A ransomware attack is one of the most devastating events a UK business can experience. In the space of minutes, your files become encrypted, your systems become unusable, and a ransom demand appears on your screens, typically requesting payment in cryptocurrency in exchange for a decryption key that may or may not work. Increasingly, attackers also copy data out before encrypting it and threaten to publish it if the ransom is not paid, so restoring from backup alone does not end the incident. The UK's National Cyber Security Centre (NCSC) reports that ransomware remains the most significant cyber threat to UK businesses, with SMEs increasingly targeted because they often lack the security infrastructure and incident response capabilities of larger organisations.
If your business has been hit by ransomware — or if you want to prepare for the possibility — this guide provides a practical, step-by-step recovery framework. It covers immediate response actions, data restoration from backups, system rebuilding, and the crucial steps needed to prevent a recurrence. Throughout, we reference UK-specific guidance from the NCSC, the Information Commissioner's Office (ICO), and the National Crime Agency (NCA).
The most important message is this: ransomware is survivable. Businesses with proper backups and a tested recovery plan can be back up and running within hours or days. Those without can face weeks of downtime and, in the worst cases, permanent data loss that threatens the very survival of the business.
Immediate Response: The First 60 Minutes
The actions you take in the first hour after discovering a ransomware attack significantly influence your recovery outcome. Speed and discipline are essential — panic and ad hoc responses make the situation worse.
Step 1: Isolate Affected Systems
Immediately disconnect affected machines from the network: unplug Ethernet cables, disable Wi-Fi, and if possible isolate affected network segments at the switch or firewall. Ransomware spreads laterally, and every minute an infected machine stays connected gives it more opportunity to reach file shares, other workstations and the backup server. Do not shut down affected machines unless your incident response provider or insurer advises it: memory may hold encryption keys, the attacker's tooling and evidence of how they got in, all of which is lost on power-off. The exception is a machine that is still actively encrypting and cannot be disconnected quickly; in that case powering it off limits the damage and is the lesser evil. Either way, do not wipe or reimage anything until the evidence your insurer or forensic team needs has been captured.
Step 2: Assess the Scope
Determine how far the attack has spread. Which machines are displaying ransom notes? Which file shares have been encrypted? Are your backups accessible and intact? Is your email system affected? Is your phone system operational? Record the exact text of the ransom note and the extension appended to encrypted files, as these identify the variant, and look for signs that the attacker is still active, such as unfamiliar accounts, remote-access tools or newly encrypted files appearing. Document everything you observe, including timestamps; this information will be needed for incident reporting, your insurer and potentially law enforcement.
Step 3: Notify Key Stakeholders
Alert your IT support provider, your senior management team, and your cyber insurance provider (if you have one). If personal data may have been affected, your Data Protection Officer or the person responsible for GDPR compliance needs to be informed immediately, as the 72-hour window for notifying the ICO starts from the moment you become aware of the breach. Note that under UK GDPR a personal data breach includes loss of availability, so encrypted personal data is a breach even if nothing was stolen, and because many ransomware groups exfiltrate data before encrypting it, restoring from backup does not close the question of whether data has been compromised.
Both the NCSC and the NCA strongly advise against paying ransoms. Paying does not guarantee a working decryption key: industry surveys consistently find that a large share of organisations that pay do not recover all of their data, and criminal decryptors are often slow and unreliable. Payment also funds criminal organisations and marks your business as willing to pay, making you a target for future attacks. The ICO has stated that paying a ransom is not treated as a mitigation that reduces regulatory penalties. Furthermore, paying a ransom to a sanctioned group or individual breaches UK financial sanctions, and the Office of Financial Sanctions Implementation (OFSI) expects businesses to check before any payment is considered. The best defence against ransom demands is having reliable, tested backups that allow you to restore your data independently.
Phase 1: Containment and Assessment
Once the immediate crisis response is underway, the next phase focuses on fully containing the attack and understanding its impact.
Identify the Ransomware Variant
Knowing which ransomware variant has attacked you helps determine whether a free decryption tool exists. Upload the ransom note and a sample of encrypted files to the No More Ransom project (nomoreransom.org), an initiative supported by Europol and numerous security vendors. Free decryptors exist for some older or flawed variants and for groups whose keys have been seized or leaked; for current, well-implemented variants there is usually no shortcut, and backups remain the only reliable route. Identifying the group also tells you its typical behaviour, in particular whether it steals data before encrypting, which bears directly on your ICO obligations.
Verify Backup Integrity
Before you begin restoration, verify that your backups have not been compromised. Sophisticated ransomware attacks often target backup systems specifically, encrypting or deleting backups to eliminate the victim's ability to recover without paying. Attackers are frequently inside a network for days or weeks before encryption is triggered, so assume that any backup console reachable with the credentials the attacker held has been touched. Check your cloud backup repositories, offsite copies, and any air-gapped backups (media physically disconnected from the network), confirm that retention and immutability settings have not been altered, and test-restore a sample to an isolated machine rather than trusting the backup software's own status page.
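One way to make that check independent of the backup platform, as an added example rather than anything from this guide or a particular backup product: a SHA-256 manifest of the backup set, authenticated with an HMAC key that is assumed to be generated and kept offline (on paper or in a vault the backup server cannot reach). An attacker who can rewrite files on the backup server can also rewrite a plain checksum list, but cannot produce a valid MAC without the key. The sample backup files are constructed inline, and `build_manifest`, `verify_backup` and `demo` are names chosen for this example.

```python
"""Added example: tamper-evident backup manifest. Assumes the HMAC key is
generated and stored off the network, where a compromised backup server
cannot reach it."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_files(root: Path) -> Dict[str, Path]:
    # Relative POSIX-style names so the manifest is portable across platforms.
    return {p.relative_to(root).as_posix(): p for p in sorted(root.rglob("*")) if p.is_file()}


def _mac(files: Dict[str, str], key: bytes) -> str:
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root and authenticate the list with the offline key."""
    files = {rel: sha256_file(p) for rel, p in _relative_files(root).items()}
    return {"files": files, "mac": _mac(files, key)}


def verify_backup(root: Path, manifest: dict, key: bytes) -> Tuple[bool, List[str]]:
    """Return (ok, problems). The MAC is checked first: if it fails, the file
    list itself is untrusted and no per-file verdicts are reported."""
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest.get("mac", "")):
        return False, ["manifest MAC mismatch: manifest altered or wrong key"]
    present = _relative_files(root)
    problems = []
    for rel, digest in manifest["files"].items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(present[rel]) != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(set(present) - set(manifest["files"])):
        problems.append(f"unexpected: {rel}")  # e.g. a ransom note dropped into the backup
    return not problems, problems


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed backup set, then the changes a ransomware actor typically makes."""
    key = os.urandom(32)  # in practice generated once and kept offline
    root = Path(tempfile.mkdtemp(prefix="backup-"))
    (root / "db").mkdir()
    (root / "db" / "crm.sql").write_bytes(b"INSERT INTO customers VALUES (1,'Acme');\n" * 100)
    (root / "shares.tar").write_bytes(b"\x00" * 4096)
    manifest = build_manifest(root, key)
    results = {"pristine": verify_backup(root, manifest, key)}
    # Attacker encrypts one file in place, deletes another and drops a note.
    (root / "db" / "crm.sql").write_bytes(os.urandom(4000))
    (root / "shares.tar").unlink()
    (root / "HOW_TO_RECOVER.txt").write_text("pay us\n")
    results["tampered_files"] = verify_backup(root, manifest, key)
    # Attacker rewrites the manifest to match the tampered set, but has no key.
    forged = build_manifest(root, b"attacker-guess")
    results["forged_manifest"] = verify_backup(root, forged, key)
    return results


if __name__ == "__main__":
    for scenario, (ok, problems) in demo().items():
        print(f"{scenario}: {'OK' if ok else 'FAIL'} {problems}")
```

The manifest should be generated on a trusted host as part of each backup run and stored alongside the backup; the key never leaves the offline location, so the verifier is run from a clean machine during recovery, not from the backup server whose integrity is in question.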
Phase 2: Recovery and Restoration
With the attack contained and backups verified, the restoration process can begin. The approach depends on the extent of the damage and the type of backup infrastructure you have in place.
Server Recovery
For servers that have been encrypted, the safest approach is a complete rebuild from a known-good backup or a clean installation. Attempting to "clean" a ransomware infection without rebuilding risks leaving persistence mechanisms in place (new accounts, scheduled tasks, remote-access tools, web shells), allowing the attackers to re-encrypt your data or keep access for a future attack.
If you are using cloud-based backup solutions such as Veeam Cloud Connect, Datto, or Azure Backup, restoration typically involves provisioning a new server (or the same server after wiping) and restoring from the most recent clean backup point, meaning the last backup taken before the attacker gained access, not merely before encryption began. Because of the dwell time noted above, that point may be days or weeks earlier than the date on the ransom note, and finding it may require checking several snapshots. Bring restored servers up on an isolated recovery network, install EDR and all outstanding patches, and scan them before reconnecting to production.
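An added example, not part of the original guide, that supports both the scope assessment in Step 2 and the hunt for a clean restore point: a scan over a set of backup snapshots that flags ransom notes, files with appended extensions and files whose content has become high-entropy, then reports the newest snapshot that shows none of these. The indicator lists and the three sample snapshots are constructed assumptions; real note names and extensions vary by group, so extend the lists from the note you actually received. A snapshot with no indicators is necessary but not sufficient, since the attacker may already have been present, so treat the result as the latest candidate to investigate rather than proof of cleanliness.

```python
"""Added example: triage scan over backup snapshots. Indicator lists are
illustrative assumptions, not a signature database; extend them from the
ransom note and file extension you actually observe."""
import math
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}  # assumed examples
RANSOM_NOTE = re.compile(
    r"(how[-_ ]*to[-_ ]*(decrypt|recover|restore)"
    r"|(decrypt|recover|restore)[-_ ]*(my|your)?[-_ ]*(files|data))"
    r".*\.(txt|html?|hta)$", re.I)
# Formats that are legitimately near-random; skip the entropy test for them.
COMPRESSED_FORMATS = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf", ".docx", ".xlsx"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext approaches 8.0, text sits around 4-5
SAMPLE_BYTES = 65536
MIN_SIZE = 256


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte across the sample (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> Optional[str]:
    """Name the indicator a file matches, or None if it looks untouched."""
    suffix = path.suffix.lower()
    if RANSOM_NOTE.search(path.name):
        return "ransom_note"
    if suffix in SUSPECT_EXTENSIONS:
        return "suspect_extension"
    if suffix in COMPRESSED_FORMATS:
        return None
    try:
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
    except OSError:
        return None
    if len(head) >= MIN_SIZE and shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "high_entropy"  # content encrypted in place without a rename
    return None


def scan_tree(root: Path) -> dict:
    """Scan one snapshot: list (relative path, indicator, mtime) and the
    earliest mtime among hits, which approximates when encryption started."""
    findings = []
    for p in root.rglob("*"):
        if p.is_file():
            kind = classify(p)
            if kind:
                mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
                findings.append((p.relative_to(root).as_posix(), kind, mtime))
    return {"snapshot": root.name, "findings": findings,
            "earliest_mtime": min((f[2] for f in findings), default=None)}


def last_clean_snapshot(snapshots: List[Path]) -> Optional[Path]:
    """Snapshots ordered oldest to newest: return the newest one taken before
    the first snapshot showing indicators. Later snapshots are not trusted."""
    clean = None
    for snap in snapshots:
        if scan_tree(snap)["findings"]:
            break
        clean = snap
    return clean


ENCRYPTED_AT = datetime(2024, 5, 3, 2, 14, tzinfo=timezone.utc)  # constructed


def build_demo_snapshots() -> List[Path]:
    """Constructed sample: three nightly snapshots, the last one hit."""
    base = Path(tempfile.mkdtemp(prefix="snapshots-"))
    ledger = b"date,account,amount\n2024-05-01,sales,1200.00\n" * 40
    for day in ("2024-05-01", "2024-05-02", "2024-05-03"):
        d = base / f"snap_{day}" / "finance"
        d.mkdir(parents=True)
        (d / "logo.png").write_bytes(os.urandom(4096))  # high entropy, known format
        if day != "2024-05-03":
            (d / "ledger.csv").write_bytes(ledger)
    hit = base / "snap_2024-05-03" / "finance"
    (hit / "ledger.csv.locked").write_bytes(os.urandom(4096))  # renamed ciphertext stand-in
    (hit / "policy.txt").write_bytes(os.urandom(4096))         # encrypted in place, no rename
    (hit / "README_RESTORE_FILES.txt").write_text("All your files are encrypted.\n")
    ts = int(ENCRYPTED_AT.timestamp())
    for p in hit.iterdir():
        if p.name != "logo.png":
            os.utime(p, (ts, ts))
    return sorted(base.iterdir())


if __name__ == "__main__":
    snaps = build_demo_snapshots()
    for s in snaps:
        r = scan_tree(s)
        print(f"{r['snapshot']}: {len(r['findings'])} indicator(s), earliest {r['earliest_mtime']}")
        for rel, kind, _ in r["findings"]:
            print(f"  {kind:18} {rel}")
    clean = last_clean_snapshot(snaps)
    print("last clean snapshot:", clean.name if clean else "none")
```

The entropy test catches variants that encrypt in place without renaming, which an extension list alone misses; the skip list for compressed formats keeps legitimate images and archives from being reported, at the cost of missing encrypted files that kept such an extension.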
Workstation Recovery
For user workstations, the most efficient approach is usually to reimage the machine using your standard deployment image and then restore user data from backups. If you use Microsoft 365, most user data (email, OneDrive files, SharePoint documents) is already stored in the cloud and may be unaffected by the local infection. Check OneDrive version history and the SharePoint recycle bin; OneDrive's Files Restore feature can roll an entire OneDrive back to any point in the previous 30 days, and SharePoint document libraries offer the same through "Restore this library". Be aware that the OneDrive sync client will faithfully upload encrypted copies from an infected machine, so keep infected workstations disconnected and recover from version history rather than from the current files.
Recovery Priority Order
Not all systems are equally critical. Establish a recovery priority order and restore the most important systems first.
| Priority | Systems | Target Recovery Time |
|---|---|---|
| Critical | Active Directory / Microsoft Entra ID (formerly Azure AD), email, core line-of-business applications | 4–8 hours |
| High | File servers, accounting systems, CRM | 8–24 hours |
| Medium | User workstations, printers, secondary applications | 1–3 days |
| Low | Development systems, archives, non-essential services | 3–7 days |
Phase 3: Reporting and Compliance
UK businesses have specific legal obligations following a ransomware attack, particularly if personal data has been affected.
ICO Notification
Under UK GDPR, if the attack has resulted in a personal data breach that is likely to result in a risk to individuals' rights and freedoms, you must notify the ICO without undue delay and within 72 hours of becoming aware of it. The notification must include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address it. If you do not yet have all of the information, notify in phases rather than waiting. Where the risk to individuals is high, for example because their data has been stolen and may be published, you must also inform the individuals themselves without undue delay. Every breach, whether notified or not, must be recorded internally along with the reasoning, as the ICO can ask to see this record.
Law Enforcement Reporting
Report the attack to Action Fraud, the UK's national reporting centre for fraud and cybercrime, on 0300 123 2040 or via actionfraud.police.uk (in Scotland, report to Police Scotland on 101). Significant incidents should also be reported to the NCSC through its website, which can provide advice and, for the most serious cases, direct support; the National Crime Agency may become involved. Reporting helps law enforcement track ransomware groups and may assist in the eventual recovery of funds or the prosecution of attackers.
Recovery Best Practices
- Restore from verified clean backups, never from infected systems
- Rebuild servers from scratch rather than attempting to clean them
- Reset all credentials after the attack, not only user passwords: service accounts, local administrator passwords, API keys, VPN and cloud tokens, and existing sign-in sessions; in an Active Directory domain, reset the krbtgt account password twice, waiting for replication and the Kerberos ticket lifetime between resets, so that stolen tickets stop working
- Close the initial entry point (the unpatched service, exposed RDP or compromised account) before reconnecting anything
- Monitor recovered systems closely for at least 30 days, watching for new accounts, scheduled tasks, remote-access tools and logons from unfamiliar addresses
- Document everything for compliance and insurance purposes
Recovery Mistakes to Avoid
- Restoring from backups without verifying they are clean
- Reconnecting recovered systems to the network too quickly
- Failing to change passwords, allowing attackers to return
- Not identifying the initial entry point before resuming operations
- Paying the ransom without exhausting other recovery options
- Failing to notify the ICO within the 72-hour deadline
Phase 4: Prevention and Hardening
After recovery, the priority shifts to ensuring the attack cannot happen again. Most ransomware attacks exploit one of a small number of common entry points: phishing emails, unpatched software vulnerabilities, exposed remote access services (particularly RDP), and compromised credentials.
Address the specific weakness that enabled the attack first, then implement broader security improvements. Key measures include:
- Multi-factor authentication on all remote access and cloud services, with phishing-resistant methods for administrators where possible
- Removing RDP and other administrative services from the internet entirely; where remote access is needed, put it behind a VPN or zero-trust gateway with MFA
- Endpoint detection and response (EDR) on every device, including servers
- Prompt patching, prioritising internet-facing services such as VPN appliances, firewalls and mail gateways, which ransomware affiliates scan for within days of a vulnerability becoming public
- Reviewing and restricting administrative privileges: separate admin accounts, and no day-to-day work with domain admin rights
- Network segmentation to limit lateral movement, with backup infrastructure on its own segment
- Email filtering with advanced threat protection and blocking of executable attachments
- Regular phishing simulation and awareness training for all staff
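Two of those entry points, exposed RDP and compromised credentials, leave a clear trail in the Windows Security log, and the monitoring period after recovery is when you most need to watch for them. The following added example, which is not from this guide or any vendor product, runs two checks over constructed logon records in a simplified JSON-lines shape: a burst of failed logons (event ID 4625) from one address followed by a successful RDP logon (4624 with logon type 10), and any successful RDP logon from outside the internal ranges. The address ranges, the threshold and the sample records are assumptions for the example.

```python
"""Added example: detection logic for RDP brute force and RDP logons from the
internet, run over constructed Windows Security log records in a simplified
JSON-lines shape (not real event XML)."""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Assumptions for the example: the estate's internal ranges, a burst threshold
# tuned for a small site, and the window in which failures are counted.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPE = 10  # RemoteInteractive

# Constructed sample records: id 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOG = """
{"ts":"2024-05-03T01:50:00","id":4624,"user":"jsmith","ip":"192.168.1.20","type":10}
{"ts":"2024-05-03T01:51:00","id":4625,"user":"jsmith","ip":"192.168.1.55","type":10}
{"ts":"2024-05-03T01:51:20","id":4624,"user":"jsmith","ip":"192.168.1.55","type":10}
{"ts":"2024-05-03T01:55:00","id":4625,"user":"administrator","ip":"203.0.113.7","type":10}
{"ts":"2024-05-03T01:55:02","id":4625,"user":"administrator","ip":"203.0.113.7","type":10}
{"ts":"2024-05-03T01:55:04","id":4625,"user":"admin","ip":"203.0.113.7","type":10}
{"ts":"2024-05-03T01:55:06","id":4625,"user":"backup","ip":"203.0.113.7","type":10}
{"ts":"2024-05-03T01:55:08","id":4625,"user":"administrator","ip":"203.0.113.7","type":10}
{"ts":"2024-05-03T01:58:30","id":4624,"user":"administrator","ip":"203.0.113.7","type":10}
{"ts":"2024-05-03T03:10:00","id":4624,"user":"svc_backup","ip":"198.51.100.23","type":10}
{"ts":"2024-05-03T03:12:00","id":4624,"user":"svc_backup","ip":"198.51.100.23","type":3}
"""


def parse_events(text: str) -> List[dict]:
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _trim(q: Deque[datetime], now: datetime) -> None:
    # Drop failures that fell out of the sliding window.
    while q and now - q[0] > WINDOW:
        q.popleft()


def detect(events: List[dict]) -> List[dict]:
    """Per-source sliding-window failed-logon count; alert on an RDP success
    that follows a burst, and on any RDP success from outside the estate."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts = []
    for e in events:
        ip = e.get("ip", "")
        q = failures[ip]
        _trim(q, e["ts"])
        if e["id"] == 4625:
            q.append(e["ts"])
        elif e["id"] == 4624 and e.get("type") == RDP_LOGON_TYPE:
            reasons = []
            if len(q) >= FAIL_THRESHOLD:
                reasons.append("brute_force_success")
            if not is_internal(ip):
                reasons.append("rdp_from_internet")
            if reasons:
                alerts.append({"ts": e["ts"].isoformat(), "user": e["user"], "ip": ip,
                               "failures_before": len(q), "reasons": reasons})
    return alerts


def run_sample() -> List[dict]:
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The second alert in the sample, a successful RDP logon from an external address with no failures before it, is the pattern of a stolen or reused credential rather than a guessed one, which is why the external-address check is kept separate from the brute-force rule. Network logons (type 3) from the internet are deliberately outside this rule and would need their own.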
Consider pursuing Cyber Essentials certification if you have not already done so. Its five controls (firewalls, secure configuration, user access control, malware protection and security update management) cover the entry points ransomware most commonly uses, and the certification provides a framework for ongoing security maintenance that materially reduces your exposure to future attacks.
Building Ransomware Resilience
The best time to prepare for a ransomware attack is before it happens. Implement a robust backup strategy following the 3-2-1 rule: three copies of your data, on two different types of media, with one copy stored offsite or in the cloud. Ensure at least one copy is immutable or offline. Immutable means it cannot be modified or deleted for its retention period even by an account with full administrative rights to the backup platform (for example, object storage with object lock in compliance mode); offline means the media is physically disconnected between backup runs. A copy that the backup server can delete with its normal credentials is not protected, because those are exactly the credentials the attacker will hold.
Test your backups regularly. A backup that has never been tested is not a backup — it is an assumption. Schedule quarterly test restores of critical systems to verify that your data can be recovered within acceptable timeframes. Document the restoration process so that it can be followed under pressure during an actual incident.
Conclusion
Ransomware attacks are frightening, disruptive, and costly — but they are survivable. The businesses that recover fastest and with the least damage are those that have invested in proper backups, have a tested recovery plan, and respond methodically rather than in panic. The investment in backup infrastructure and security hardening is a fraction of the cost of a successful ransomware attack, making it one of the clearest return-on-investment calculations in IT.
Protect Your Business from Ransomware
Cloudswitched provides comprehensive backup and disaster recovery solutions for UK businesses, including immutable cloud backup, tested recovery plans, and incident response support. Whether you are recovering from an attack or want to ensure you never have to, our team can help. Contact us for a free backup assessment.
