Ransomware Recovery: What to Do in the First 24 Hours
Posted: March 11, 2026 to Cybersecurity.
Ransomware recovery is the process of restoring business operations after a ransomware attack has encrypted files, disabled systems, or exfiltrated data. The first 24 hours after discovery are the most critical, determining whether the organization contains the damage to a manageable scope or suffers a full operational shutdown. According to the 2025 Sophos State of Ransomware Report, the median time to full recovery was 30 days for organizations that paid the ransom and 21 days for those that restored from backups, making the initial response decisions pivotal.
Key Takeaways
- The average ransomware payment in 2025 was $1.54 million, but total recovery costs including downtime, investigation, and remediation averaged $4.73 million
- Organizations with tested incident response plans recovered 62% faster than those without, according to IBM's 2025 Cost of a Data Breach report
- Paying the ransom does not guarantee recovery; 24% of organizations that paid received corrupted or incomplete decryption keys
- The first action is always isolation, never shutdown; powering off systems destroys volatile memory that forensic investigators need
- Reporting to law enforcement (FBI IC3, CISA) is required within 72 hours for critical infrastructure sectors and is strongly recommended for all organizations
Hour 0-1: Discovery and Initial Containment
Confirm the Attack
Not every suspicious file encryption is ransomware. Before mobilizing a full incident response, confirm the indicators:
- Multiple files with new, unusual extensions (.locked, .encrypted, .cryptXX)
- Ransom note files appearing on desktops or in directories (README.txt, DECRYPT_INSTRUCTIONS.html)
- Users reporting inability to open files
- Monitoring alerts showing mass file modification events
- Shadow copies or backup snapshots deleted
Once confirmed, declare an incident. Every minute of delay allows the ransomware to spread.
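The indicator checklist above, as an added triage example that is not part of the original article: it parses constructed file-system agent events and reports which hosts show mass renaming to a ransom extension, a dropped ransom note, or shadow copy deletion. The event format, the RENAME/CREATE/VSS_DELETE operation names, and the 20-renames-per-minute threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator classes follow the checklist above; event format and thresholds are assumptions.
RANSOM_EXT = re.compile(r"\.(locked|encrypted|crypt\w*)$", re.IGNORECASE)
RANSOM_NOTES = {"readme.txt", "decrypt_instructions.html"}
WINDOW = timedelta(seconds=60)   # sliding window for the mass-modification check
MASS_THRESHOLD = 20              # renames to a ransom extension per host within WINDOW

def parse(line):
    """Hypothetical agent event: '<iso-ts>Z <host> <user> <op> <path> [<newpath>]'."""
    ts, host, _user, op, *paths = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, op, paths

def triage(lines):
    """Map each host to the set of indicator classes seen in its events."""
    rename_times = defaultdict(list)
    findings = defaultdict(set)
    for line in lines:
        ts, host, op, paths = parse(line)
        if op == "RENAME" and len(paths) == 2 and RANSOM_EXT.search(paths[1]):
            rename_times[host].append(ts)
        elif op == "CREATE" and paths and paths[0].rsplit("/", 1)[-1].lower() in RANSOM_NOTES:
            findings[host].add("ransom_note")
        elif op == "VSS_DELETE":             # agent event for shadow copy / snapshot deletion
            findings[host].add("shadow_copies_deleted")
    for host, stamps in rename_times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):   # two-pointer sliding window over sorted times
            while ts - stamps[start] > WINDOW:
                start += 1
            if end - start + 1 >= MASS_THRESHOLD:
                findings[host].add("mass_encryption")
                break
    return dict(findings)

def confirmed_hosts(lines):
    """A host showing two or more independent indicator classes is treated as confirmed."""
    return sorted(h for h, f in triage(lines).items() if len(f) >= 2)

# Constructed sample: FS01 renames 25 files to .locked within 48 s, drops a note and
# deletes shadow copies; WS07 renames three files to .bak, which is benign.
def _at(sec):
    return (datetime(2026, 3, 10, 2, 14, 0) + timedelta(seconds=sec)).isoformat() + "Z"
SAMPLE = [f"{_at(2 * i)} FS01 svc_backup RENAME /share/fin/doc{i}.xlsx /share/fin/doc{i}.xlsx.locked" for i in range(25)]
SAMPLE += [f"{_at(50)} FS01 svc_backup CREATE /share/fin/README.txt",
           f"{_at(55)} FS01 svc_backup VSS_DELETE -"]
SAMPLE += [f"{_at(10 * i)} WS07 jdoe RENAME /home/jdoe/notes{i}.txt /home/jdoe/notes{i}.bak" for i in range(3)]

if __name__ == "__main__":
    print(triage(SAMPLE))
    print("confirmed:", confirmed_hosts(SAMPLE))
```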
Isolate Affected Systems
Disconnect, do not power off. This is the most important rule in ransomware response.
CORRECT: Pull the network cable. Disable WiFi. Remove from VLAN.
WRONG: Shut down the computer. Pull the power plug.
Why this matters: volatile memory (RAM) contains the encryption key in many ransomware variants. Forensic teams can extract this key from a running system. If you power off, that key is gone forever, and your only options become paying the ransom or restoring from backup.
Isolation steps in priority order:
- Disconnect the affected machine(s) from the network (unplug Ethernet, disable WiFi adapter)
- Isolate the network segment containing affected machines (disable switch ports or VLAN)
- Block the ransomware's command-and-control (C2) IP addresses at the firewall
- Disable any VPN connections to the affected network
- Take a memory dump of affected systems before any further action
```bash
# Linux: capture memory dump
# /dev/mem is restricted on modern kernels (CONFIG_STRICT_DEVMEM) and exposes at most the first MiB,
# so prefer a purpose-built acquisition tool such as AVML or LiME, run from removable media.
sudo dd if=/dev/mem of=/mnt/usb/memory-dump.img bs=1M
sudo ./avml /mnt/usb/memory-dump.lime   # AVML alternative; write to external storage, never to the affected disk
# Windows: use WinPMEM or Magnet RAM Capture
# Download and run from a USB drive - do NOT install on the affected system
winpmem_mini_x64.exe output.raw
```
Assess the Blast Radius
Before you can plan recovery, you need to know the scope. Quickly determine:
- How many systems are affected (endpoints, servers, backup infrastructure)
- Which data repositories have been encrypted
- Whether Active Directory/identity systems are compromised
- Whether backup systems are intact or also encrypted
- Whether data exfiltration occurred (check for large outbound data transfers in firewall logs)
Document everything. Timestamps, affected systems, observations. This documentation becomes critical for insurance claims, law enforcement reports, and compliance notifications.
Hour 1-4: Mobilize the Response Team
Activate Your Incident Response Plan
If you have a documented incident response plan (and you should; see our HIPAA Security Guide for requirements), activate it now. The plan should define:
- Incident Commander: One person who makes all decisions. No committee decisions during a crisis
- Communication Lead: One person who manages all internal and external communication
- Technical Lead: The most senior security/IT person available
- Legal Counsel: Either in-house or on retainer. They need to know immediately
If you do not have a plan, assign these roles now. Decision paralysis during ransomware response is the second-most common cause of excessive recovery time, after insufficient backups.
Notify Key Stakeholders
In order of priority:
- Executive leadership: CEO/owner needs to know within the first hour
- Legal counsel: Attorney-client privilege applies to investigation communications
- Cyber insurance carrier: Most policies have notification requirements within 24-72 hours; some require notification before taking any remediation action
- Digital forensics firm: Engage immediately if you do not have in-house forensics capability
- Law enforcement: FBI Internet Crime Complaint Center (IC3) at ic3.gov, local FBI field office, CISA at us-cert.cisa.gov
Do NOT Contact the Threat Actor Yet
Resist the impulse to respond to the ransom note. Every communication with the threat actor provides them with information about your situation, urgency level, and willingness to pay. Let your incident response team or negotiation specialist manage this if it becomes necessary.
Hour 4-8: Investigation and Assessment
Identify the Ransomware Variant
Knowing which ransomware variant hit you determines your options. Some variants have known decryption tools; others do not.
Free identification tools:
- ID Ransomware (id-ransomware.malwarehunterteam.com): Upload the ransom note and an encrypted file sample
- No More Ransom (nomoreransom.org): Law enforcement initiative with free decryptors for 150+ variants
- Emsisoft Decryptors: Free decryptors for dozens of variants
If a free decryptor exists, your recovery timeline just shortened dramatically. If not, you are deciding between backup restoration and ransom payment.
Determine the Attack Vector
Understanding how the attacker got in prevents reinfection. Common entry points in 2025-2026:
| Entry Vector | Frequency | Indicators |
|---|---|---|
| Phishing email | 36% | Mailbox analysis, user reports |
| Exploited vulnerability | 32% | Unpatched VPN, RDP, or web application |
| Stolen credentials | 19% | Dark web monitoring, authentication logs |
| Supply chain compromise | 8% | Vendor notification, software update logs |
| Insider threat | 5% | Access logs, behavioral anomalies |
Check these in order:
- RDP and VPN logs for unauthorized access
- Email gateway logs for phishing delivery
- Vulnerability scan results for unpatched systems
- Authentication logs for compromised credentials
- EDR/antivirus logs for malware delivery timeline
Assess Backup Integrity
This is the moment that determines your recovery path. Check each backup system:
- Are backup systems encrypted? Sophisticated ransomware targets backup infrastructure first. Check Veeam, Commvault, Proxmox Backup Server, cloud backup repositories
- Are offline/air-gapped backups available? Tape backups, disconnected USB drives, or immutable cloud storage (S3 Object Lock) cannot be encrypted by ransomware
- When was the last verified backup? A backup that has never been tested is not a backup. Verify restore capability before planning recovery around it
- How old are the clean backups? Ransomware may have been dormant for days or weeks before activating. You need backups from before the initial compromise, not just before encryption
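An added example (not the author's code) that applies the backup checks above to a constructed inventory: it discards encrypted and never-verified copies, keeps only snapshots taken before the estimated first compromise rather than before encryption, and then evaluates the 3-2-1-1 rule from the hardening section and FAQ over what remains, treating only COMPLIANCE-mode Object Lock or offline tape as immutable. The inventory, dates, field names and the one-day safety margin are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Backup:
    name: str
    taken: datetime            # snapshot time
    media: str                 # "disk", "tape", "s3", ...
    offsite: bool
    verified: bool             # a test restore of this copy has succeeded
    encrypted: bool            # repository was found encrypted by the ransomware
    lock_mode: Optional[str]   # S3 Object Lock mode: "COMPLIANCE", "GOVERNANCE" or None

def is_immutable(b: Backup) -> bool:
    # Offline tape, or Object Lock in COMPLIANCE mode, resists deletion even by an administrator.
    # GOVERNANCE retention can be lifted by a principal holding s3:BypassGovernanceRetention,
    # so it does not satisfy the "1 immutable" copy on its own.
    return b.media == "tape" or b.lock_mode == "COMPLIANCE"

def usable_restore_points(backups, first_compromise: datetime, margin=timedelta(days=1)):
    """Verified, unencrypted copies taken before the earliest attacker activity (minus a
    safety margin, since dwell time is usually an estimate), newest first."""
    cutoff = first_compromise - margin
    return sorted((b for b in backups if b.verified and not b.encrypted and b.taken < cutoff),
                  key=lambda b: b.taken, reverse=True)

def check_3_2_1_1(backups) -> dict:
    """Evaluate the 3-2-1-1 rule over a set of copies."""
    return {
        "3_copies": len(backups) >= 3,
        "2_media": len({b.media for b in backups}) >= 2,
        "1_offsite": any(b.offsite for b in backups),
        "1_immutable": any(is_immutable(b) for b in backups),
    }

# Constructed inventory: encryption fired on 2026-03-10, but the forensic timeline puts the
# first attacker activity on 2026-03-01, so anything newer than 2026-02-28 is suspect.
FIRST_COMPROMISE = datetime(2026, 3, 1)
INVENTORY = [
    Backup("veeam-local-2026-03-09", datetime(2026, 3, 9), "disk", False, True, True, None),
    Backup("s3-daily-2026-03-05", datetime(2026, 3, 5), "s3", True, True, False, "GOVERNANCE"),
    Backup("s3-weekly-2026-02-27", datetime(2026, 2, 27), "s3", True, True, False, "COMPLIANCE"),
    Backup("tape-monthly-2026-02-01", datetime(2026, 2, 1), "tape", True, False, False, None),
    Backup("offsite-disk-2026-02-25", datetime(2026, 2, 25), "disk", True, True, False, None),
]

def plan(inventory=INVENTORY, first_compromise=FIRST_COMPROMISE):
    points = usable_restore_points(inventory, first_compromise)
    return [b.name for b in points], check_3_2_1_1(points)

if __name__ == "__main__":
    names, rule = plan()
    print("restore candidates:", names)
    print("3-2-1-1 over usable copies:", rule)
```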
Hour 8-16: Decision Point
Option A: Restore from Backup (Recommended)
If clean, verified backups exist:
- Build a clean recovery environment (do not restore to compromised infrastructure)
- Restore Active Directory/identity services first
- Restore critical business systems in priority order
- Restore user data and endpoints last
- Verify each restored system for residual malware before connecting to the production network
Expected timeline: 3-7 days for critical systems, 2-4 weeks for full recovery
Option B: Negotiate and Pay (Last Resort)
The FBI's official position: do not pay. Paying funds criminal operations and provides no guarantee of recovery. However, some organizations face a pragmatic reality where the cost of extended downtime exceeds the ransom.
If paying is being considered:
- Engage a professional ransomware negotiator: They typically reduce the demanded amount by 40-60% and have experience validating decryption tools before full payment
- Verify proof of decryption: Request the attacker decrypt 2-3 files as proof before payment
- Prepare for partial recovery: Even after payment, expect 5-10% of files to be unrecoverable due to decryption errors
- Do not pay in the first 24 hours: Urgency benefits only the attacker. Negotiation windows typically last 5-10 days
Option C: Rebuild from Scratch
When backups are compromised and payment is not an option:
- Reinstall operating systems on clean hardware
- Redeploy applications from original installation media
- Accept data loss for any information not stored in unaffected systems
- Implement all security controls that were missing before rebuilding
This is the most painful option but sometimes the most appropriate, particularly when the original infrastructure was insufficiently hardened.
Hour 16-24: Recovery Begins
Communication Plan
Internal communication:
- All-hands email from the CEO explaining the situation, what is being done, and expected timeline
- Daily status updates at a fixed time (e.g., 5 PM)
- Clear point of contact for employee questions
- Instructions for alternative workflows during recovery (paper processes, personal devices, etc.)
External communication:
- Customer/client notification if their data was potentially affected
- Regulatory notifications per applicable requirements:
  - HIPAA: 60 days for breaches affecting 500+ individuals; "without unreasonable delay" for smaller breaches
  - CMMC: 72 hours to DIBCAC
  - State breach notification: varies by state, typically 30-60 days
  - GDPR: 72 hours to supervisory authority (if applicable)
What NOT to say publicly:
- Specific ransom amount
- Whether you paid or are considering paying
- Specific technical details of the vulnerability exploited
- Blame directed at any employee or vendor
Begin Forensic Investigation
Preserve all evidence before it is overwritten by recovery activities:
- Forensic images of affected systems (bit-for-bit copies)
- Firewall and proxy logs covering the past 90 days
- Email gateway logs
- Authentication/directory service logs
- EDR/antivirus detection logs and quarantine
- Network flow data
This evidence serves three purposes: determining the full scope of the breach, supporting insurance claims, and enabling law enforcement investigation.
Post-Incident: The Next 30 Days
Harden the Environment
Whatever vulnerability the attacker exploited must be closed before restoring production systems:
- Patch all systems to current levels
- Enforce MFA on every account, no exceptions
- Implement network segmentation between critical systems
- Deploy EDR on every endpoint
- Verify backup integrity and implement the 3-2-1-1 rule (3 copies, 2 media types, 1 offsite, 1 immutable)
- Review and restrict privileged access
- Implement DNS filtering to block known C2 infrastructure
Conduct a Post-Incident Review
Within 2 weeks of recovery, conduct a formal review:
- Timeline reconstruction: when did the attacker enter, how long were they present, what did they access
- Root cause analysis: what control failed that allowed the initial compromise
- Response effectiveness: what worked, what did not, what needs to change in the incident response plan
- Investment recommendations: specific technology, process, and staffing improvements
Update the Incident Response Plan
The plan should be a living document. Every incident teaches lessons that improve the next response.
Prevention Checklist
| Control | Implementation | Cost |
|---|---|---|
| Immutable backups (S3 Object Lock, air-gapped) | Required | $100-$500/month |
| EDR on all endpoints | Required | $3-$10/endpoint/month |
| MFA everywhere | Required | $3-$6/user/month |
| Network segmentation | Required | $0 (firewall rules) |
| Email security gateway | Required | $2-$5/user/month |
| Security awareness training | Required | $2-$4/user/month |
| Privileged access management | Strongly recommended | $5-$15/user/month |
| 24/7 SOC monitoring | Strongly recommended | $15-$30/user/month |
| Penetration testing (annual) | Strongly recommended | $5,000-$25,000/year |
| Incident response retainer | Recommended | $2,000-$10,000/year |
Get Expert Help Before the Attack
Petronella Technology Group provides ransomware preparedness services including digital forensics, incident response planning, and proactive ransomware protection for businesses of all sizes. Our team has responded to active ransomware incidents and helped organizations recover without paying the ransom.
As CMMC Registered Practitioners (RP-1372) with 23 years of cybersecurity experience, we build the layered defenses that stop ransomware before it executes. Prevention costs a fraction of recovery.
Call 919-348-4912 or visit petronellatech.com/contact/ for a ransomware readiness assessment.
About the Author: Craig Petronella is the CEO of Petronella Technology Group, Inc., with over 30 years of experience in cybersecurity and incident response. A CMMC Registered Practitioner (RP-1372), Craig has led ransomware recovery efforts for healthcare practices, law firms, and government contractors, and hosts the Petronella Technology Group podcast covering cybersecurity topics.
Frequently Asked Questions
Should I pay the ransomware demand?
Law enforcement agencies including the FBI consistently advise against paying. Paying funds criminal operations and does not guarantee recovery; 24% of organizations that paid in 2025 received non-functional decryption tools. However, some organizations face situations where critical data has no backup and the cost of permanent loss exceeds the ransom. If you are considering payment, engage a professional negotiator and your legal counsel first.
How long does ransomware recovery take?
Median recovery time is 21 days for organizations restoring from backups and 30 days for those that pay the ransom, according to the 2025 Sophos report. Critical systems can typically be restored in 3-7 days. Full recovery, including all data, applications, and hardening measures, takes 2-6 weeks.
Will cyber insurance cover the cost?
Most cyber insurance policies cover ransomware incidents, including ransom payments, forensic investigation, business interruption, and notification costs. However, coverage depends on your policy terms, and insurers are increasingly requiring evidence of basic security controls (MFA, EDR, backups) as conditions of coverage. Review your policy before an incident occurs.
Can we recover files without paying?
In many cases, yes. Free decryptors exist for 150+ ransomware variants through the No More Ransom project. If your variant has no free decryptor, restoration from backup is the primary alternative. Some forensic firms can extract encryption keys from system memory if the affected machines were not powered off.
Should I report the attack to law enforcement?
Yes. Reporting to the FBI (ic3.gov) and CISA (us-cert.cisa.gov) is strongly recommended for all organizations and legally required for critical infrastructure sectors. Law enforcement may have decryption keys, intelligence on the threat actor, or the ability to recover your data. Reporting also establishes a record for insurance claims.
How do I know if data was stolen before encryption?
Modern ransomware groups (BlackCat, LockBit, Cl0p) exfiltrate data before encrypting it, using the stolen data as additional leverage. Check firewall logs for unusual large outbound data transfers, DNS logs for connections to file-sharing services, and EDR logs for data staging activities. Forensic investigation is typically required to confirm or rule out exfiltration.
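Added example, not from the original article, implementing the firewall and DNS checks in this answer (and the exfiltration bullet under Assess the Blast Radius) over constructed log lines: per-host egress totals compared against a baseline, and DNS lookups matched against a file-sharing watchlist. The log formats, baselines, thresholds and watchlist domains are assumptions.

```python
import re
from collections import defaultdict

# Baselines, limits and the watchlist are constructed placeholders for this example.
BASELINE_BYTES = {"10.0.5.21": 200_000_000, "10.0.5.30": 150_000_000}  # typical daily egress per host
WATCHLIST = {"fileshare.example", "anon-upload.example"}               # file-sharing domains to watch
RATIO_LIMIT = 10.0            # flag egress at 10x the host's baseline
ABSOLUTE_LIMIT = 5 * 10**9    # or 5 GB regardless of baseline

FW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes_out=(\d+)")
DNS_RE = re.compile(r"client=(\S+) query=(\S+)")

def egress_by_host(fw_lines):
    """Sum bytes sent by each host to destinations outside 10/8 (internal range is an assumption)."""
    totals = defaultdict(int)
    for line in fw_lines:
        m = FW_RE.search(line)
        if m and not m.group(2).startswith("10."):
            totals[m.group(1)] += int(m.group(4))
    return totals

def filesharing_lookups(dns_lines):
    """Clients that resolved a watchlisted domain or any of its subdomains."""
    hits = defaultdict(set)
    for line in dns_lines:
        m = DNS_RE.search(line)
        if m:
            domain = m.group(2).rstrip(".").lower()
            if domain in WATCHLIST or ".".join(domain.split(".")[-2:]) in WATCHLIST:
                hits[m.group(1)].add(domain)
    return hits

def exfil_candidates(fw_lines, dns_lines):
    """Hosts whose egress volume or DNS activity matches the exfiltration pattern."""
    findings = {}
    totals, dns = egress_by_host(fw_lines), filesharing_lookups(dns_lines)
    for host in set(totals) | set(dns):
        reasons = {}
        out, base = totals.get(host, 0), BASELINE_BYTES.get(host)
        if out >= ABSOLUTE_LIMIT or (base and out / base >= RATIO_LIMIT):
            reasons["volume_anomaly"] = round(out / base, 1) if base else None
        if host in dns:
            reasons["file_sharing_lookup"] = sorted(dns[host])
        if reasons:
            findings[host] = reasons
    return findings

# Constructed logs: 10.0.5.21 pushes 6 GB out over TLS and resolves a watchlisted upload host;
# 10.0.5.30 moves 3 GB to an internal server (ignored) and 120 MB to the internet (normal).
FW_LOG = [f"2026-03-09T23:{m:02d}:00Z src=10.0.5.21 dst=198.51.100.7 dport=443 bytes_out=1000000000" for m in range(6)]
FW_LOG += ["2026-03-09T23:10:00Z src=10.0.5.30 dst=10.0.9.5 dport=445 bytes_out=3000000000",
           "2026-03-09T23:12:00Z src=10.0.5.30 dst=198.51.100.9 dport=443 bytes_out=120000000"]
DNS_LOG = ["2026-03-09T22:58:00Z client=10.0.5.21 query=upload.fileshare.example.",
           "2026-03-09T23:01:00Z client=10.0.5.30 query=update.vendor.example"]
```

Running `exfil_candidates(FW_LOG, DNS_LOG)` flags only 10.0.5.21, with both the volume ratio and the watchlisted lookup as reasons.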
What is the 3-2-1-1 backup rule?
The 3-2-1-1 rule requires: 3 copies of your data, on 2 different media types, with 1 copy offsite, and 1 copy immutable (cannot be modified or deleted even by administrators). Immutable backups are the single most important defense against ransomware because the attacker cannot encrypt or delete them.