HOW-TO GUIDE | SECURITY OPERATIONS
Active Threat | 12 min read

Ransomware Recovery Plan: How to Respond and Recover Without Paying

46%: of organizations that pay the ransom recover all their data
80%: of payers are attacked again — often by the same group
$1.54M: average ransomware recovery cost in 2024 (excluding the ransom)
22 days: average business downtime after a ransomware attack

Ransomware incidents follow a predictable playbook: initial access via phishing or exposed RDP, lateral movement to discover and compromise backup systems, exfiltration of sensitive data for double-extortion leverage, and then encryption of as many systems as possible before detection. The recovery process is similarly structured — organizations that plan and practice recovery procedures before an incident recover faster and pay less often than those that encounter ransomware for the first time during a live crisis.

This guide covers the complete recovery lifecycle: immediate response actions in the first hours, the containment and investigation phase, backup-based recovery procedures, decryption options, regulatory obligations, and the architectural changes that reduce exposure to the next attack.

Immediate Response: The First 4 Hours

The first hours of a ransomware response determine whether the encryption spreads to additional systems or is contained. Speed and decision quality in this window matter more than any other factor.

First 30 minutes: Isolate affected systems immediately — disconnect from the network (physically if necessary) without powering off. Preserve evidence by leaving systems running; powering off destroys volatile memory that may contain encryption keys or attacker tooling. Alert your incident response team, legal counsel, and executive leadership. If you have an IR retainer, engage it now.

First 2 hours: Identify the blast radius — which systems are encrypted, which are still clean, which backups are intact or compromised. Check your most recent backup integrity before assuming recovery is possible. Preserve all logs from affected systems, network devices, and security tools before they rotate. Take forensic images of affected systems if resources allow. Identify patient zero and the initial access vector if possible.

First 4 hours: Make the containment decision — how much of the network do you isolate to stop spread versus keep operational for business continuity? Ransomware lateral movement often continues until fully detected, so default toward broader isolation if uncertain. Activate your business continuity plan for critical operations that cannot wait for full recovery.

Backup Integrity Validation and Recovery Decision

The first question that determines your recovery path is: are your backups intact? Sophisticated ransomware operators spend weeks in your environment specifically to find, corrupt, or encrypt your backup infrastructure before triggering encryption on production systems. Assuming your backups are usable without verification is a common mistake.

Backup validation checklist:
  1. Identify your most recent clean backup — check timestamps and compare them with when you believe the initial compromise occurred.
  2. Verify backup integrity by attempting to restore a sample of files or a test system rather than trusting the backup catalog.
  3. Check whether backup software credentials were accessed or modified during the attacker's dwell time.
  4. Verify offline or immutable backups (tape, object-lock cloud storage, air-gapped systems) separately — these are the backups that ransomware operators cannot reach.

If backups are intact: Plan your recovery sequence (most critical systems first), validate your recovery time against your business continuity SLAs, and begin recovery from the cleanest backup environment you have — not from the compromised production environment.

If backups are compromised: Check the No More Ransom project for available decryption tools before considering payment. Engage your cyber insurance carrier and legal counsel before making any payment decisions.
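The two checks the checklist above hinges on, as an added example (not from the original guide): picking only snapshots that predate the estimated compromise, ranking immutable copies first, and proving a backup restores by hashing restored sample files against the manifest recorded at backup time instead of trusting the catalog. Snapshot names, dates, file paths and contents are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Snapshot:
    name: str
    taken: datetime
    immutable: bool  # tape, object-lock bucket or air-gapped copy

def select_clean_snapshots(snapshots, compromise_estimate, margin=timedelta(days=1)):
    """Snapshots taken before the estimated compromise minus a safety margin
    (dwell-time estimates are rarely exact), immutable copies first, then newest."""
    cutoff = compromise_estimate - margin
    clean = [s for s in snapshots if s.taken < cutoff]
    return sorted(clean, key=lambda s: (not s.immutable, -s.taken.timestamp()))

def verify_sample_restore(manifest, restored):
    """Hash restored sample files against the manifest recorded at backup time.
    A catalog entry proves nothing; a matching hash on restored bytes does."""
    report = {"ok": [], "mismatch": [], "missing": []}
    for path in sorted(manifest):
        if path not in restored:
            report["missing"].append(path)
        elif hashlib.sha256(restored[path]).hexdigest() == manifest[path]:
            report["ok"].append(path)
        else:
            report["mismatch"].append(path)
    return report

def backup_is_usable(report):
    """Recover only from a set whose whole sample restored byte-for-byte."""
    return not report["mismatch"] and not report["missing"]

# Constructed data: estimated first attacker access and the snapshots on hand.
COMPROMISE_ESTIMATE = datetime(2024, 6, 10)
SNAPSHOTS = [
    Snapshot("nightly-0612", datetime(2024, 6, 12), immutable=False),  # after compromise
    Snapshot("nightly-0609", datetime(2024, 6, 9), immutable=False),   # inside the margin
    Snapshot("nightly-0608", datetime(2024, 6, 8), immutable=False),
    Snapshot("weekly-0602-objlock", datetime(2024, 6, 2), immutable=True),
]
# Constructed manifest (path -> sha256 at backup time) and a restored sample in
# which one file came back altered and one did not come back at all.
ORIGINALS = {"finance/ledger.csv": b"2024-03-01,INV-1001,4200.00\n",
             "hr/roster.json": b'{"staff": 12}', "it/dc-config.xml": b"<config/>"}
MANIFEST = {p: hashlib.sha256(b).hexdigest() for p, b in ORIGINALS.items()}
RESTORED_SAMPLE = {"finance/ledger.csv": ORIGINALS["finance/ledger.csv"],
                   "hr/roster.json": b'{"staff": 12}\x00corrupted'}
```

Run `verify_sample_restore` on every candidate from `select_clean_snapshots` in order and recover from the first one `backup_is_usable` accepts.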

Decryption Options and the Ransom Payment Decision

Before considering a ransom payment, exhaust all decryption alternatives. The No More Ransom project (nomoreransom.org) maintains a database of free decryption tools for dozens of ransomware families. Ransomware variants with known decryptors include STOP/Djvu, REvil, Dharma, and many others. Check it first.

For novel ransomware families or when no decryptor is available: engage a specialist IR firm that may have insights or tools not publicly disclosed. Some firms (Emsisoft, Coveware, Mandiant) have developed private decryption capabilities for specific variants through law enforcement cooperation and ransomware group analysis.

If payment is under consideration: the decision requires legal counsel (OFAC sanctions prohibit payments to sanctioned ransomware groups including Conti, Evil Corp, and others — paying a sanctioned group creates federal legal exposure regardless of intent), your cyber insurance carrier (most policies have specific procedures that must be followed for ransom payments to remain covered), and executive/board authorization. Never pay without validating that the attacker actually has decryption capability — request a proof-of-decryption of a sample of non-sensitive files before any payment. Average ransom demands are routinely negotiable down 50–70% through intermediaries.

Recovery Sequencing and Rebuilding Securely

Recovery from backups requires more than restoring files — the environment was compromised, and restoration to the same architecture with the same vulnerabilities will result in reinfection, often within hours. Attackers frequently leave backdoors specifically for this purpose.

Secure recovery sequence:
  1. Rebuild core infrastructure first — domain controllers, DNS, authentication systems — from known-good backups or fresh installations with hardened configurations.
  2. Reset all credentials before bringing systems back online — every service account, every user account, every API key that existed during the attacker's dwell period.
  3. Restore data (not entire system images) where possible — restoring system images risks restoring the attacker's persistence mechanisms along with legitimate data.
  4. Validate each restored system against your baseline before reconnecting it to the network — endpoint security agents, patch levels, no unexpected startup items or scheduled tasks.
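Step 4 as a go/no-go check, added here as an example rather than taken from the guide: a restored host's scheduled tasks, services and autostart entries are diffed against a golden-image baseline, and a missing endpoint agent or an old build also blocks reconnection. Both inventories are constructed; the extra task and run-key names are invented, and the build strings are placeholders.

```python
from dataclasses import dataclass

@dataclass
class HostInventory:
    hostname: str
    scheduled_tasks: set
    services: set
    run_keys: set        # autostart entries
    edr_agent_running: bool
    patch_level: str     # OS build string, compared numerically

def parse_build(build):
    """'10.0.19045.4291' -> (10, 0, 19045, 4291) so builds compare as numbers."""
    return tuple(int(part) for part in build.split("."))

def validate_restored_host(host, baseline, minimum_patch):
    """Go/no-go for reconnecting a restored host: anything present on the host but
    absent from the golden baseline is a finding, as is a missing endpoint agent or
    a build older than the required patch level."""
    findings = []
    for category in ("scheduled_tasks", "services", "run_keys"):
        extra = sorted(getattr(host, category) - getattr(baseline, category))
        findings.extend(f"{category}: unexpected {item}" for item in extra)
    if not host.edr_agent_running:
        findings.append("edr: endpoint agent not running")
    if parse_build(host.patch_level) < parse_build(minimum_patch):
        findings.append(f"patch: {host.patch_level} is below required {minimum_patch}")
    return {"host": host.hostname, "reconnect": not findings, "findings": findings}

# Constructed golden-image baseline and a constructed inventory pulled from a host
# restored from a pre-incident image; the extra task and run key are invented names.
REQUIRED_PATCH = "10.0.19045.4291"
BASELINE = HostInventory(
    "golden-image",
    scheduled_tasks={"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    services={"WinDefend", "EventLog", "W32Time"},
    run_keys={"SecurityHealth"},
    edr_agent_running=True, patch_level=REQUIRED_PATCH)
RESTORED = HostInventory(
    "fileserver-01",
    scheduled_tasks={"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "\\Maintenance\\SyncHelper"},
    services={"WinDefend", "EventLog", "W32Time"},
    run_keys={"SecurityHealth", "UpdaterSvc"},
    edr_agent_running=False, patch_level="10.0.19045.3930")

if __name__ == "__main__":
    for line in validate_restored_host(RESTORED, BASELINE, REQUIRED_PATCH)["findings"]:
        print(line)
```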

For systems that cannot be restored from backup, clean installation is safer than disinfection. Ransomware operators routinely install multiple persistence mechanisms; attempting to identify and remove them all is less reliable than a clean rebuild. Rebuild from a hardened baseline image, not from your pre-incident standard build that may reflect years of configuration drift.

Regulatory Obligations and Post-Incident Hardening

Ransomware incidents that involve personal data exfiltration trigger breach notification obligations in most jurisdictions. GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach if the breach is likely to result in risk to individuals. US state laws vary — California, New York, and most other states have breach notification timelines ranging from 30 to 90 days. SEC rules (for public companies) require material cybersecurity incident disclosure within 4 business days.

Document the timeline of the incident from initial compromise to containment — this documentation is required for regulatory responses and litigation defense. Preserve all forensic evidence and logs. Engage privacy counsel as part of your incident response team from day one if personal data is potentially exposed.

Post-incident hardening priorities (based on most common ransomware entry and propagation paths): patch and disable RDP if not required, implement phishing-resistant MFA on all external-facing authentication, segment backup infrastructure to a network unreachable from workstations, implement network monitoring for lateral movement indicators, and review and restrict domain admin privileges to the minimum required accounts.
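For the lateral-movement monitoring item above, an added detection example (not from the guide): one (source host, account) pair reaching many distinct hosts over network or RDP logons inside a short window is the fan-out that precedes encryption. The events are constructed in the shape of Windows 4624 logon records (logon type 3 = network, 10 = RDP); hostnames, accounts and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events shaped like Windows 4624 logon records:
# (timestamp, source host, destination host, account, logon type); 3 = network, 10 = RDP.
EVENTS = [
    ("2024-06-11T02:01:10", "WS-0142", "FS-01", "svc_backup", 3),
    ("2024-06-11T02:01:42", "WS-0142", "FS-02", "svc_backup", 3),
    ("2024-06-11T02:02:05", "WS-0142", "BKP-01", "svc_backup", 10),
    ("2024-06-11T02:02:30", "WS-0142", "DC-01", "svc_backup", 3),
    ("2024-06-11T02:03:11", "WS-0142", "SQL-01", "svc_backup", 3),
    ("2024-06-11T02:04:59", "WS-0142", "APP-03", "svc_backup", 3),
    ("2024-06-11T09:00:00", "WS-0142", "WS-0142", "svc_backup", 2),  # local logon, ignored
    ("2024-06-11T09:15:00", "JUMP-01", "FS-01", "admin.jdoe", 10),   # routine admin work
    ("2024-06-11T10:40:00", "JUMP-01", "SQL-01", "admin.jdoe", 10),
]

def detect_fan_out(events, threshold=5, window=timedelta(minutes=10), logon_types=(3, 10)):
    """Alert on each (source host, account) pair that reaches `threshold` or more
    distinct hosts within `window` using network or RDP logons. A workstation
    driving a backup service account across servers at 2 a.m. is the pattern the
    text describes; two admin sessions from a jump host over an hour is not."""
    by_actor = defaultdict(list)
    for ts, src, dst, user, ltype in events:
        if ltype in logon_types and src != dst:
            by_actor[(src, user)].append((datetime.fromisoformat(ts), dst))
    alerts = []
    for (src, user), recs in by_actor.items():
        recs.sort()
        for i, (start, _) in enumerate(recs):
            dests = {d for t, d in recs[i:] if t - start <= window}
            if len(dests) >= threshold:
                alerts.append({"source": src, "account": user,
                               "first_seen": start.isoformat(),
                               "destinations": sorted(dests)})
                break  # one alert per actor is enough to trigger isolation
    return alerts

if __name__ == "__main__":
    for alert in detect_fan_out(EVENTS):
        print(f"{alert['source']} as {alert['account']} reached "
              f"{len(alert['destinations'])} hosts from {alert['first_seen']}")
```

Tune `threshold` and `window` against a baseline of your own admin and backup traffic; a backup server legitimately touches many hosts, which is why the pair is keyed on the source host as well as the account.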

The bottom line

Ransomware recovery without paying is achievable for organizations with intact, tested, offline backups. The organizations that recover fastest are those that practiced recovery before the incident — backup restoration drills and tabletop ransomware scenarios are not optional. If your backup strategy cannot survive a ransomware attack (no offline copies, no immutability, backups accessible from the same credentials as production), that gap is your highest-priority security investment before the next attack.

Frequently asked questions

Should I pay the ransom?

The decision requires legal counsel (OFAC sanctions may prohibit payment to specific groups), your cyber insurance carrier, and executive authorization. From a purely practical standpoint: 46% of organizations that pay recover all their data, 80% of payers are attacked again within a year, and payment does not prevent attackers from using exfiltrated data for extortion or sale. Exhaust free decryption options (No More Ransom project) and specialist IR firm assistance before considering payment.

How do ransomware groups typically access networks?

The most common initial access vectors are phishing emails with malicious attachments or links (approximately 40% of cases), exposed Remote Desktop Protocol (RDP) on internet-facing systems (approximately 30%), and exploitation of vulnerabilities in internet-facing software like VPNs, firewalls, and web applications (approximately 20%). The remaining 10% includes insider threats, supply chain compromises, and other vectors. Addressing these three vectors eliminates the majority of ransomware entry points.

How long does ransomware recovery take?

Average business downtime after a ransomware attack is 22 days, but this varies dramatically based on the scope of impact and backup integrity. Organizations with tested, offline backups for critical systems and documented recovery procedures recover in days rather than weeks. Organizations without prepared recovery plans, or whose backups were compromised, often face 3–6 weeks of partial operations followed by months of remediation work.

What is double extortion ransomware?

Double extortion is the practice of exfiltrating data before encrypting it, then threatening to publish the stolen data if the ransom is not paid. This approach (pioneered by Maze ransomware in 2019 and now standard practice) undermines the 'I have good backups so I do not need to pay' defense — even with perfect backups, organizations face data exposure risk if sensitive data was exfiltrated during the attacker's dwell period. This is why detecting and evicting attackers during the pre-encryption dwell phase is critical.

Sources & references

  1. CISA Ransomware Guide
  2. No More Ransom Project
  3. FBI Ransomware Prevention and Response

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
