
Ransomware Recovery Checklist: What to Do When You Get Hit

Summit DNC Engineering | April 9, 2026 | 10 min read

No business plans to get ransomware, but every business should have a recovery plan. The median ransomware attack costs $200,000 in recovery expenses and 23 days of downtime. Here is what to do.

## Immediate Response (First 4 Hours)

### 1. Isolate Affected Systems

Disconnect infected machines from the network immediately:

- Unplug Ethernet cables
- Disable WiFi
- Do NOT power off (forensic evidence may be in memory)
- Isolate the affected VLAN at the switch level

### 2. Assess the Scope

Determine what was affected:

- Which systems show ransom notes or encrypted files?
- Which file shares are encrypted?
- Are backups accessible and unencrypted?
- Has the attacker moved laterally to other systems?

### 3. Notify Key Stakeholders

- Executive leadership
- Legal counsel (breach notification requirements)
- Cyber insurance carrier (most have 24-hour notification requirements)
- Law enforcement (FBI IC3 for reporting)

### 4. Preserve Evidence

- Screenshot ransom notes
- Document the timeline of discovery
- Capture network logs from firewalls and switches
- Do not communicate with the attacker yet

## Recovery Phase (Days 1-7)

### 5. Identify the Ransomware Variant

Use the ransom note text and encrypted file extensions to identify the variant:

- Check nomoreransom.org for available decryptors
- Engage a cybersecurity incident response firm if needed
- Some variants have known decryption tools, so paying may be unnecessary

### 6. Evaluate Backup Integrity

Check backups in this order:

- Air-gapped or offline backups (most reliable)
- Cloud backups with versioning
- Immutable backup storage
- Verify backups are from BEFORE the infection date
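A small triage script for steps 2 and 6, added here as an example and not part of Summit DNC's checklist: it estimates when encryption began from a share's file listing, reports the affected shares and ransom notes, and ranks backup snapshots that predate the infection in the order the step prescribes. The encrypted-file suffixes, ransom-note keywords and sample data are constructed, and the share-name extraction assumes paths of the form /shares/<name>/....

```python
"""Triage helper for steps 2 and 6 above (added example, not Summit DNC's code).
Estimates when encryption began from a share's file listing and ranks backup
snapshots that predate it: air-gapped, then cloud-versioned, then immutable."""
from datetime import datetime, timedelta

ENCRYPTED_SUFFIXES = (".locked", ".enc")  # assumption: suffixes seen in this incident
RANSOM_NOTE_MARKERS = ("readme", "decrypt", "restore")  # constructed keyword list
TIER_ORDER = {"air-gapped": 0, "cloud-versioned": 1, "immutable": 2}

def find_encrypted(listing):
    """(path, mtime) of files whose name carries one of the observed suffixes."""
    return [(p, t) for p, t in listing if p.lower().endswith(ENCRYPTED_SUFFIXES)]

def find_ransom_notes(listing):
    """Paths whose file name contains a typical ransom-note keyword."""
    return [p for p, _ in listing
            if any(m in p.rsplit("/", 1)[-1].lower() for m in RANSOM_NOTE_MARKERS)]

def affected_shares(listing):
    """Share names (second component under /shares) that hold encrypted files."""
    return sorted({p.split("/")[2] for p, _ in find_encrypted(listing)})

def estimate_infection_start(listing):
    """Earliest encrypted-file mtime: encryption began no later than this."""
    enc = find_encrypted(listing)
    return min(t for _, t in enc) if enc else None

def usable_backups(snapshots, infection_start, margin=timedelta(hours=1)):
    """Snapshots taken before infection_start minus a safety margin, best tier
    first and newest first within a tier; later snapshots may hold encrypted data."""
    cutoff = infection_start - margin
    ok = [s for s in snapshots if s["tier"] in TIER_ORDER and s["taken"] < cutoff]
    return sorted(ok, key=lambda s: (TIER_ORDER[s["tier"]], -s["taken"].timestamp()))

LISTING = [  # constructed sample: (path, last-modified time) from affected shares
    ("/shares/finance/q1.xlsx.locked", datetime(2026, 4, 7, 2, 14)),
    ("/shares/finance/README_TO_DECRYPT.txt", datetime(2026, 4, 7, 2, 16)),
    ("/shares/hr/policy.docx", datetime(2026, 3, 30, 9, 0)),
    ("/shares/hr/payroll.csv.locked", datetime(2026, 4, 7, 1, 58)),
]
SNAPSHOTS = [  # constructed sample backup inventory
    {"id": "tape-0406", "tier": "air-gapped", "taken": datetime(2026, 4, 6, 23, 0)},
    {"id": "cloud-0407", "tier": "cloud-versioned", "taken": datetime(2026, 4, 7, 3, 0)},
    {"id": "immut-0405", "tier": "immutable", "taken": datetime(2026, 4, 5, 23, 0)},
    {"id": "cloud-0405", "tier": "cloud-versioned", "taken": datetime(2026, 4, 5, 23, 30)},
]

if __name__ == "__main__":
    start = estimate_infection_start(LISTING)
    print(affected_shares(LISTING), start, [s["id"] for s in usable_backups(SNAPSHOTS, start)])
```

The post-infection cloud snapshot (cloud-0407) is dropped, and the air-gapped tape ranks first even though the immutable copy is older.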

### 7. Rebuild and Restore

- Rebuild systems from clean images (do not trust cleaned machines)
- Restore data from verified clean backups
- Apply all patches before reconnecting to the network
- Change ALL passwords (domain admin, service accounts, user accounts)

## Prevention (Post-Recovery)

### 8. Close the Entry Point

Most ransomware enters through:

- Phishing email with a malicious attachment or link
- Exposed RDP (Remote Desktop Protocol)
- Unpatched VPN appliances
- Compromised credentials from credential stuffing

### 9. Implement Defenses

- EDR/XDR on all endpoints
- Email security gateway with attachment sandboxing
- Disable RDP or restrict it to VPN-only access
- Network segmentation to limit lateral movement
- Immutable backups (cannot be deleted or encrypted by the attacker)

### 10. Test Your Recovery

Run a tabletop exercise every 6 months simulating a ransomware attack. Time how long it takes to detect, contain, and recover.

Summit DNC helps businesses implement ransomware-resistant infrastructure — from network segmentation and backup architecture to endpoint protection and disaster recovery planning.
