How Do Companies Recover From Ransomware Attacks?

Companies recover from ransomware by isolating infected systems, restoring data from clean backups, and methodically rebuilding their network. The full process typically takes weeks, not days. As of 2022, the average downtime after a ransomware attack at U.S. organizations was 24 days, and the true cost extends well beyond any ransom demand to include lost revenue, remediation labor, legal exposure, and long-term security upgrades.

Isolate Systems Immediately

The first hours after discovering ransomware determine how much damage the company ultimately absorbs. Ransomware spreads laterally across networks, encrypting every system it can reach. The immediate priority is cutting off that movement. IT teams disconnect infected machines from the network, disable Wi-Fi, and sever connections between network segments. If the company runs industrial control systems or operational technology, those get isolated too.

This containment phase is messy and disruptive. It often means taking entire departments offline, shutting down email servers, and pulling the plug on customer-facing systems. But every minute of delay lets the malware encrypt more files. NIST’s ransomware framework emphasizes that immediate isolation is essential to minimize damage and prevent infection from jumping to other systems and networks.

During this window, the company also needs to determine the scope of the attack. Which systems are encrypted? Which are still clean? Has data been exfiltrated (copied out of the network), or was it only locked in place? Answering these questions shapes every decision that follows.

Investigate the Root Cause

Once the bleeding is stopped, forensic analysis begins. The goal is to figure out exactly how the attackers got in, what tools they used, and whether they left behind any backdoors that would let them return. Common entry points include phishing emails, unpatched software vulnerabilities, and compromised remote access credentials.

Forensics teams look for stolen credentials, persistence mechanisms (hidden software that lets attackers reconnect later), and signs of data theft. This investigation directly feeds the cleanup: if the attacker stole admin passwords, those get reset. If they planted additional malware beyond the ransomware itself, every instance needs to be found and removed. Skipping this step is how companies end up hit a second time weeks later.

Restore Data From Backups

For most companies, the real recovery path runs through backups, not through paying for a decryption key. The quality of those backups determines whether recovery takes days or months.

The gold standard is immutable backups, which are backup copies that cannot be modified, overwritten, or deleted for a set period, even by administrators. This matters because sophisticated ransomware operators specifically target backup systems. If they compromise an admin account and your backups are stored in a format that admins can delete, those backups get encrypted or wiped too. Immutable backups survive because the restriction is enforced at the storage layer rather than by account permissions:

  • Write Once, Read Many (WORM) storage: Data can be written once and then only read, never altered.
  • Object locking: Cloud storage providers offer features that lock individual files so they cannot be overwritten or deleted until the lock period expires.
  • Retention policies: Rules that prevent deletion until a defined retention window passes.

Traditional backups, by contrast, can be edited or deleted by anyone with admin permissions. If the attacker compromised those credentials, the backups are gone. Companies that maintained immutable, offline, or air-gapped backups can restore their systems to a clean state from before the attack. Companies without them face a much harder road: rebuilding systems from scratch, recovering partial data, or weighing the ransom payment option.
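The decision this section describes, which copies can be trusted once the attacker is known to have held admin access, can be written down as a check. The following is an added example, not code from the original article or from any backup product; the catalogue, zone names, dates and the attacker timeline are constructed placeholders, and the "delete" call only models the refusal an immutable store returns, it touches no real storage.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Storage classes the article describes as immutable; "traditional" is
# anything an administrator can overwrite or delete at will.
IMMUTABLE_STORAGE = {"worm", "object_lock", "retention"}


@dataclass(frozen=True)
class Backup:
    backup_id: str
    taken_at: datetime                   # when the copy was completed (UTC)
    storage: str                         # one of IMMUTABLE_STORAGE or "traditional"
    immutable_until: Optional[datetime]  # end of lock/retention window, None if none
    reachable_from_production: bool      # False for offline or air-gapped copies
    restore_tested: bool                 # has a trial restore ever succeeded?


class RetentionLockError(PermissionError):
    """Raised when a locked copy is asked to change before its window ends."""


def is_immutable_at(b: Backup, when: datetime) -> bool:
    """True if the copy could not be altered or deleted at `when`, by anyone."""
    return (b.storage in IMMUTABLE_STORAGE
            and b.immutable_until is not None
            and b.immutable_until > when)


def delete_backup(b: Backup, requested_at: datetime) -> bool:
    """Models the control an immutable store enforces: a delete request is
    refused until the lock expires, even from an administrator account.
    Returns True when the deletion would proceed (simulation only)."""
    if is_immutable_at(b, requested_at):
        raise RetentionLockError(
            f"{b.backup_id} is locked until {b.immutable_until.isoformat()}")
    return True


def classify(b: Backup, earliest_compromise: datetime, containment: datetime) -> str:
    """Decide whether a copy is a trustworthy restore point.

    earliest_compromise: first sign of attacker presence found by forensics.
    containment: when infected systems were cut off from the network.
    A copy qualifies only if it predates the attacker and could not have been
    tampered with during the whole window in which they held access.
    """
    if b.taken_at >= earliest_compromise:
        return "reject: taken after attacker presence began"
    if not b.reachable_from_production:
        return "candidate: offline or air-gapped copy"
    if is_immutable_at(b, containment):
        return "candidate: lock held for the whole compromise window"
    if b.storage in IMMUTABLE_STORAGE:
        return "reject: lock expired while the attacker still had access"
    return "reject: mutable copy reachable with admin credentials"


def restore_candidates(catalog: List[Backup], earliest_compromise: datetime,
                       containment: datetime) -> List[Backup]:
    """Trustworthy copies, newest first, so the least data is lost."""
    good = [b for b in catalog
            if classify(b, earliest_compromise, containment).startswith("candidate")]
    return sorted(good, key=lambda b: b.taken_at, reverse=True)


def data_loss_window(candidates: List[Backup],
                     earliest_compromise: datetime) -> Optional[timedelta]:
    """Time between the newest usable copy and the compromise: the work that
    must be reconstructed by other means. None if nothing is restorable."""
    if not candidates:
        return None
    return earliest_compromise - candidates[0].taken_at


def _utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed catalogue: hypothetical ids and dates, not from any real incident.
EARLIEST_COMPROMISE = _utc(2024, 4, 19, 13, 0)   # from the forensic timeline
CONTAINMENT = _utc(2024, 4, 21, 9, 0)             # when isolation was completed
CATALOG = [
    Backup("snap-0420", _utc(2024, 4, 20, 1, 0), "object_lock", _utc(2024, 5, 20), True, True),
    Backup("nightly-0418", _utc(2024, 4, 18, 2, 0), "traditional", None, True, True),
    Backup("objlock-0417", _utc(2024, 4, 17, 2, 0), "object_lock", _utc(2024, 5, 17), True, True),
    Backup("worm-0414", _utc(2024, 4, 14, 2, 0), "worm", _utc(2025, 4, 14), False, False),
    Backup("retention-0410", _utc(2024, 4, 10, 2, 0), "retention", _utc(2024, 4, 19), True, True),
]

if __name__ == "__main__":
    for b in CATALOG:
        print(f"{b.backup_id:15} {classify(b, EARLIEST_COMPROMISE, CONTAINMENT)}")
    cands = restore_candidates(CATALOG, EARLIEST_COMPROMISE, CONTAINMENT)
    print("restore from:", [b.backup_id for b in cands])
    print("data loss window:", data_loss_window(cands, EARLIEST_COMPROMISE))
    untested = [b.backup_id for b in cands if not b.restore_tested]
    if untested:
        print("warning: never trial-restored:", untested)
```

Two of the five constructed copies survive the check: the object-locked copy whose lock outlasts containment, and the offline WORM copy. The most recent copy is rejected because it was taken after the attacker was already inside, the traditional nightly copy because compromised admin credentials could have altered it, and the retention-policy copy because its window lapsed while the attacker still had access. The script also flags candidates that have never been trial-restored, since an untested copy is the other way a backup strategy fails on the day it is needed.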

Why Paying the Ransom Is Risky

Some companies, especially those without usable backups, consider paying the ransom to get a decryption key. This is unreliable for several reasons. Payment does not guarantee full data recovery. The decryption tools attackers provide are often buggy and slow, sometimes corrupting files during the process. Paying also does not guarantee clean systems or protection against a repeat attack. The attackers already have access to your network, and nothing about a payment removes their backdoors.

There are also legal risks. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) maintains sanctions against many cybercriminal groups. If a company pays a ransom to a sanctioned entity, even unknowingly, it can face civil penalties under the International Emergency Economic Powers Act. OFAC issued specific guidance on sanctions risks for facilitating ransomware payments, and the liability extends to the company, its executives, and any third-party negotiators or insurers involved in the transaction.

None of this means payment never happens. Companies facing existential threats to their operations sometimes conclude it is their least bad option. But security professionals and federal agencies consistently frame it as a last resort, not a recovery strategy.

Rebuild and Harden the Network

Restoring data is only part of recovery. The company also needs to rebuild the infrastructure that was compromised, and it needs to do so in a way that closes the vulnerability the attackers exploited in the first place.

This phase typically includes reimaging (wiping and reinstalling) affected servers and workstations, deploying updated endpoint detection tools, implementing network segmentation so a future breach cannot spread as easily, and enforcing multi-factor authentication across all remote access points. Password resets are standard for every account, not just the ones confirmed as compromised.

Companies also review and tighten their backup architecture during this phase. If the attack revealed that backups were reachable from the production network, the rebuild plan should include air-gapped or immutable backup solutions. If backup retention windows were too short, they get extended. The goal is to ensure that if another attack occurs, the recovery path is faster and more reliable.

Report the Incident

Federal reporting requirements for ransomware are evolving. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will require covered entities to report ransomware incidents and ransom payments to CISA, the federal Cybersecurity and Infrastructure Security Agency. The final rule establishing specific timelines and requirements is still being finalized, but CISA encourages all organizations to voluntarily report incidents now through cisa.gov/report.

Beyond federal rules, companies may face state-level breach notification requirements if personal data was exposed. Publicly traded companies also have SEC disclosure obligations for material cybersecurity incidents. And depending on the industry, sector-specific regulators in healthcare, financial services, and energy may impose their own notification timelines. Getting legal counsel involved early in the incident helps the company meet all applicable deadlines without accidentally waiving legal protections.

What the Full Timeline Looks Like

Recovery from ransomware is not a single event but a sequence that plays out over weeks. The first day or two focuses on containment: disconnecting systems, assembling the response team, and beginning forensic analysis. Over the following one to two weeks, the team works to identify the full scope of the breach, eradicate the attacker’s access, and begin restoring systems from backups.

The restoration itself can take another one to three weeks depending on the size of the organization and the volume of data involved. Some systems come back online quickly. Others, particularly those that were heavily encrypted or that lacked recent backup copies, take longer. During this period, the company is often running in a degraded state: some departments operating normally, others working with limited tools or manual processes.

Even after systems are restored, the hardening and monitoring phase continues for months. The company is watching closely for signs that the attacker retained access, testing the rebuilt security controls, and training employees on whatever entry point the attacker originally exploited. Full recovery, meaning the organization is back to normal operations with confidence in its security posture, commonly takes two to three months from the initial attack.

What Separates Fast Recoveries From Slow Ones

The single biggest factor in recovery speed is whether the company had tested, immutable backups stored separately from the production network. Organizations with this setup can begin restoring data within hours of containment. Organizations without it face weeks of negotiation, manual reconstruction, or permanent data loss.

The second factor is having an incident response plan that was written and practiced before the attack. Companies that have designated roles, communication templates, and pre-negotiated contracts with forensic investigators move faster than those assembling a response team for the first time under pressure. A tabletop exercise, where the team walks through a simulated ransomware scenario, costs almost nothing and dramatically compresses the initial confusion phase of a real incident.

The third factor is network segmentation. Companies with flat networks, where every system can communicate with every other system, tend to suffer organization-wide encryption. Companies that had segmented their networks into zones, limiting lateral movement, often find that the damage is contained to one department or one set of servers, making recovery far more manageable.
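Whether a network is "flat" in the sense used above can be measured before an incident from the zone-to-zone policy alone. The following is an added example, not code from the original article; it treats firewall rules at the level of named zones (the zone names and both policies are constructed placeholders) and computes the blast radius of a compromise in each zone by following allowed connection paths. It ignores whether any individual service in a reachable zone is actually exploitable, so it over-approximates, which is the right direction for a planning check.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

# A policy maps each zone to the zones its hosts may initiate connections into.
Policy = Dict[str, Set[str]]

# Constructed zones (hypothetical names).
ZONES = ["workstations", "file_servers", "erp", "backups", "ot"]

# Flat network: every zone may talk to every other zone.
FLAT: Policy = {z: set(ZONES) for z in ZONES}

# Segmented network: only the flows the business needs. The backup zone
# pulls from production, so nothing in production may initiate into it.
SEGMENTED: Policy = {
    "workstations": {"file_servers"},
    "file_servers": set(),
    "erp": {"file_servers"},
    "backups": {"file_servers", "erp"},
    "ot": set(),
}


def blast_radius(policy: Policy, start: str) -> Set[str]:
    """Zones reachable from `start` by chaining allowed connections
    (transitive closure by breadth-first search)."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in policy.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def audit(policy: Policy, protected: Tuple[str, ...] = ("backups",)) -> List[str]:
    """Findings a recovery planner would act on: zones from which a protected
    zone (backups by default) can be reached, and zones whose compromise
    would reach the entire network."""
    zones = set(policy) | {z for targets in policy.values() for z in targets}
    findings = []
    for zone in sorted(zones):
        reach = blast_radius(policy, zone)
        if len(zones) > 1 and reach == zones:
            findings.append(f"{zone}: flat network, a compromise here reaches every zone")
        for p in protected:
            if p != zone and p in reach:
                findings.append(f"{zone}: can reach protected zone {p}")
    return findings


if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"== {name} ==")
        print("blast radius from workstations:",
              sorted(blast_radius(policy, "workstations")))
        for f in audit(policy) or ["no findings"]:
            print(" ", f)
```

On the flat policy every zone's blast radius is the whole network and the backup zone is reachable from everywhere, which is exactly the situation the rebuild phase above is meant to eliminate. On the segmented policy a compromised workstation reaches only the file servers, and no production zone can initiate a connection into backups. Running the same audit against the rebuilt rule set is a quick way to confirm that the segmentation actually limits lateral movement rather than just existing on paper.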
