Ransomware Recovery
If your organization suffered a ransomware attack tomorrow, how long would it take to get back to normal?
Most organizations set ambitious recovery targets for ransomware incidents, despite limited confidence in their ability to meet them. A 2024 survey commissioned by Cohesity highlights this gap between expectations and reality. Most respondents reported a recovery time objective (RTO) of one day, but only two percent believed they could actually meet that target. Nearly 20 percent expected to be fully operational within three days, yet many still opted to pay a ransom, suggesting they lacked confidence in their ability to recover, or tried and failed.
Ransomware recovery isn't as simple as restoring a backup. It involves a complex, chaotic, and time-consuming process, especially when the attack hits core IT infrastructure. If you serve on the board or hold executive responsibility for cybersecurity oversight, you need to recalibrate your expectations and start asking harder questions.
A professional acquaintance of mine went through this firsthand. A ransomware attack hit his college, and even with outside help, they needed nearly two weeks to restore critical systems. The college continued to deal with the residual effects of the incident long after initial containment. During that period, they invested heavily in recovery and experienced ongoing disruption, with multiple services still unavailable three months later.
Why Ransomware Recovery Is Different
Ransomware recovery poses a much greater challenge than typical IT incidents. It doesn’t just involve bringing systems back online. In many cases, the threat actor is still operating inside the environment. Restoring systems too soon can backfire if attackers reinfect or sabotage them.
The attack may also cripple the very teams responsible for recovery. If ransomware encrypts your IT department’s laptops and workstations, your most capable responders may lose access to the tools they need. Even basic tasks, like remote access or retrieving documentation, may become impossible without rebuilding critical infrastructure first.
Ransomware groups know how to maximize damage. They often search for and destroy backups before encrypting data. Many companies learn too late that their backups weren’t properly isolated, stored offline, or immutable. Even when backups survive, restored systems may rely on infrastructure that no longer functions. If the threat actor takes down your identity systems, storage arrays, or virtualization platforms, it can stall recovery.
Most of all, organizations underestimate the scale of the effort. Restoring a single system is routine. Rebuilding hundreds or thousands of systems, while working without full documentation or while locked out of administrator accounts, is a logistical and operational crisis. Many organizations simply don’t have the staffing or planning in place to manage that kind of recovery.
Organizations That Recover Well
Some companies recover from ransomware more effectively because they invest in resilience before a crisis occurs.
Resilient organizations approach recovery planning as an ongoing, evolving effort. They maintain a tested incident response and disaster recovery plan, review it at least annually, and rehearse their response through cross-functional tabletop exercises. These exercises give teams a chance to practice decision-making, escalation, and coordination before they face a real crisis. When possible, these organizations also conduct live recovery testing to confirm that they can restore critical systems under realistic conditions.
Resilient organizations design their exercises to reflect the full range of stakeholders involved in an actual incident. Management and executive sessions include participants from legal, communications, operations, and other business functions. Technical tabletop exercises involve the teams who lead the initial response—such as security, IT, or the SOC—and follow real-world escalation paths. These organizations also incorporate business users into recovery testing, so they can confirm whether restored systems are functioning properly.
They also build backup strategies that can withstand attack. Resilient organizations use isolated backups that cannot be directly accessed from the systems they protect. This might involve offline tape, segmented networks, or hardened cloud storage. They implement immutability controls that prevent even privileged administrators from deleting or altering backup data. If a system administrator can delete backups, then a threat actor who compromises the administrator’s account can do the same.
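One concrete form of the immutability control described above, as an added example that is not part of the original article: a Terraform definition of an AWS S3 backup bucket with Object Lock in compliance mode, which is the setting that stops even a privileged administrator (and therefore a threat actor holding that administrator's credentials) from deleting or shortening the retention of backup data. The bucket name and the 30-day retention period are assumed placeholders, and the snippet assumes the AWS provider v4 or later.

```hcl
# Added example (not from the article): an AWS S3 backup bucket whose
# objects cannot be deleted or altered before their retention expires,
# even by a privileged administrator. Bucket name and retention period
# are placeholders chosen for illustration.

resource "aws_s3_bucket" "backups" {
  bucket              = "example-immutable-backups"   # placeholder
  object_lock_enabled = true                          # can only be set at creation
}

# Object Lock requires versioning; a delete request then adds a delete
# marker instead of removing the locked object versions.
resource "aws_s3_bucket_versioning" "backups" {
  bucket = aws_s3_bucket.backups.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_object_lock_configuration" "backups" {
  bucket     = aws_s3_bucket.backups.id
  depends_on = [aws_s3_bucket_versioning.backups]

  rule {
    default_retention {
      # WEAK setting would be mode = "GOVERNANCE": any principal granted
      # s3:BypassGovernanceRetention (usually the storage administrators)
      # can still shorten the retention and delete backups, so a
      # compromised admin account defeats the protection.
      #
      # COMPLIANCE mode cannot be shortened or removed by any user,
      # including the account root user, until the retention period ends.
      mode = "COMPLIANCE"
      days = 30   # must cover the full backup rotation window
    }
  }
}
```

Compliance-mode retention cannot be undone once applied, so the retention period should be rehearsed on a non-production bucket before rollout. The lock only guarantees that stored backups survive; whether they restore correctly still has to be proven through the recovery testing described above.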
Preparation extends to third-party support as well. Resilient organizations establish relationships with outside experts before they are needed. They engage breach counsel, contract with incident response firms, and work with cyber insurance carriers to ensure alignment. They maintain retainers with their IR providers to guarantee a fast response. Without a retainer, companies often face delays, especially during surge events, when many organizations are under attack at once. And while there are many providers in the market, only a small number have the experience, tooling, and staff required to support large, complex incidents.
Other organizations can adopt these same practices, and boards play a critical role in making sure they do. The organization should review its incident response and disaster recovery plans regularly, conduct tabletop exercises at least once a year, and include key business functions when testing decision-making and communications. It should also have a standard in place for securing backups to ensure they are isolated and immutable. If the organization plans to rely on outside support during an incident—and most will—it should maintain a retainer and confirm that its preferred provider is approved by the cyber insurance carrier.
Boards don’t need to manage these details, but they should expect the organization to prepare. That includes maintaining up-to-date incident response and disaster recovery plans, exercising those plans regularly, and validating recovery procedures for critical systems and infrastructure.
Questions Board Members and Executives Should Be Asking
If you serve in an oversight role, you don’t need to know how to run the backup system or rebuild a domain controller. But you do need to challenge assumptions. Overconfidence is one of the most common failure points.
Ask questions like:
- How often do we test our incident response and disaster recovery plans? Have we done a full recovery exercise?
- Do we maintain up-to-date documentation of our critical infrastructure and dependencies? Could we rebuild if our documentation system went offline?
- Have we prioritized which systems and services must be restored first? What criteria guide that prioritization?
- How do we protect our backups from deletion or tampering if a threat actor gains access? What safeguards prevent that?
- Do we have multiple types of backup stored in different locations, including at least one that is isolated or immutable?
- If we had to recover from scratch, how long would it take, and do we have enough staff and support to do it?
Conclusion
Most organizations underestimate the difficulty of ransomware recovery because they underestimate its scale. They assume they’ll restore a few systems, not rebuild their entire IT environment without tools, documentation, or normal access.
As an executive or board member, you don’t need to execute the recovery yourself. But you do need to know whether your team could restore operations under stress, with limited tools, and without outside help, if necessary. You need to know whether they’ve ever practiced doing so.
Don’t wait for a crisis to discover that your recovery plan exists only on paper.