The Attack That Paralyzed a Hospital System for 28 Days

In 2024, Ascension Healthcare — one of the largest health systems in the United States — was hit by the Black Basta ransomware group. The attack disrupted operations across 140 hospitals. Clinicians reverted to paper records. Ambulances were diverted. It took nearly a month to restore critical systems. If your organization doesn't have documented ransomware recovery steps, you're betting your entire operation on luck.

I've helped organizations walk through the aftermath of ransomware attacks — from small law firms to mid-size manufacturers. The pattern is always the same. Panic first. Then a scramble to figure out what happened. Then the gut-wrenching realization that backups are either missing, encrypted, or untested. This post gives you the specific, sequenced playbook I use when the worst happens.

Whether you're a security lead, IT director, or business owner, these steps apply. They're grounded in CISA's StopRansomware guidance and real incident response experience.

Step 1: Isolate Everything — Speed Beats Precision

The first minutes matter more than anything else. Every second a compromised machine stays on the network, the threat actor can move laterally, encrypt more endpoints, and exfiltrate data. I've seen cases where a 15-minute delay in isolation tripled the number of affected systems.

What Isolation Actually Looks Like

Disconnect affected machines from the network: pull Ethernet cables, disable Wi-Fi adapters, and kill any active VPN sessions. Do not power off the machines if you can avoid it. Forensic evidence (running processes, network connections, injected code) lives in memory, and you'll need it later. CISA's guidance is that powering a device down is the fallback only when you cannot get it off the network, because a reachable host that keeps encrypting does more damage than lost volatile evidence.

Segment your network if you can. If your switches support VLAN isolation, use it now. Disable inter-VLAN routing for affected segments. If you have a flat network with no segmentation — and many organizations do — you'll need to be more aggressive about pulling machines offline entirely.

Alert your entire IT team. No one should log into anything, least of all with a privileged account, until the scope is understood. Credential theft is a hallmark of modern ransomware: if the attacker has domain admin credentials, every interactive logon to a compromised host leaves fresh credentials in memory for them to harvest and makes things worse.

Step 2: Assess the Blast Radius

Once you've stopped the bleeding, figure out how far it spread. This is where most organizations underestimate the damage. They see ten encrypted machines and assume that's the scope. In my experience, the real number is usually three to five times what's initially visible.

Key Questions to Answer Immediately

  • Which systems show ransom notes or encrypted file extensions?
  • Are domain controllers compromised?
  • Did the attacker access backup repositories?
  • Is there evidence of data exfiltration (check outbound traffic logs)?
  • Which user accounts were compromised, and what privileges did they hold?

Check your Active Directory logs. Look for unusual service account activity, newly created accounts, additions to privileged groups, and group policy changes. Many ransomware operators deploy their payload through Group Policy (a scheduled task or startup script pushed by GPO runs the encryptor on every domain-joined machine at once), which makes it a devastatingly efficient distribution method.

Document everything. Timestamps, affected hostnames, IP addresses, ransom note text, encrypted file extensions. This information feeds your forensic investigation and any law enforcement reporting.
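The assessment above is a log-correlation problem, so here is an added example (my own code, not from the original post) that shows the mechanics: given exported Windows event records (the Security log's account-creation, privileged-group-add, GPO-modification and logon events, plus the System log's new-service event), it works out which accounts the attacker is operating and then lists every host those accounts touched, which is the real scope rather than the set of machines that happen to show a ransom note. The record layout, the host names, the GPO GUID and the whole timeline are constructed for the example; in practice you would feed it the parsed output of Get-WinEvent or a SIEM export.

```python
"""Estimate a ransomware blast radius from exported Windows event records.

Added example (not from the post).  Records mimic the fields you would pull
out of Get-WinEvent or a SIEM export: Security log 4720/4728/4732/4756/5136/
5137/4624 and System log 7045.  The events below are constructed.  `subject`
is the acting account (SubjectUserName, or the logged-on account for 4624).
"""
import json
from collections import defaultdict

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Schema Admins", "Backup Operators"}

# Constructed timeline: a backup service account is misused to create a new
# user, make it a domain admin, edit a GPO, then fan out with PsExec-style
# network logons.  Only FS01 and FS02 actually show ransom notes.
SAMPLE_EVENTS = [
    {"time": "2024-05-07T08:05:00", "id": 4624, "host": "WKS-042",
     "subject": "jdoe", "logon_type": 2},                        # benign desk logon
    {"time": "2024-05-07T22:14:03", "id": 4720, "host": "DC01",
     "subject": "svc_backup", "target": "helpdesk2"},            # account created
    {"time": "2024-05-07T22:15:40", "id": 4728, "host": "DC01",
     "subject": "svc_backup", "target": "helpdesk2",
     "group": "Domain Admins"},                                   # added to DA
    {"time": "2024-05-07T22:31:12", "id": 5136, "host": "DC01",
     "subject": "helpdesk2", "object_class": "groupPolicyContainer",
     "object": "CN={D1E3C4F2-9A1B-4C2D-8E3F-0A1B2C3D4E5F},CN=Policies,"
               "CN=System,DC=corp,DC=local"},                     # GPO edited
    {"time": "2024-05-07T23:02:01", "id": 4624, "host": "FS01",
     "subject": "helpdesk2", "logon_type": 3},                    # network logon
    {"time": "2024-05-07T23:02:09", "id": 7045, "host": "FS01",
     "subject": "helpdesk2", "service": "PSEXESVC"},              # new service
    {"time": "2024-05-07T23:05:30", "id": 4624, "host": "FS02",
     "subject": "helpdesk2", "logon_type": 3},
    {"time": "2024-05-07T23:07:12", "id": 4624, "host": "APP01",
     "subject": "helpdesk2", "logon_type": 3},
    {"time": "2024-05-07T23:09:44", "id": 4624, "host": "WKS-117",
     "subject": "svc_backup", "logon_type": 10},                  # RDP logon
]


def triage(events, visible_encrypted=frozenset()):
    """Return attacker-operated accounts, every host they touched, and the
    hosts that do NOT yet show encryption but are in scope anyway."""
    events = sorted(events, key=lambda e: e["time"])
    compromised = set()
    findings = defaultdict(list)
    for e in events:
        eid = e["id"]
        if eid == 4720:                                   # new account
            compromised |= {e["subject"], e["target"]}
            findings["new_accounts"].append((e["time"], e["target"], e["subject"]))
        elif eid in (4728, 4732, 4756) and e.get("group") in PRIVILEGED_GROUPS:
            compromised |= {e["subject"], e["target"]}    # privilege escalation
            findings["privileged_group_adds"].append(
                (e["time"], e["target"], e["group"], e["subject"]))
        elif eid in (5136, 5137) and e.get("object_class") == "groupPolicyContainer":
            compromised.add(e["subject"])                 # GPO tampering
            findings["gpo_changes"].append((e["time"], e["object"], e["subject"]))
        elif eid == 7045:                                 # service install (PsExec etc.)
            compromised.add(e["subject"])
            findings["new_services"].append((e["time"], e["host"], e["service"], e["subject"]))

    # Second pass: any host where a compromised account did anything is in
    # scope, whether or not it shows a ransom note yet.
    hosts = defaultdict(set)
    first_seen = None
    for e in events:
        if e["subject"] in compromised:
            hosts[e["host"]].add(e["subject"])
            first_seen = first_seen or e["time"]          # events are time-sorted
    return {
        "compromised_accounts": sorted(compromised),
        "in_scope_hosts": {h: sorted(a) for h, a in sorted(hosts.items())},
        "hidden_hosts": sorted(set(hosts) - set(visible_encrypted)),
        "first_attacker_activity": first_seen,
        "findings": dict(findings),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS, {"FS01", "FS02"}), indent=2))
```

On the constructed data, two hosts show ransom notes but five are in scope, and the first attacker action is over an hour before the first encryption-related logon. That gap is the window to search for in the real logs: the earliest timestamp a compromised account appears is your scoping boundary, and anything that account touched after it is suspect.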

Step 3: Report the Incident

Reporting isn't optional. If you handle any regulated data (health records, cardholder data, personal data), you likely have mandatory breach notification requirements. In the U.S., all 50 states have data breach notification laws, and HIPAA, PCI DSS, and state privacy laws each set their own timelines.

Report to the FBI's Internet Crime Complaint Center (IC3) and CISA. These agencies can provide threat intelligence specific to the ransomware variant you're dealing with. In several cases I've worked, the FBI had decryption keys available for the specific variant — keys the victims didn't know existed.

Contact your cyber insurance carrier immediately. Most policies have strict notification windows. Miss it, and your claim could be denied.

Step 4: Identify the Ransomware Variant

Knowing exactly what you're dealing with changes your recovery options dramatically. Upload a copy of the ransom note and a sample encrypted file (not sensitive data) to No More Ransom, a joint project from Europol and major security vendors. They maintain a database of decryption tools for known variants.

Check the file extensions on encrypted files. Ransomware families like LockBit, BlackCat (ALPHV), Royal, and Akira each use distinctive extensions and ransom note formats. Knowing the variant tells you about the threat actor's typical behavior — whether they exfiltrate data before encrypting, what their negotiation patterns look like, and whether decryption tools exist.

Step 5: Restore from Clean Backups — If They Exist

Here's the moment of truth. Your ransomware recovery steps are only as good as your backup strategy. The Verizon 2024 Data Breach Investigations Report found that ransomware was involved in 24% of all breaches. Yet when I audit organizations, roughly half have never tested a full restoration from backup.

Before You Restore Anything

Verify that your backups are clean. Attackers routinely compromise backup systems before triggering encryption. They'll lurk in your environment for days or weeks, identifying and poisoning backup repositories. If your backups run on the same network with the same credentials, assume they're compromised until proven otherwise.

Test your restore on an isolated system first. Bring up a single server in a sandboxed environment and confirm the data is intact and the system is functional. Only then proceed to broader restoration.
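Two of the checks above (Step 4's "what do the encrypted files and ransom notes look like" and this step's "prove the backup is clean before you restore it") can be scripted. Here is an added example, my own code rather than anything from the original post, that does both on a file tree: it finds ransom-note candidates by name, builds an extension histogram, flags files whose leading bytes have the near-8-bits-per-byte entropy of ciphertext (while exempting formats that are compressed by design, which would otherwise be false positives), records the earliest modification time of those files as a first estimate of when encryption started, and separately verifies a backup against a SHA-256 manifest that was taken when the backup was written. The directory, file names, note text and the ".locked" extension are all constructed for the example; the note-name hints and the entropy threshold are generic indicators, not a fingerprint for any particular family.

```python
"""Triage a file tree for ransomware artifacts and verify a backup set against
an offline hash manifest.

Added example, not from the post.  The tree is built in a temp directory so
it runs offline; the note-name hints and the entropy test are generic
indicators of encryption, not a fingerprint for any family.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

NOTE_HINTS = ("readme", "restore", "decrypt", "how_to", "recover", "ransom")
# Formats that are high-entropy by design; never flag them on entropy alone.
COMPRESSED_OK = {".zip", ".gz", ".7z", ".jpg", ".png", ".pdf", ".docx",
                 ".xlsx", ".pptx", ".mp4"}
EXPECTED = COMPRESSED_OK | {".txt", ".csv", ".sql", ".bak", ".log"}


def shannon_entropy(data):
    """Bits per byte; encrypted or compressed data sits near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def scan_tree(root, threshold=7.5, sample=4096):
    """Find ransom-note candidates, an extension histogram, files whose
    leading bytes look encrypted, and the earliest mtime among those files
    (a first approximation of when encryption started)."""
    notes, exts, encrypted, earliest = [], Counter(), [], None
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low.endswith((".txt", ".html", ".hta")) and any(h in low for h in NOTE_HINTS):
                notes.append(path)
                continue
            ext = os.path.splitext(name)[1].lower()
            exts[ext] += 1
            with open(path, "rb") as f:
                head = f.read(sample)
            if ext not in COMPRESSED_OK and len(head) >= 256 and shannon_entropy(head) >= threshold:
                encrypted.append(path)
                mtime = os.path.getmtime(path)
                earliest = mtime if earliest is None else min(earliest, mtime)
    return {
        "ransom_notes": notes,
        "extension_counts": dict(exts),
        "suspect_extensions": [e for e, _ in exts.most_common() if e not in EXPECTED],
        "high_entropy_files": encrypted,
        "earliest_encrypted_mtime": earliest,
    }


def build_manifest(root):
    """SHA-256 of every file keyed by relative path.  Take this when the backup
    is written and keep it where the backup credentials cannot reach
    (write-once media, a separate account), so a tampered backup cannot
    also carry a tampered manifest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            manifest[os.path.relpath(path, root)] = h.hexdigest()
    return manifest


def verify_backup(root, manifest):
    """Diff a backup (or restored) tree against the offline manifest."""
    now = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(now)),
        "modified": sorted(p for p in manifest if p in now and now[p] != manifest[p]),
        "unexpected": sorted(set(now) - set(manifest)),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: manifest taken on a clean tree, then one file is
    'encrypted' (random bytes, new extension) and a note is dropped."""
    root = tempfile.mkdtemp(prefix="ir-triage-")
    try:
        _write(root, "finance/q1.txt", b"Invoice 1042: paid\n" * 200)
        _write(root, "finance/q2.txt", b"Invoice 1043: open\n" * 200)
        _write(root, "photos/team.jpg", os.urandom(4096))   # legitimately high entropy
        manifest = build_manifest(root)                      # stored offline at backup time
        os.remove(os.path.join(root, "finance", "q2.txt"))
        _write(root, "finance/q2.txt.locked", os.urandom(4096))
        _write(root, "RESTORE-MY-FILES.txt", b"Your network has been encrypted.\n")
        return {"scan": scan_tree(root), "verify": verify_backup(root, manifest)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Point the scan at a mounted backup volume before you restore from it: a backup that contains ransom notes, a dominant unknown extension, or high-entropy files outside the compressed formats was taken after the attacker started encrypting, and the manifest diff tells you exactly which files differ from what was backed up. The manifest is only worth something if the account that writes backups cannot overwrite it.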

Restoration Priority Order

  • Identity systems: Active Directory, DNS, DHCP. Nothing works without these.
  • Communication systems: Email, messaging platforms. Your team needs to coordinate.
  • Critical business applications: ERP, patient records, financial systems — whatever generates revenue or keeps people safe.
  • Everything else: Workstations, secondary applications, file shares.

Rebuild rather than restore where possible. A fresh OS installation with data restored on top is cleaner than restoring an image that might contain persistence mechanisms you missed.

What If You Don't Have Usable Backups?

This is the nightmare scenario, and it happens more often than anyone admits. If your backups are encrypted, corrupted, or nonexistent, your options narrow considerably.

Paying the ransom is a business decision, not a security decision. The FBI advises against it because payment funds criminal operations and doesn't guarantee decryption. Organizations that pay frequently don't get all their data back, the criminal-supplied decryptor is often slow or buggy, and some victims are hit again within months because the attacker now knows they'll pay.

If you're considering payment, involve legal counsel, your insurance carrier, and law enforcement first. Make sure payment doesn't violate OFAC sanctions: the Treasury Department's ransomware advisory makes clear that paying a sanctioned threat actor group can expose you to civil penalties on a strict-liability basis, regardless of whether you knew who you were paying.

Step 6: Eradicate the Threat Actor Completely

Restoration without eradication is just setting the stage for round two. Before any recovered system touches your production network, you need to eliminate every foothold the attacker established.

Critical Eradication Actions

  • Reset ALL passwords, and do it only after the attacker's access has been cut off, or they simply harvest the new ones. Every user, every service account, every local admin (a tool like LAPS keeps local admin passwords unique), and the krbtgt account twice, with time for replication between the two resets, so that forged Kerberos tickets stop working.
  • Revoke and reissue all certificates and API keys.
  • Rebuild compromised domain controllers from scratch. Do not restore them from backup.
  • Remove any unauthorized remote access tools (AnyDesk, Splashtop, ngrok — threat actors love these).
  • Close the initial access vector that got them in. If it was phishing, that's a training problem and also an email filtering and MFA problem. If it was an unpatched VPN appliance, that's a patch management problem.
  • Enforce multi-factor authentication everywhere — especially on remote access, email, and admin consoles.

This is also when you implement — or strengthen — a zero trust architecture. The assumption that anything inside your perimeter is safe died years ago. Verify every connection, every time.

Step 7: Monitor Aggressively Post-Recovery

The 30 days after recovery are the highest-risk period. Threat actors frequently maintain secondary access mechanisms that survive initial remediation. I've seen attackers re-enter environments through web shells that went undetected during cleanup.

Deploy endpoint detection and response (EDR) on every recovered system. Increase logging verbosity. Monitor for the same indicators of compromise (IOCs) associated with your specific attacker. Watch for beaconing traffic, unusual DNS queries, and any new service installations.
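Two of the indicators in that paragraph, beaconing traffic and unusual DNS queries, are the kind of thing you can hunt for in exported logs rather than wait for an alert. Here is an added example (my own code, not from the original post) that runs two such detections over constructed log lines: it groups outbound connections by source host, destination and port and scores how regular the gaps between them are, since an implant checking in on a fixed timer has near-zero jitter where human browsing does not, and it counts the unique, long subdomains queried under each apex domain, the shape that DNS tunnelling and domain-generation C2 leave behind. The firewall export format, the host and IP values, the thresholds and the cdn-updates.example domain are all assumptions made for the example; the apex-domain split takes the last two labels, which is naive and should be a public-suffix lookup in real tooling.

```python
"""Post-recovery monitoring: flag beacon-like outbound connections and
DNS-tunnel-shaped query patterns in exported logs.

Added example, not from the post.  Both logs below are constructed; the
thresholds are starting points to tune against your own baseline.
"""
import hashlib
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed firewall export: time  src_host  dst_ip  dst_port  bytes_out
CONN_LOG = """
2024-06-03T10:00:00 WKS-117 203.0.113.10 443 1482
2024-06-03T10:01:02 WKS-117 203.0.113.10 443 1482
2024-06-03T10:01:59 WKS-117 203.0.113.10 443 1490
2024-06-03T10:03:01 WKS-117 203.0.113.10 443 1482
2024-06-03T10:04:00 WKS-117 203.0.113.10 443 1482
2024-06-03T10:05:03 WKS-117 203.0.113.10 443 1482
2024-06-03T10:05:58 WKS-117 203.0.113.10 443 1511
2024-06-03T10:07:01 WKS-117 203.0.113.10 443 1482
2024-06-03T10:00:00 WKS-042 198.51.100.7 443 52110
2024-06-03T10:00:05 WKS-042 198.51.100.7 443 812
2024-06-03T10:02:05 WKS-042 198.51.100.7 443 30411
2024-06-03T10:02:08 WKS-042 198.51.100.7 443 677
2024-06-03T10:17:08 WKS-042 198.51.100.7 443 91822
2024-06-03T10:17:48 WKS-042 198.51.100.7 443 4410
2024-06-03T10:45:00 WKS-042 198.51.100.7 443 20901
2024-06-03T10:45:01 WKS-042 198.51.100.7 443 1203
"""

# Constructed DNS query names: a dozen unique hex labels under one domain
# (tunnel/C2 shaped) mixed with ordinary SaaS lookups.
DNS_QUERIES = [f"{hashlib.sha1(str(i).encode()).hexdigest()[:28]}.cdn-updates.example"
               for i in range(12)] + [
    "www.microsoft.com", "login.microsoftonline.com", "outlook.office365.com",
    "www.microsoft.com", "teams.microsoft.com"]


def parse_conn_log(text):
    """Parse the constructed whitespace-separated export into tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return rows


def find_beacons(rows, min_hits=6, max_jitter=0.2):
    """A (src, dst, port) tuple with many hits and near-constant spacing is
    a beacon candidate.  Jitter = stdev/mean of the gaps; real C2 frameworks
    add randomised jitter, so treat a low score as a lead, not proof."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in rows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "port": port, "count": len(times),
                         "period_s": round(mean, 1), "jitter": round(jitter, 3)})
    return hits


def find_tunnel_candidates(qnames, min_unique=10, min_label_len=20):
    """Many unique, long subdomains under one apex is the shape of DNS
    tunnelling or domain-generation C2.  Apex = last two labels here, which
    is naive (co.uk etc.); use a public-suffix list in production."""
    subs = defaultdict(set)
    for q in qnames:
        labels = q.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue
        subs[".".join(labels[-2:])].add(".".join(labels[:-2]))
    out = []
    for apex, names in subs.items():
        mean_len = statistics.mean(len(n) for n in names)
        if len(names) >= min_unique and mean_len >= min_label_len:
            out.append({"domain": apex, "unique_subdomains": len(names),
                        "mean_label_len": round(mean_len, 1)})
    return out


if __name__ == "__main__":
    for b in find_beacons(parse_conn_log(CONN_LOG)):
        print("beacon candidate:", b)
    for t in find_tunnel_candidates(DNS_QUERIES):
        print("dns tunnel candidate:", t)
```

On the constructed data the WKS-117 connections come out with a period of about 60 seconds and jitter under 0.05, while the WKS-042 browsing pattern is nowhere near the threshold. Run this against the attacker's known infrastructure first (the IOCs from your variant identification), then against everything else; a new beacon from a host you have already rebuilt is exactly the secondary access the paragraph above warns about.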

Conduct a formal lessons-learned session within two weeks of recovery. Not a blame session — a structured review of what failed, what worked, and what changes are non-negotiable going forward.

How Long Does Ransomware Recovery Take?

For most mid-size organizations, full ransomware recovery takes between two and four weeks. That number assumes you have usable backups and a documented incident response plan. Without those, I've seen recovery stretch to three months or longer. The global average cost of a data breach reached $4.88 million in 2024 according to IBM's Cost of a Data Breach Report (that figure covers breaches of all causes, not ransomware alone), and lost business and downtime are a major component of that cost.

The organizations that recover fastest share three traits: they've tested their backups, they've trained their people, and they have a written plan that doesn't live exclusively in the head of one IT person.

The Recovery Step Most Organizations Skip: Training

Here's what kills me. After every ransomware incident I've helped with, the root cause conversation almost always circles back to the same thing — social engineering. A phishing email that someone clicked. A credential harvested from a fake login page. A vishing call that tricked someone into providing VPN credentials.

Your ransomware recovery steps are incomplete if they don't include preventing the next attack. And prevention starts with your people. Technical controls matter, but humans remain the primary attack vector.

Invest in ongoing cybersecurity awareness training for your entire organization. Make sure it covers real-world scenarios, not just compliance checkboxes. And run regular phishing simulations to test and reinforce your team's ability to spot attacks before they become incidents.

Security awareness isn't a one-time event. It's a continuous process that directly reduces your ransomware risk. The organizations that train consistently are the ones that catch phishing attempts before they become full-blown data breaches.

Your Ransomware Recovery Checklist

Pin this somewhere your incident response team can find it at 2 AM on a Saturday — because that's when these things always happen.

  • Isolate — Disconnect affected systems immediately. Don't power off.
  • Assess — Determine scope, compromised accounts, and affected data.
  • Report — Notify law enforcement, your insurance carrier, and legal counsel.
  • Identify — Determine the ransomware variant and check for existing decryptors.
  • Restore — Use verified clean backups. Test in isolation first.
  • Eradicate — Reset credentials, patch vulnerabilities, remove all attacker persistence.
  • Monitor — Increase detection sensitivity for at least 30 days post-recovery.
  • Train — Address the human element that let the attacker in.

Ransomware isn't going away. The threat actors are more organized, more patient, and more sophisticated than ever. But organizations that prepare — that document their ransomware recovery steps, test their backups, train their people, and practice their response — survive these attacks. The ones that don't prepare become cautionary tales.

Start building your resilience today. Not after the ransom note appears on your screen.