
  • Document the ransom note and encrypted file extensions
  • Notify your IT provider or incident response contact immediately

Phase 2: Assessment (1–4 Hours)

  • Determine the full scope of encryption
  • Confirm backup status and integrity
  • Identify the likely entry point
  • Escalate to legal counsel if regulated industry breach notification obligations apply

Phase 3: Decisions and Notifications (4–24 Hours)

  • Report to law enforcement through the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov
  • Verify OFAC obligations before any payment decision
  • Fulfill applicable regulatory breach notification requirements
  • Document the complete incident timeline for legal and insurance purposes

Phase 4: Technical Remediation (24 Hours to Several Days)

  • Wipe and rebuild affected systems from clean OS images
  • Restore data from verified backups in business-critical priority order
  • Run EDR scans on all restored systems before reconnecting to the network

Phase 5: Post-Incident Hardening (Week 2 Onward)

  • Patch or remediate the confirmed entry point
  • Rotate all credentials and service account passwords
  • Review EDR telemetry for dwell time and lateral movement patterns
  • Update the incident response plan with lessons learned from the event

Treat this checklist as a living document. Review and test it at least annually and after any significant infrastructure change. A checklist no one has practiced offers little real protection when an incident unfolds.


Frequently Asked Questions About Ransomware Recovery

  • Can you always recover from a ransomware attack? Not always. Recovery depends almost entirely on backup quality and recency. With tested, recent, offline backups, most SMBs recover fully. Without them, full recovery is not possible regardless of whether a ransom is paid.
  • Does paying the ransom guarantee getting your data back? No. FBI and CISA guidance is explicit: payment does not guarantee a working decryption key. A significant share of victims who pay still lose data or face repeat attacks within months.
  • How much does ransomware recovery cost in total? Total cost includes the ransom if paid, downtime losses, IT remediation labor, legal and forensic fees, regulatory notification costs, and reputational impact. IBM’s 2024 Cost of a Data Breach Report places the average total cost of a data breach at $4.88 million, with ransomware incidents trending above that average.
  • Can ransomware be reversed without paying? Sometimes. If a free decryptor exists on NoMoreRansom for the specific strain, decryption is possible without payment. If clean, recent backups are available, restoration is the more reliable path. For most current variants without a public decryptor and without viable backups, reversal without payment is not achievable.
  • What is the single most important action to take immediately after a ransomware attack? Isolate affected machines from the network to stop lateral spread, then contact your IT provider. Do not reboot systems, delete files, or attempt any recovery action before the full scope of the attack is understood.

Where to Go From Here

When your backup architecture is tested, current, and isolated from the rest of your environment, ransomware becomes a recoverable event rather than a business-ending one. Your team opens the incident response plan instead of scrambling to build one under fire. Recovery starts with a restore from a verified backup rather than a negotiation with attackers. The difference between those two scenarios is almost entirely about preparation made in advance.

LeadingIT provides managed IT and cybersecurity services to businesses across the Chicagoland area, including backup architecture design, incident response support, endpoint detection, and compliance alignment for regulated industries. Whether your organization needs to build a backup infrastructure from the ground up or close specific gaps in what already exists, the services that make this playbook actionable are available.

When ransomware becomes a managed risk rather than a recurring crisis, your team can focus on the work that actually moves the business forward.

Find out whether your backup and recovery posture is ready for a ransomware attack. Schedule a free Cyberscore assessment or call 815-788-6041 to connect with our team.


Stephen Taylor is the founder and driving force behind LeadingIT, a Chicagoland-based IT and cloud services company, where he focuses on delivering practical, client-first technology solutions for businesses. A Microsoft Certified professional and author of Technology Should Just Work, he combines hands-on expertise with a passion for making IT simple, transparent, and effective. Read more about the author.
