Ransomware Recovery: What Actually Works
Prevention is better than cure. But sometimes prevention fails.
If ransomware encrypts your systems tomorrow, what do you actually do? This is the guide I wish more businesses had before they need it.
The First Hour
Don’t panic, but move quickly.
The decisions you make in the first hour shape everything that follows. Bad decisions here can make recovery harder, destroy evidence, or expose you to additional attacks.
Step 1: Disconnect affected systems
Unplug network cables. Disable WiFi. But don’t power off yet.
Why disconnect but not power off?
- Stops the ransomware spreading to other systems
- Preserves volatile memory evidence (useful for investigation)
- Keeps encrypted files in their current state (some decryptors need a specific system state)
Step 2: Don’t use compromised systems to communicate
If your email is hosted on affected systems, don’t use it to coordinate response. Attackers often monitor compromised email.
Use:
- Personal phones
- Personal email accounts
- Messaging apps (Signal, WhatsApp)
- Out-of-band communication
Step 3: Document what you see
Take photos of ransom notes on screens. Note which systems are affected. Record timestamps. This information matters for investigation and insurance.
Step 4: Identify the variant
Ransomware comes in many variants. Some have known decryptors. Some don’t.
Resources:
- ID Ransomware (id-ransomware.malwarehunterteam.com) - upload a ransom note or an encrypted file to identify the variant
- No More Ransom (nomoreransom.org) - free decryption tools for some variants
If a free decryptor exists, your situation just got much better.
The First Day
Assess the scope
- Which systems are encrypted?
- Which systems are unaffected?
- Is backup infrastructure affected?
- Can you confirm how attackers got in?
Notify the right people
Internal:
- Leadership
- IT team (or provider)
- Legal
External:
- Cyber insurance (immediately - most policies require prompt notification)
- ACSC via ReportCyber (cyber.gov.au/report)
- Your IT provider (if not already involved)
- Incident response firm (if you’re engaging one)
Do not:
- Contact attackers yet (unless you’re certain you need to negotiate)
- Attempt recovery without understanding scope
- Wipe systems without preserving evidence
- Announce publicly before you understand what happened
The Decision: Pay or Don’t Pay?
This is the hardest question. There’s no universally correct answer.
Arguments against paying:
- Funds criminal operations
- No guarantee you’ll get a working decryptor
- No guarantee attackers won’t return
- May be illegal (sanctions considerations)
- Encourages more ransomware attacks
Arguments for paying (why businesses sometimes do):
- Backups failed or don’t exist
- Recovery from backup would take too long
- Data loss would be catastrophic
- Attackers have stolen data they’ll publish otherwise
My advice:
Don’t decide yet. First, explore all options:
- Can you recover from backups?
- Is a free decryptor available?
- Can you accept the data loss and rebuild?
- What does your insurance say?
- What does your incident response team advise?
Only consider payment after exhausting alternatives.
If you do engage with attackers, let professionals handle it. Incident response firms and insurers have experience with negotiations. Amateurs often get worse outcomes.
Recovery Options
Option 1: Restore from backup
This is the ideal outcome. It requires:
- Backups that exist
- Backups that are recent enough
- Backups that weren’t encrypted by the ransomware
- Tested restore processes
The businesses that recover quickly are the ones with tested, isolated backups.
Option 2: Use a decryptor
Some ransomware variants have been cracked by security researchers. Check No More Ransom and ID Ransomware.
Even if a decryptor exists, the process can be slow. Decrypting thousands of files takes time.
Option 3: Rebuild from scratch
If you don’t have backups and no decryptor exists, you may need to rebuild systems from scratch and accept data loss.
This is expensive and painful but sometimes the only option.
Option 4: Pay and decrypt
If you pay (and I’m not recommending this), you’ll typically receive a decryption tool from the attackers. These tools are often poorly written and slow. Decryption may take days.
Even after paying, you need to:
- Rebuild infected systems (you can’t trust them)
- Identify and close the initial entry point
- Ensure no backdoors remain
- Address whatever weakness let attackers in
Paying doesn’t end the incident - it just gets your data back.
After Recovery: Don’t Repeat
Every ransomware incident is a learning opportunity (an expensive one).
