
Ransomware Recovery: Your 15-Minute Action Plan

📅 February 8, 2024 ✍️ OTG Networks ⏱️ 9 min read

Your screen goes black. Then this message appears:

"All your files have been encrypted. You have 72 hours to pay $50,000 in Bitcoin or your data will be permanently deleted. Don't try to restore from backups—we encrypted those too."

Welcome to every IT manager's nightmare. Ransomware has hit your business, and the clock is ticking.

What you do in the next 15 minutes will determine whether you're back online by lunch or explaining to the board why the company is closing. Let's walk through the exact steps you need to take—right now.

Minutes 0-5: Stop the Bleeding

Step 1: IMMEDIATELY Isolate Infected Systems (60 seconds)

DO NOT shut down infected computers yet: powering off destroys volatile memory that forensic responders (and occasionally decryption tools) need. First, disconnect them from the network:

• Unplug network cables physically
• Disable Wi-Fi
• Disconnect from VPNs
• Detach removable drives (USB sticks, external disks) so they are not encrypted along with the host

Why: Ransomware spreads laterally across networks. Every second a host stays connected, it is encrypting more shares and devices. Isolation also cuts the attacker's remote access and command-and-control channel, which is how they move between systems and reach your backup servers. Stop it NOW.

Step 2: Alert Your IT Team and Management (60 seconds)

Send immediate alerts to:

• IT/Security team
• Executive leadership
• Your managed service provider (if you have one)
• Your cyber insurance carrier

Use phone calls or text messages—NOT email (email servers might be compromised). Use a group text or emergency contact system.

Step 3: Identify the Scope (3 minutes)

Quickly assess:

• How many devices show encryption?
• Which servers are affected?
• Are backups accessible or encrypted?
• Is ransomware still actively spreading?

Document everything with timestamps and screenshots. You'll need this for insurance claims and forensics.

Minutes 5-10: Activate Recovery

Step 4: Do NOT Pay the Ransom (Yet) (30 seconds)

Resist the immediate panic urge to pay. Here's why:

• A substantial share of businesses that pay never get all their data back; attacker-supplied decryptors are often slow, buggy or incomplete
• Payment doesn't remove the malware or close the entry point, so attackers can strike again
• You fund criminal operations and mark yourself as a willing payer
• Paying a sanctioned group can itself be illegal (OFAC and similar regimes), so law enforcement, legal counsel and your insurer need to be involved before any decision

Payment is your last resort, not your first action.

Step 5: Check Your Immutable Backups (2 minutes)

Access your backup console from a clean device (ideally a cloud-based, immutable repository, not a server on the infected network):

• Verify backups exist and are intact
• Check the last successful backup timestamp
• Confirm backup data is NOT encrypted
• Identify recovery point objectives (RPO)

If you have clean, immutable backups, you won't need to pay. This is why immutability is critical: a backup held under object lock or WORM retention cannot be deleted or overwritten during its retention window, even by someone holding the backup administrator's credentials, and deleting backups is exactly what attackers try to do before they trigger encryption.
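
The "confirm backup data is NOT encrypted" check can be done mechanically rather than by eyeballing folders. The script below is an added illustration, not part of the original article or any backup product: it walks a listing of backup files, classifies each one as clean, encrypted, suspect or a ransom note, and reports whether the newest restore point is inside the RPO. It checks file headers ("magic" bytes) before falling back to a byte-entropy test, because legitimately compressed formats (docx, zip, jpg) are also high-entropy and would otherwise be false positives. The magic table, the appended-suffix list, the 7.2 bits/byte threshold and the sample files are all assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath

# Expected leading bytes for common document types (assumption: extend for your data).
# A backup copy of a PDF that no longer starts with %PDF has had its header overwritten.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
# Illustrative suffixes appended by some families (assumption, not exhaustive);
# a real triage would load the suffix and note names of the identified variant.
RANSOM_SUFFIXES = {".locked", ".encrypted", ".crypt", ".enc"}
NOTE_HINTS = ("readme", "restore", "decrypt", "how_to")
ENTROPY_THRESHOLD = 7.2  # bits per byte; ciphertext is ~7.9+, English text ~4-5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    """Return one of: ransom_note, encrypted, suspect, clean."""
    p = PurePosixPath(name.lower())
    if p.suffix in (".txt", ".html", ".hta") and any(h in p.name for h in NOTE_HINTS):
        return "ransom_note"
    if p.suffix in RANSOM_SUFFIXES:
        return "encrypted"
    expected = MAGIC.get(p.suffix)
    if expected is not None:
        if data.startswith(expected):
            return "clean"  # header intact; high entropy is normal for zip/jpg
        return "encrypted" if shannon_entropy(data) > ENTROPY_THRESHOLD else "suspect"
    # Unknown type: entropy alone is a weaker signal, so only mark it suspect.
    return "suspect" if shannon_entropy(data) > ENTROPY_THRESHOLD else "clean"


def triage_backup(files: dict, now: datetime, rpo_hours: float) -> dict:
    """files maps path -> (mtime, content). Returns a go/no-go summary for the restore point."""
    results = {name: classify(name, data) for name, (_, data) in files.items()}
    newest = max(mtime for mtime, _ in files.values())
    age_hours = (now - newest).total_seconds() / 3600
    tainted = sorted(n for n, r in results.items() if r in ("encrypted", "ransom_note"))
    return {
        "results": results,
        "newest_age_hours": round(age_hours, 2),
        "within_rpo": age_hours <= rpo_hours,
        "tainted": tainted,
        "usable": not tainted and age_hours <= rpo_hours,
    }


def _pseudo_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for ransomware output (constructed)."""
    out, h = b"", hashlib.sha256(seed).digest()
    while len(out) < size:
        out += h
        h = hashlib.sha256(h).digest()
    return out[:size]


NOW = datetime(2024, 2, 8, 9, 0, tzinfo=timezone.utc)


def build_sample_backup() -> dict:
    """Constructed backup listing: two intact documents, two encrypted ones, one ransom note."""
    return {
        "finance/q4-report.pdf": (NOW - timedelta(hours=2), b"%PDF-1.7\n" + b"Revenue line item 1234\n" * 100),
        "hr/handbook.docx": (NOW - timedelta(hours=20), b"PK\x03\x04" + b"word/document.xml " * 50),
        "finance/q3-report.pdf.locked": (NOW - timedelta(hours=3), _pseudo_ciphertext(b"q3")),
        "ops/diagram.png": (NOW - timedelta(hours=3), _pseudo_ciphertext(b"diagram")),
        "README_RESTORE_FILES.txt": (NOW - timedelta(hours=3), b"All your files have been encrypted. Contact us to restore them.\n"),
    }


if __name__ == "__main__":
    report = triage_backup(build_sample_backup(), NOW, rpo_hours=24)
    for name, verdict in sorted(report["results"].items()):
        print(f"{verdict:12s} {name}")
    print("usable:", report["usable"], "| newest backup age (h):", report["newest_age_hours"])
```

On the constructed sample the restore point is within a 24-hour RPO but is not usable, because two files are encrypted and a ransom note is present; the same listing with only the intact documents comes back usable. Run it against an older restore point until one comes back clean, and treat "suspect" files as a reason to look closer, not as proof of encryption.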

Step 6: Activate Your Incident Response Plan (2 minutes)

If you have a documented plan (you should), activate it:

• Assign roles and responsibilities
• Set up communication channels
• Brief the response team
• Begin documentation

No plan? Keep following this guide—we'll get you through it.

Minutes 10-15: Begin Recovery

Step 7: Secure Clean Systems (3 minutes)

Protect what's not yet infected:

• Disable remote access (RDP, VPN) immediately
• Reset ALL admin and service-account passwords from a clean device; if Active Directory was compromised, also reset the krbtgt account twice, allowing replication between resets, so forged Kerberos tickets stop working
• Revoke active sessions and tokens, and enable MFA if not already active
• Segment the network to contain the attack

Ransomware operators harvest credentials to spread. Change them before they are used again, and assume any credential that was used on an infected host is already in the attacker's hands.

Step 8: Start Forensics Collection (2 minutes)

While specialists handle recovery, start gathering evidence:

• Screenshot ransom notes
• Copy ransom note files to a USB drive
• Document affected systems
• Preserve logs from unaffected systems, and export firewall, VPN, identity-provider and EDR logs before they rotate
• Note any suspicious activity from the past 2 weeks (new admin accounts, odd logins, disabled antivirus, large outbound transfers)

This evidence is critical for: Insurance claims, law enforcement, identifying attack vectors, preventing recurrence.

The Next 24 Hours: Full Recovery

Now that immediate crisis is contained, here's your recovery roadmap:

Hour 1-4: Assessment and Planning

• Complete forensic analysis to identify the ransomware variant
• Check haveibeenpwned.com for compromised credentials and review your identity provider's sign-in logs
• Review firewall, VPN and RDP gateway logs for the initial intrusion point: a burst of failed logins from an external address followed by a success is the classic pattern
• Map all affected systems and data
• Develop a detailed recovery plan with priorities
• Engage cyber insurance and legal counsel
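
Finding the initial intrusion point in edge logs is a pattern search, and the script below is an added example of it (not part of the original article or any vendor tool). It parses authentication records from a firewall or remote-access gateway, tracks failed logins per source address, and reports every successful login from an external address that was preceded by a burst of failures from the same source within a short window. The key=value log format, the RFC 1918 definition of "internal", the threshold of five failures in fifteen minutes and the sample lines are all assumptions constructed for the example; map your own firewall, VPN or RDP gateway export onto the parser.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format (assumption): one line per authentication attempt on the edge device.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) auth "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|failure) proto=(?P<proto>\S+)$"
)

# "Internal" here means RFC 1918 space; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line: str):
    """Return a dict for a well-formed auth record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return e


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_intrusion_candidates(lines, fail_threshold: int = 5, window: timedelta = timedelta(minutes=15)):
    """External successes preceded by >= fail_threshold failures from the same source
    within `window`: the brute-force / password-spray then login pattern."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    candidates = []
    for e in events:
        if e["result"] == "failure":
            failures[e["src"]].append((e["ts"], e["user"]))
            continue
        if is_internal(e["src"]):
            continue  # internal successes are normal here; endpoint telemetry covers them
        recent = [(t, u) for t, u in failures[e["src"]] if e["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            candidates.append({
                "time": e["ts"].isoformat(),
                "host": e["host"],
                "proto": e["proto"],
                "src": e["src"],
                "user": e["user"],
                "failures_before": len(recent),
                "distinct_users": len({u for _, u in recent}),  # >1 suggests a spray
            })
    return candidates


# Constructed sample: an RDP guessing run from a documentation-range address that lands
# on a service account, plus ordinary VPN activity and one malformed line.
SAMPLE_LOG = """\
2024-01-28T18:02:10Z fw-edge auth src=198.51.100.7 user=jsmith result=success proto=vpn
2024-01-29T02:14:07Z fw-edge auth src=203.0.113.45 user=administrator result=failure proto=rdp
2024-01-29T02:14:09Z fw-edge auth src=203.0.113.45 user=admin result=failure proto=rdp
2024-01-29T02:14:12Z fw-edge auth src=203.0.113.45 user=backup result=failure proto=rdp
2024-01-29T02:14:15Z fw-edge auth src=203.0.113.45 user=svc_backup result=failure proto=rdp
2024-01-29T02:14:18Z fw-edge auth src=203.0.113.45 user=it.admin result=failure proto=rdp
2024-01-29T02:14:21Z fw-edge auth src=203.0.113.45 user=svc_backup result=failure proto=rdp
2024-01-29T02:15:03Z fw-edge auth src=203.0.113.45 user=svc_backup result=success proto=rdp
2024-01-29T08:30:44Z fw-edge auth src=10.0.5.12 user=jsmith result=failure proto=vpn
2024-01-29T08:30:51Z fw-edge auth src=10.0.5.12 user=jsmith result=success proto=vpn
this line is not an auth record and is skipped
"""

if __name__ == "__main__":
    for c in find_intrusion_candidates(SAMPLE_LOG.splitlines()):
        print(f"{c['time']} {c['proto']} login as {c['user']} from {c['src']} "
              f"after {c['failures_before']} failures across {c['distinct_users']} usernames")
```

On the sample the only candidate is the svc_backup login from 203.0.113.45 at 02:15, following six failures across five usernames; the earlier external VPN login with no failures is not flagged. The first flagged event is your starting point for the timeline: pull everything that account did from that timestamp onward, and treat its credentials as burned.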

Hour 4-8: System Cleanup

• Wipe and rebuild infected systems from clean images
• Do NOT just "remove the ransomware"—rebuild completely
• Update all firmware and software
• Patch vulnerabilities that allowed initial access
• Implement additional security controls

Hour 8-16: Data Restoration

• Restore from immutable backups to clean systems, choosing a restore point from before the initial compromise, not just before encryption: attackers typically have days or weeks of dwell time, and last night's backup may bring their persistence back with your data
• Verify restored data integrity against hashes recorded at backup time, not just by spot-checking that files open
• Test critical applications
• Restore in priority order: critical systems first
• Maintain clean isolation until verification is complete
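
Integrity verification is only meaningful against a record made before the incident. The following is an added example, not code from the original article or any backup product, of the manifest approach: record a SHA-256 per file when the backup is taken and store that manifest alongside the data in the immutable repository, then after restoring compare the restored tree against it. The file contents and paths are constructed for the example.

```python
import hashlib
import json


def build_manifest(files: dict) -> str:
    """files maps path -> bytes. Returns a JSON manifest of SHA-256 digests to be stored
    next to the backup under the same immutability protection as the data itself."""
    digests = {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}
    return json.dumps(digests, indent=2, sort_keys=True)


def verify_restore(manifest_json: str, restored: dict) -> dict:
    """Compare a restored tree (path -> bytes) against the manifest.
    'modified' or 'missing' entries mean the restore cannot be trusted;
    'extra' files were not in the backup and need an explanation."""
    manifest = json.loads(manifest_json)
    modified = sorted(
        p for p, digest in manifest.items()
        if p in restored and hashlib.sha256(restored[p]).hexdigest() != digest
    )
    missing = sorted(p for p in manifest if p not in restored)
    extra = sorted(p for p in restored if p not in manifest)
    return {
        "ok": not (modified or missing or extra),
        "verified": len(manifest) - len(modified) - len(missing),
        "modified": modified,
        "missing": missing,
        "extra": extra,
    }


# Constructed sample: what was backed up, a faithful restore, and a restore that was
# tampered with (altered SQL dump, one file gone, a ransom note left behind).
SOURCE_FILES = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'Acme');\n",
    "docs/policy.pdf": b"%PDF-1.7\npolicy text\n",
    "config/app.ini": b"[db]\nhost=db01\n",
}
MANIFEST = build_manifest(SOURCE_FILES)
RESTORED_GOOD = dict(SOURCE_FILES)
RESTORED_BAD = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'Acme'); -- altered\n",
    "docs/policy.pdf": SOURCE_FILES["docs/policy.pdf"],
    "docs/README_RESTORE.txt": b"pay us\n",
}

if __name__ == "__main__":
    print(json.dumps(verify_restore(MANIFEST, RESTORED_GOOD)))
    print(json.dumps(verify_restore(MANIFEST, RESTORED_BAD)))
```

The faithful restore comes back ok with all three files verified; the tampered one reports the altered dump as modified, the ini file as missing and the note as extra. Anything other than ok means you restore again from a different point, not that you fix the differences by hand.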

Hour 16-24: Reconnection and Monitoring

• Gradually reconnect systems to network
• Monitor intensively for 48-72 hours
• Verify no persistence mechanisms remain
• Conduct user acceptance testing
• Brief stakeholders on status

Why 15 Minutes Matters

Ransomware can encrypt 100,000 files in under an hour, and the fastest families do it in minutes. In a large environment that is your databases, file servers and any reachable backups gone before the first meeting about it has finished.

Fast response stops the spread. Every minute you delay containment adds encrypted hosts, which means more rebuild time and more data lost since the last clean backup.

If You Don't Have Immutable Backups

This is the nightmare scenario. Your backups are encrypted too. Now what?

Option 1: Check for Decryptors
Visit NoMoreRansom.org—law enforcement and security companies have developed free decryptors for some ransomware variants. It's a long shot, but worth checking.

Option 2: Negotiate with Attackers
If you must pay, use professional ransomware negotiators working with your legal counsel and insurer. They often reduce the demand substantially, insist on a test decryption of sample files before any payment, and check whether the group is sanctioned (paying a sanctioned entity can itself be illegal). Even a working decryptor is frequently slow and may fail on some files, so plan a rebuild alongside it. Never negotiate directly; attackers prey on desperate businesses.

Option 3: Rebuild from Scratch
If data isn't life-critical or can be recreated, consider starting over. Clean slate, enhanced security, lessons learned. Some businesses choose this over funding criminals.

The harsh truth: Without backups, you're at the mercy of criminals. This is why backup immutability isn't optional anymore.

Prevention: The Best Recovery Plan

The best ransomware recovery plan is never needing one. Implement these NOW:

1. Immutable, Offsite Backups
Backups that cannot be encrypted, deleted or overwritten during their retention window, by anyone, including a compromised backup administrator: cloud object lock or WORM storage, with an offline or air-gapped copy, and a retention period longer than typical attacker dwell time. Test restores monthly, not just backup jobs. This single control makes ransomware a day of rebuilding instead of a business-ending disaster.

2. Multi-Factor Authentication
Enable MFA on everything, starting with remote access, email and backup consoles. Much ransomware enters through compromised credentials, and Microsoft has reported that MFA blocks over 99.9% of automated account-compromise attacks. Prefer phishing-resistant methods (FIDO2 keys or passkeys) for admins.

3. Network Segmentation
Don't run a flat network where ransomware can spread freely. Segment by department, function, and criticality. Contain the blast radius.

4. Endpoint Detection and Response (EDR)
Modern EDR stops ransomware before encryption starts. Behavioral analysis catches what signature-based tools miss.

5. Email Security
Phishing email remains one of the most common ransomware entry points, alongside exposed RDP/VPN and unpatched edge devices. Advanced filtering, attachment sandboxing and user training stop the email route at the door.

6. Patch Management
Attackers exploit known vulnerabilities. Automated patching closes those doors before they're breached.

7. Incident Response Plan
Document and drill your response. When chaos hits, training takes over, and teams that have rehearsed respond markedly faster than those working from a plan they have never read.

Your Recovery Checklist

Print this and keep it accessible:

☐ Immediately isolate infected systems
☐ Alert IT team, management, insurance
☐ Assess scope of infection
☐ DO NOT pay ransom immediately
☐ Check immutable backup status
☐ Activate incident response plan
☐ Secure uninfected systems
☐ Begin forensics collection
☐ Reset credentials from clean device
☐ Disable remote access
☐ Segment network
☐ Contact cyber insurance
☐ Engage incident response team
☐ Begin system rebuild and restoration
☐ Monitor for persistent threats

Ransomware recovery is stressful, expensive, and time-consuming. But with the right preparation—especially immutable backups—it's survivable. The businesses that fail are those caught unprepared. Don't be one of them.

Are You Prepared for Ransomware?

Get a free disaster recovery assessment. We'll test your backups, review your response plan, and identify gaps before attackers exploit them.

Schedule Assessment Today