The Clock Starts the Moment You See the Ransom Note
In February 2024, Change Healthcare, one of the largest health payment processors in the United States, was hit by the ALPHV/BlackCat ransomware group. The attack disrupted pharmacy operations, delayed insurance claims, and exposed the health data of an estimated one-third of Americans. UnitedHealth Group reported $872 million in incident costs for the first quarter of 2024 alone and later put the full-year figure well above $2 billion. Its CEO testified that the intruders logged in with stolen credentials through a Citrix remote-access portal that had no multi-factor authentication. That is what it costs when recovery has to be improvised instead of rehearsed.
I've walked organizations through ransomware recovery more times than I'd like to count. The pattern is almost always the same: panic, confusion, and a frantic search for "what do we do now?" This post is the playbook I wish every IT team had taped to the wall before the worst day of their professional lives.
Whether you're a small business owner or a CISO at a mid-size enterprise, these ransomware recovery steps will help you move from chaos to control — fast.
Step 1: Isolate Every Infected System Immediately
Speed matters more than precision in the first minutes. Disconnect infected machines from the network: pull Ethernet cables, disable Wi-Fi adapters, drop VPN sessions, or use your EDR's host-isolation feature if it has one, which is far faster than walking to each desk. Disconnect rather than power off where you can. Volatile memory holds attacker tooling, and sometimes keys, that your IR firm will want, and CISA's guidance is to power a machine down only when you cannot isolate it. The goal is to stop lateral movement before the threat actor reaches your backup servers too.
I've seen organizations lose their entire domain controller infrastructure because someone spent 20 minutes "investigating" before isolating. Don't make that mistake. Isolate first, investigate second.
What Isolation Actually Looks Like
- Physically disconnect affected endpoints from wired and wireless networks.
- Disable compromised Active Directory accounts.
- Block known malicious IPs and domains at the firewall.
- Shut down file shares and pause cloud sync clients so encrypted files don't overwrite clean copies, and take backup repositories off the domain network.
If you have network segmentation in place — part of a zero trust architecture — containment is far easier. If you don't, this incident just became your strongest argument for implementing it.
Step 2: Assess the Blast Radius
Once you've contained the spread, figure out exactly what got hit. This means cataloging encrypted systems, identifying the ransomware variant, and determining whether data was exfiltrated — a hallmark of modern double-extortion attacks.
Check CISA's Stop Ransomware resource hub and the No More Ransom project to identify the variant; uploading the ransom note and an encrypted sample to No More Ransom's Crypto Sheriff or to ID Ransomware usually names the family. Some older strains have public decryptors. Most current ones don't, and running the wrong decryptor can damage files further, so only ever work on copies.
Key Questions to Answer During Assessment
- Which systems and data sets are encrypted?
- Are backups intact, or were they compromised too?
- Is there evidence of data exfiltration? Look for large outbound transfers to file-hosting services, rclone or MEGA client artifacts on hosts, unusual DNS query volumes or lengths, and archive files staged in odd directories shortly before encryption.
- What was the initial attack vector — phishing, exposed RDP, compromised credentials?
- Are any credential theft indicators present (credential dumping tools, Mimikatz artifacts)?
This assessment drives every decision that follows. Document everything. You'll need it for law enforcement, your insurer, and potential regulatory notifications.
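To make the exfiltration question concrete, here is an added example (mine, not part of the original post) of the two checks I run first against exported logs: a DNS tunnelling heuristic and a bulk-upload check. It assumes a simplified BIND-style query-log line and a src,dst,bytes flow CSV; the log lines and flow records are constructed for the example, and 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges, not real destinations.

```python
"""Exfiltration triage over constructed DNS query and flow logs.

Added example, not part of the original post. It assumes a simplified
BIND-style query-log line format and NetFlow-like CSV records; the sample
data below is constructed for the example, not captured traffic.
"""
from __future__ import annotations

import hashlib
import math
import re
from collections import defaultdict

_DNS_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def _registered_domain(qname: str) -> str:
    # Assumption: the last two labels approximate the registrable domain
    # (a public-suffix list would be needed for co.uk-style TLDs).
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def _entropy(text: str) -> float:
    """Shannon entropy in bits per character."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def dns_tunnel_suspects(lines, min_unique=20, min_label_len=12, min_entropy=3.0):
    """Return {(client_ip, domain): stats} for pairs that look like DNS tunnelling.

    Heuristic: many distinct subdomains of one registered domain from one client,
    with long, high-entropy leftmost labels. A busy CDN can trip the unique-count
    check on its own, which is why the label checks are required as well.
    """
    subs = defaultdict(set)
    txt_like = defaultdict(int)
    for line in lines:
        m = _DNS_RE.search(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".")
        domain = _registered_domain(qname)
        sub = qname[: -len(domain) - 1] if qname != domain else ""
        key = (m["ip"], domain)
        subs[key].add(sub)
        if m["qtype"] in ("TXT", "NULL", "CNAME"):
            txt_like[key] += 1  # record types that carry more payload than an A record
    suspects = {}
    for key, names in subs.items():
        first_labels = [n.split(".")[0] for n in names if n]
        if len(names) < min_unique or not first_labels:
            continue
        avg_len = sum(map(len, first_labels)) / len(first_labels)
        ent = _entropy("".join(first_labels))
        if avg_len >= min_label_len and ent >= min_entropy:
            suspects[key] = {"unique": len(names), "avg_label_len": round(avg_len, 1),
                             "entropy": round(ent, 2), "txt_like": txt_like[key]}
    return suspects


def bulk_outbound_suspects(flow_csv, internal_prefix="10.", threshold_bytes=500 * 1024 ** 2):
    """Sum bytes per (src, dst) from 'src,dst,bytes' records; flag large external uploads."""
    totals = defaultdict(int)
    for record in flow_csv.strip().splitlines()[1:]:
        src, dst, nbytes = record.split(",")
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            totals[(src, dst)] += int(nbytes)
    return {pair: total for pair, total in totals.items() if total >= threshold_bytes}


def constructed_dns_log():
    """Four ordinary lookups plus 40 hex-labelled TXT queries from one host (constructed)."""
    fmt = "12-Mar-2024 03:14:{:02d}.000 client {}#5{:04d}: query: {} IN {} +"
    lines = [fmt.format(i, "10.0.5.23", i, name, "A") for i, name in enumerate(
        ["login.microsoftonline.com", "outlook.office365.com", "www.example.org",
         "a1.akamaiedge.example"])]
    for i in range(40):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        lines.append(fmt.format(i % 60, "10.0.5.23", 100 + i,
                                f"{label}.cdn-updates.example", "TXT"))
    return lines


# Constructed flow records; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
CONSTRUCTED_FLOWS = """src,dst,bytes
10.0.5.23,203.0.113.77,734003200
10.0.5.23,203.0.113.77,52428800
10.0.7.10,10.0.9.5,4294967296
10.0.7.10,198.51.100.12,10485760
"""

if __name__ == "__main__":
    for key, stats in dns_tunnel_suspects(constructed_dns_log()).items():
        print("possible DNS tunnel:", key, stats)
    for (src, dst), total in bulk_outbound_suspects(CONSTRUCTED_FLOWS).items():
        print(f"bulk upload {src} -> {dst}: {total / 1024 ** 2:.0f} MiB")
```

The thresholds are starting points, not truth: tune min_unique against a week of clean logs, because CDNs and telemetry services generate many subdomains legitimately, and treat a hit as a lead to hand to the IR firm rather than proof of exfiltration.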
Step 3: Engage Your Incident Response Team and Notify Authorities
If you don't have an internal incident response team, and most small to mid-size organizations don't, now is when you call your retained IR firm or your cyber insurance carrier's hotline. Read the policy first: many carriers require you to notify them before engaging vendors and to use their panel firms, and they can decline costs incurred without approval. A good IR firm has done this hundreds of times and will accelerate your recovery.
Report the incident to the FBI's Internet Crime Complaint Center (IC3) or your local field office, and to CISA. This isn't just a formality. The FBI has clawed back ransom payments before (it recovered most of the bitcoin paid in the Colonial Pipeline case), and your report feeds intelligence that helps protect other organizations.
Depending on your industry and the data involved, you may have legal notification obligations: HIPAA breach notification, state breach laws, GDPR's 72-hour deadline if EU personal data is involved, or the SEC's rule that public companies disclose a material cyber incident on Form 8-K within four business days of determining it is material. Get legal counsel involved early; the clock on several of these starts at discovery, not at recovery.
Step 4: Restore from Clean Backups — If You Have Them
This is where preparation pays off — or where its absence devastates. The Verizon 2024 Data Breach Investigations Report found that ransomware or extortion was involved in 32% of all breaches. Yet I still encounter organizations with backup strategies that wouldn't survive a power outage, let alone a sophisticated threat actor.
Backup Recovery Best Practices
- Verify backup integrity before restoring. Attackers often sit in a network for weeks before detonating, and in that time they delete or encrypt backups, corrupt them quietly, or simply wait long enough that your most recent backups contain their backdoors. Check file hashes against a manifest written at backup time, and do a test restore before you trust a set.
- Restore to isolated, freshly built systems first. Rebuild operating systems rather than restoring them from images taken during the intrusion window, and confirm the restored systems are clean before reconnecting them to the production network.
- Prioritize critical business systems: email, ERP, customer-facing applications.
- If backups are compromised, consider professional data recovery services — but set realistic expectations.
The 3-2-1 backup rule still holds: three copies of your data, on two different media types, with one stored offsite or air-gapped. Add an immutable copy (object lock or write-once storage) that no domain admin credential can delete, and test restores on a schedule; a backup you have never restored from is a hypothesis, not a plan. If your organization wasn't following this, make it non-negotiable going forward.
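"Verify backup integrity" is easy to say and rarely defined. The added example below (my illustration, not the post's or any backup product's code) shows the minimum I'd want: a SHA-256 manifest written at backup time, authenticated with an HMAC whose key lives somewhere the backup host cannot reach, and a pre-restore check that reports modified, missing and unexpected files. The directory contents, the key and the tampering sequence in demo() are constructed for the example.

```python
"""Backup manifest creation and pre-restore verification (added example).

Not the post's own tooling. Assumes a directory-tree backup, a SHA-256
manifest written at backup time, and an HMAC key kept somewhere the backup
host cannot reach (for example the restore workstation or a vault), so that
an attacker who can rewrite the backup cannot also rewrite the manifest.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root and sign the sorted listing with HMAC-SHA256."""
    entries = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        entries[path.relative_to(root).as_posix()] = {
            "sha256": _sha256_file(path), "size": path.stat().st_size}
    payload = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return {"files": entries, "mac": hmac.new(key, payload, "sha256").hexdigest()}


def verify_backup(root: Path, manifest: dict, key: bytes) -> dict:
    """Return {'mac_ok', 'modified', 'missing', 'unexpected'} for the tree under root.

    mac_ok False means the manifest itself was altered or a different key was
    used: treat the whole backup set as untrusted, not just the listed files.
    """
    payload = json.dumps(manifest["files"], sort_keys=True, separators=(",", ":")).encode()
    mac_ok = hmac.compare_digest(
        hmac.new(key, payload, "sha256").hexdigest(), manifest["mac"])
    on_disk = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    modified = [n for n, meta in manifest["files"].items()
                if n in on_disk and _sha256_file(on_disk[n]) != meta["sha256"]]
    missing = [n for n in manifest["files"] if n not in on_disk]
    unexpected = sorted(n for n in on_disk if n not in manifest["files"])
    return {"mac_ok": mac_ok, "modified": modified, "missing": missing,
            "unexpected": unexpected}


def demo() -> dict:
    """Simulate a backup set tampered with after the manifest was taken (constructed)."""
    key = b"restore-workstation-only-key"  # assumption: never stored with the backup
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("acct,amount\n1001,42.00\n")
        (root / "hr.db").write_bytes(os.urandom(4096))
        manifest = build_manifest(root, key)
        before = verify_backup(root, manifest, key)
        # Attacker with access to the backup share: encrypts one file, deletes
        # another and drops a ransom note. The manifest is untouched.
        (root / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        (root / "hr.db").unlink()
        (root / "README_TO_RESTORE.txt").write_text("constructed note\n")
        after = verify_backup(root, manifest, key)
        # Attacker who can also rewrite the manifest still cannot forge the MAC.
        forged = json.loads(json.dumps(manifest))
        forged["files"]["finance/ledger.csv"]["sha256"] = "0" * 64
        forged_check = verify_backup(root, forged, key)
    return {"before": before, "after": after, "forged_mac_ok": forged_check["mac_ok"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A manifest that only lives next to the backup proves nothing, since whoever encrypts the backup can regenerate it; that is what the off-host key buys you. Immutable object storage gives a stronger version of the same guarantee, and this check is still worth running against it before you trust a restore.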
Should You Pay the Ransom?
This is the question everyone asks. Here's my direct answer: paying the ransom should be your absolute last resort. The FBI advises against it. Payment funds criminal operations, doesn't guarantee full decryption, and marks your organization as a willing payer — increasing the likelihood of a repeat attack.
That said, I've been in rooms where the alternative was shutting down a hospital or laying off an entire workforce. These decisions aren't made in a vacuum. If you're considering payment, involve legal counsel, law enforcement, and your IR team. Some payments may also violate OFAC sanctions, which carries its own legal risk.
Step 5: Eradicate the Threat Actor Completely
Restoring data without removing the attacker is like mopping the floor while the faucet is still running. Before any system goes back online, your team must identify and close every persistence mechanism the threat actor established.
Common Persistence Mechanisms to Hunt
- Rogue administrative accounts or modified group policies.
- Scheduled tasks and startup scripts that re-launch malware.
- Web shells on public-facing servers.
- Compromised service accounts with domain admin privileges.
- Remote access tools the attacker installed (AnyDesk, ScreenConnect, Atera and the like), which look like legitimate software to most tooling.
Reset every password in the domain. Every one. Reset the krbtgt account twice, with a replication interval between the resets, to invalidate forged Kerberos tickets; rotate local administrator, service account and machine-level secrets, plus any API keys the attacker could have read; and rebuild rather than clean any domain controller you cannot prove was untouched. Do the resets as you cut off the attacker's access, not before, or they will simply harvest the new credentials. Implement multi-factor authentication on all accounts, starting with privileged access. If MFA wasn't in place before, its absence was almost certainly part of the attack chain.
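Hunting the mechanisms above by hand across a fleet is slow. The added example below (mine, not the post's tooling) runs the hunt over an export of Windows event logs: account creations (4720), additions to privileged groups (4728, 4732, 4756), scheduled task creation (4698) and service installs (7045, 4697). It assumes the events were exported to JSON lines with the field names shown, which follow the events' own data names; the records are constructed for the example, not taken from a real incident.

```python
"""Persistence hunt over a constructed export of Windows event logs.

Added example, not the post's tooling. It assumes the logs were exported as
JSON lines with EventID plus the event's own data fields (TargetUserName,
MemberName, TaskName, TaskContent, ServiceName, ImagePath, SubjectUserName,
TimeCreated as ISO-8601). The records are constructed for this example.
"""
from __future__ import annotations

import json
import re

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Backup Operators"}
# Locations a service binary may legitimately live under; anything else gets a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")
# Locations a scheduled task should not be launching from.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp", "c:\\perflogs")
# Heuristic command-line indicators; expect some false positives and review by hand.
SCRIPT_INDICATORS = ("-enc", "-encodedcommand", "frombase64string", "invoke-expression",
                     "iex ", "downloadstring", "mshta", "rundll32")


def parse_jsonl(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _member_to_sam(member: str) -> str:
    """4728/4732 report the member as a DN ('CN=svc_backup2,CN=Users,...'); take the CN."""
    m = re.match(r"CN=([^,]+)", member, re.IGNORECASE)
    return m.group(1) if m else member


def hunt(records: list[dict], since: str) -> dict:
    """Flag privileged-group additions, odd scheduled tasks and odd services since `since`.

    Set `since` earlier than the first evidence of intrusion, not at detonation:
    persistence is usually planted days or weeks before encryption starts.
    """
    created, added = {}, []
    findings = {"new_privileged": [], "tasks": [], "services": []}
    for r in sorted(records, key=lambda rec: rec["TimeCreated"]):
        if r["TimeCreated"] < since:  # ISO-8601 strings compare chronologically
            continue
        eid = r["EventID"]
        if eid == 4720:  # user account created
            created[r["TargetUserName"].lower()] = r["TimeCreated"]
        elif eid in (4728, 4732, 4756) and r["TargetUserName"] in PRIVILEGED_GROUPS:
            added.append((_member_to_sam(r["MemberName"]).lower(),
                          r["TargetUserName"], r.get("SubjectUserName")))
        elif eid == 4698:  # scheduled task created; TaskContent is the task XML
            content = r["TaskContent"].lower()
            if any(p in content for p in USER_WRITABLE) or \
               any(i in content for i in SCRIPT_INDICATORS):
                findings["tasks"].append(r["TaskName"])
        elif eid in (7045, 4697):  # service installed
            path = r["ImagePath"].strip().strip('"').lower()
            if not path.startswith(TRUSTED_PREFIXES):
                findings["services"].append((r["ServiceName"], r["ImagePath"]))
    for sam, group, by in added:
        findings["new_privileged"].append(
            {"account": sam, "group": group, "by": by,
             # created and promoted inside the window: the classic rogue admin
             "created_in_window": sam in created})
    return findings


# Constructed records: one rogue admin, one encoded-PowerShell task, one odd service,
# alongside legitimate-looking noise and one pre-window group change.
CONSTRUCTED_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2024-03-11T22:41:09", "SubjectUserName": "jsmith",
     "TargetUserName": "svc_backup2"},
    {"EventID": 4728, "TimeCreated": "2024-03-11T22:41:40", "SubjectUserName": "jsmith",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=example"},
    {"EventID": 4728, "TimeCreated": "2024-03-04T09:02:00", "SubjectUserName": "itadmin",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=kwong,CN=Users,DC=corp,DC=example"},
    {"EventID": 4698, "TimeCreated": "2024-03-11T22:45:12",
     "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Sync",
     "TaskContent": "<Task><Actions><Exec><Command>powershell.exe</Command>"
                    "<Arguments>-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"
                    "</Arguments></Exec></Actions></Task>"},
    {"EventID": 4698, "TimeCreated": "2024-03-11T08:00:00", "TaskName": "\\Corp\\LogRotate",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Windows\\System32\\forfiles.exe"
                    "</Command></Exec></Actions></Task>"},
    {"EventID": 7045, "TimeCreated": "2024-03-11T22:50:03", "ServiceName": "WinDefendHelper",
     "ImagePath": "\"C:\\ProgramData\\Microsoft\\svchost.exe\" -k netsvcs"},
    {"EventID": 7045, "TimeCreated": "2024-03-11T09:00:00", "ServiceName": "Sense",
     "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""},
]


def constructed_export_jsonl() -> str:
    return "\n".join(json.dumps(e) for e in CONSTRUCTED_EVENTS)


if __name__ == "__main__":
    print(json.dumps(hunt(parse_jsonl(constructed_export_jsonl()),
                          since="2024-03-10T00:00:00"), indent=2))
```

The service and task checks are heuristics and will throw false positives on unusual but legitimate software, so treat that output as a review queue. The privileged-group check is the one to act on immediately: an account created and promoted to Domain Admins inside the window is almost never legitimate.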
Step 6: Harden Defenses to Prevent the Next Attack
Recovery isn't complete until you've addressed the root cause. Most ransomware infections I've investigated trace back to one of three entry points: phishing emails, exposed Remote Desktop Protocol, or unpatched vulnerabilities.
Post-Incident Hardening Checklist
- Deploy phishing simulation campaigns and ongoing security awareness training. Our phishing awareness training for organizations is built specifically for this purpose.
- Disable RDP on internet-facing systems or gate it behind a VPN with MFA.
- Patch critical vulnerabilities within 48 hours. CISA's Known Exploited Vulnerabilities (KEV) catalog is your priority list: every entry carries a remediation due date and a flag for known use in ransomware campaigns, which is exactly the ordering you want.
- Implement network segmentation and least-privilege access — core tenets of a zero trust model.
- Review and test your incident response plan quarterly.
The NIST Cybersecurity Framework provides an excellent structure for building a recovery and resilience program. If you haven't mapped your controls to it, start now.
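To turn the KEV catalog into an actual work list, here is an added example (mine, not CISA's or the post's) that joins scanner findings against the catalog's JSON schema and orders them by overdue status, CISA's ransomware-campaign flag, internet exposure and deadline, applying the 48-hour rule above to the urgent ones. In production you would fetch the catalog from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; here a small subset is embedded in that schema, with placeholder CVE IDs (CVE-0000-0001 and so on) and constructed scanner findings rather than real entries.

```python
"""Patch prioritisation from the CISA KEV catalog (added example, not the post's tooling).

The production feed is the JSON at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json;
this example embeds a constructed subset in that schema. The CVE identifiers
below are placeholders (CVE-0000-0001 and so on), not real catalog entries, and
the scanner findings are constructed as well.
"""
from __future__ import annotations

from datetime import date, timedelta

CONSTRUCTED_KEV = {
    "title": "constructed subset in the KEV JSON schema",
    "catalogVersion": "2024.03.12",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Edge VPN",
         "vulnerabilityName": "placeholder authentication bypass",
         "dateAdded": "2024-02-20", "dueDate": "2024-03-05",
         "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ERP Suite",
         "vulnerabilityName": "placeholder privilege escalation",
         "dateAdded": "2024-03-11", "dueDate": "2024-04-01",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "HR Portal",
         "vulnerabilityName": "placeholder remote code execution",
         "dateAdded": "2024-03-09", "dueDate": "2024-03-30",
         "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
    ],
}

# Constructed scanner output: the CVEs each host is exposed to and whether it faces the internet.
CONSTRUCTED_FINDINGS = [
    {"host": "vpn-edge-01", "cve": "CVE-0000-0001", "internet_facing": True},
    {"host": "erp-app-02", "cve": "CVE-0000-0002", "internet_facing": False},
    {"host": "hr-web-01", "cve": "CVE-0000-0003", "internet_facing": False},
    {"host": "dev-box-07", "cve": "CVE-0000-0004", "internet_facing": False},  # not in KEV
]


def prioritize(kev_feed: dict, findings: list[dict], today: date, sla_days: int = 2) -> list[dict]:
    """Order findings that appear in KEV into a work list.

    Rules, in order: anything past its CISA due date first, then entries CISA
    has tied to ransomware campaigns, then internet-facing hosts, then earliest
    deadline. Ransomware-linked or internet-facing items also get the post's
    48-hour (sla_days=2) deadline when that is sooner than CISA's date.
    """
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    plan = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue  # not known-exploited: leave to the normal patch cycle
        cisa_due = date.fromisoformat(entry["dueDate"])
        ransomware = entry["knownRansomwareCampaignUse"] == "Known"
        urgent = ransomware or f["internet_facing"]
        deadline = min(cisa_due, today + timedelta(days=sla_days)) if urgent else cisa_due
        plan.append({
            "host": f["host"], "cve": f["cve"], "product": entry["product"],
            "ransomware_linked": ransomware, "internet_facing": f["internet_facing"],
            "deadline": deadline.isoformat(), "overdue": deadline < today,
            "action": entry["requiredAction"],
        })
    plan.sort(key=lambda p: (not p["overdue"], not p["ransomware_linked"],
                             not p["internet_facing"], p["deadline"]))
    return plan


def demo_plan() -> list[dict]:
    """Run the prioritisation on the constructed data as of 2024-03-12."""
    return prioritize(CONSTRUCTED_KEV, CONSTRUCTED_FINDINGS, today=date(2024, 3, 12))


if __name__ == "__main__":
    for item in demo_plan():
        flag = "OVERDUE" if item["overdue"] else "due " + item["deadline"]
        print(f"{flag:>16}  {item['host']:<12} {item['cve']}  ransomware={item['ransomware_linked']}")
```

The point of the ordering is that KEV's own due dates are the floor, not the target: a ransomware-linked bug on an internet-facing box is the one that gets you re-encrypted, so it moves to the front regardless of what the catalog says.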
Why Security Awareness Is the Most Overlooked Recovery Step
Here's what actually happens in most ransomware incidents: someone in accounting clicked a link in a convincing social engineering email. The technical controls failed — or didn't exist — and the human was the last line of defense. That line broke.
Post-incident, organizations pour money into new tools. Endpoint detection, SIEM platforms, threat intelligence feeds. All valuable. But the single highest-ROI investment is training your people to recognize and report threats before they detonate.
I recommend starting with a comprehensive cybersecurity awareness training program that covers phishing, social engineering, credential hygiene, and incident reporting. Combine that with regular phishing simulations, and you'll measurably reduce your attack surface at the human layer.
Your Ransomware Recovery Steps at a Glance
- Isolate infected systems immediately to contain the spread.
- Assess which systems, data, and backups are affected.
- Engage incident response professionals and notify law enforcement.
- Restore from verified clean backups in an isolated environment.
- Eradicate all attacker persistence mechanisms and reset credentials.
- Harden defenses — patch, segment, enforce MFA, and train your people.
Ransomware recovery steps aren't theoretical. They're the difference between a two-week disruption and a company-ending event. I've seen both outcomes. The organizations that survive are the ones that prepared before the ransom note appeared on screen.
Build your playbook now. Test it. Train your people. Because the next data breach headline could easily be yours — unless you make it somebody else's problem by being the hardest target on the block.