Understand how they got in:
Common entry points:
- Phishing (compromised credentials)
- Exposed RDP or VPN
- Unpatched vulnerabilities
- Compromised managed service provider
If you don’t fix the entry point, you’ll get hit again. Attackers share access. You’re now a known target.
Fix what failed:
- If backups didn’t work, fix your backup strategy
- If MFA wasn’t enabled, enable it
- If patches were missing, implement patch automation
- If detection failed, improve monitoring
Improve detection:
Ransomware typically has a dwell time - attackers are in your network for days or weeks before deploying ransomware. Better detection might catch them earlier.
Document lessons learned:
What worked? What didn’t? What would you do differently? This documentation is valuable for preventing future incidents.
Insurance Considerations
Cyber insurance can be genuinely helpful in ransomware situations:
Coverage may include:
- Incident response costs
- Data recovery expenses
- Business interruption
- Legal and notification costs
- Ransom payment (policies vary)
- Public relations support
What you need to do:
- Notify promptly (within 24-48 hours typically)
- Use approved incident response vendors
- Document everything
- Follow their guidance on negotiations
What can go wrong:
- Late notification can void coverage
- Using non-approved vendors may not be covered
- Pre-existing vulnerabilities may be excluded
- Insufficient security controls may reduce coverage
Read your policy before an incident. Know who to call and what’s required.
Preparation Beats Recovery
Everything above is what to do when things go wrong. But preparation makes everything easier.
Essential preparations:
- Tested backups: Not just “we have backups” but “we’ve tested restoring from backups in the last month.”
- Incident response plan: Who makes decisions? Who do we call? How do we communicate? Written down, not improvised.
- Insurance: Cyber coverage with a clear understanding of what’s included.
- Relationships: IT provider, incident response firm, legal counsel - established before you need them.
- Essential Eight controls: Patching, MFA, backups, privilege management - the fundamentals that prevent most incidents.
The Role of Specialists
Ransomware incidents are complex. Having expert support matters.
Incident response firms: Handle containment, investigation, recovery, and negotiation if needed. Examples include CyberCX, Tesserent, ParaFlare.
Insurers: Provide access to approved IR firms, legal support, and sometimes negotiators.
IT providers: Handle technical recovery and system rebuilding.
Legal counsel: Advise on notification requirements, regulatory obligations, and liability.
For prevention and preparation, specialists like Team400 can help implement the controls that prevent ransomware from succeeding in the first place. Automated detection, proper backup verification, and continuous monitoring are all areas where AI-powered approaches can make a significant difference.
Australian Regulatory Considerations
Notifiable Data Breaches:
If ransomware involves access to personal information, you may have mandatory notification obligations under the Privacy Act. This applies if:
- Personal information is accessed or stolen
- There’s a likely risk of serious harm
Consult legal counsel on notification requirements.
Reporting to ACSC:
Report to ACSC via ReportCyber. This isn’t primarily for your benefit (though they may provide advice) - it helps Australia understand the threat landscape and potentially warn others.
Critical infrastructure:
If you’re in a critical infrastructure sector, additional reporting requirements may apply under the SOCI Act.
Tabletop Exercises
One of the most valuable preparations is a tabletop exercise: walk through a ransomware scenario with your team without an actual incident.
Discussion points:
- Who’s in charge?
- How do we communicate?
- Who can authorise spending?
- What’s our backup status?
- Who do we call first?
- How do we handle media inquiries?
The exercise reveals gaps in your planning while stakes are low.
AI consultants Sydney and similar firms can facilitate these exercises, bringing external perspective and experience from other incidents.
Final Thought
Ransomware recovery is hard. It’s stressful. It’s expensive. Decisions made under pressure have lasting consequences.
The best time to prepare is before an incident. Tested backups. Incident response plans. Insurance. Relationships with responders.
The second best time is now.
If you’re reading this during an actual incident: take a breath, follow the steps, and get professional help. It’s survivable.
If you’re reading this during calm times: use this as motivation to prepare. The businesses that recover quickly are the ones that prepared before they had to.
Preparation isn’t paranoia. It’s prudence.