
Ransomware Recovery: How to Restore Your Business After an Attack


A ransomware attack is one of the most devastating events a UK business can experience. In the space of minutes, your files become encrypted, your systems become unusable, and a ransom demand appears on your screens — typically requesting payment in cryptocurrency in exchange for a decryption key that may or may not work. The UK's National Cyber Security Centre (NCSC) reports that ransomware remains the single most significant cyber threat to UK businesses, with SMEs increasingly targeted because they often lack the security infrastructure and incident response capabilities of larger organisations.

If your business has been hit by ransomware — or if you want to prepare for the possibility — this guide provides a practical, step-by-step recovery framework. It covers immediate response actions, data restoration from backups, system rebuilding, and the crucial steps needed to prevent a recurrence. Throughout, we reference UK-specific guidance from the NCSC, the Information Commissioner's Office (ICO), and the National Crime Agency (NCA).

The most important message is this: ransomware is survivable. Businesses with proper backups and a tested recovery plan can be back up and running within hours or days. Those without can face weeks of downtime and, in the worst cases, permanent data loss that threatens the very survival of the business.

The scale of the ransomware problem facing UK businesses cannot be overstated. According to the UK Government's Cyber Security Breaches Survey, approximately one in three UK businesses experienced a cyber attack in the past twelve months, with ransomware accounting for a growing proportion of the most damaging incidents. The threat is not confined to large corporations — in fact, SMEs are increasingly attractive targets because they typically hold valuable data whilst lacking the dedicated security teams and sophisticated defences of larger organisations. Criminal groups recognise that a small business with twenty employees and no dedicated IT security staff is far more likely to pay a ransom than a FTSE 100 company with a full security operations centre.

Understanding how ransomware typically enters a business is essential context for both recovery and prevention. The most common infection vectors in the UK are phishing emails containing malicious attachments or links, exploitation of unpatched vulnerabilities in internet-facing systems (particularly VPN appliances and remote desktop services), compromised credentials obtained through data breaches or brute-force attacks, and supply chain compromises where a trusted software vendor or service provider is used as a conduit to reach their customers. Knowing which vector was used in your specific attack is critical information that will guide your recovery and hardening efforts.

Key figures:
  • £1.08m: average total cost of a ransomware attack on a UK business
  • 21 days: average recovery time without proper backups
  • 85%: of UK ransomware victims who had backups recovered without paying
  • 72 hrs: ICO breach notification deadline under UK GDPR

Immediate Response: The First 60 Minutes

The actions you take in the first hour after discovering a ransomware attack significantly influence your recovery outcome. Speed and discipline are essential — panic and ad hoc responses make the situation worse.

Step 1: Isolate Affected Systems

Immediately disconnect affected machines from the network. Unplug Ethernet cables, disable Wi-Fi, and if possible, isolate affected network segments at the switch level. Ransomware spreads laterally across networks, and every minute an infected machine remains connected gives it more opportunity to encrypt additional systems. Do not shut down affected machines unless specifically advised to do so — some ransomware variants can be analysed from memory, and forensic evidence may be lost if machines are powered off.

For organisations with more complex network environments, consider isolating affected segments using VLAN reconfiguration at the switch level rather than simply unplugging cables. This approach allows you to contain the spread whilst maintaining some network connectivity for unaffected systems, which may be critical for your recovery effort. If you have a firewall with network segmentation capabilities, use it to create isolation zones. The goal is surgical containment — stopping the ransomware from spreading further whilst preserving as much operational capability as possible for systems that remain unaffected.

During the isolation phase, pay particular attention to any systems that connect to external networks or cloud services. If the ransomware has compromised credentials stored on affected machines, the attackers may attempt to pivot to cloud environments such as Microsoft 365, Azure, or AWS. Immediately review sign-in logs for your cloud services and consider temporarily disabling any service accounts or synchronisation tools that connect your on-premises environment to the cloud until you can confirm they have not been compromised. Directory synchronisation tools such as Azure AD Connect, which replicate accounts and credentials between your on-premises Active Directory and the cloud, can inadvertently propagate compromised credentials if not disabled promptly.

Step 2: Assess the Scope

Determine how far the attack has spread. Which machines are displaying ransom notes? Which file shares have been encrypted? Are your backups accessible and intact? Is your email system affected? Is your phone system operational? Document everything you observe, including timestamps — this information will be needed for incident reporting and potentially for law enforcement.

Step 3: Notify Key Stakeholders

Alert your IT support provider, your senior management team, and your cyber insurance provider (if you have one). If personal data may have been compromised, your Data Protection Officer or the person responsible for GDPR compliance needs to be informed immediately, as the 72-hour notification window to the ICO starts from the moment you become aware of the breach.

Step 4: Establish Out-of-Band Communication

If your email system has been compromised or encrypted, you need an alternative communication channel. Many businesses discover during a ransomware attack that their entire communication infrastructure depends on systems that are no longer available. Establish out-of-band communication using personal mobile phones, a messaging platform such as WhatsApp or Signal, or a pre-arranged conference bridge. Ensure your incident response team knows how to reach each other through channels that are entirely independent of your corporate IT infrastructure. This is something that should ideally be arranged in advance as part of your incident response planning, but if it has not been, set it up now as an immediate priority.

Communication with employees is equally important. Staff will be anxious about the situation, and rumours can spread quickly. Provide a brief, factual update as soon as possible, letting people know what has happened, what is being done, and what they should and should not do. Instruct staff not to attempt to use any corporate systems until they are told it is safe, not to click on any suspicious links or open unexpected emails, and to report anything unusual they noticed in the hours or days before the attack was discovered — this information may help identify the initial entry point.

Should You Pay the Ransom?

Both the NCSC and the NCA strongly advise against paying ransoms. Paying does not guarantee that you will receive a working decryption key — research suggests that only 65% of businesses that pay actually recover all their data. Payment also funds criminal organisations and marks your business as willing to pay, making you a target for future attacks. Furthermore, depending on the criminal group involved, paying a ransom could potentially breach UK sanctions legislation. The best defence against ransom demands is having reliable, tested backups that allow you to restore your data independently.

Phase 1: Containment and Assessment

Once the immediate crisis response is underway, the next phase focuses on fully containing the attack and understanding its impact.

Identify the Ransomware Variant

Knowing which ransomware variant has attacked you can help determine whether free decryption tools are available. Upload the ransom note and a sample of encrypted files to the No More Ransom project (nomoreransom.org), an initiative supported by Europol and numerous security vendors. For some older or less sophisticated ransomware variants, free decryption tools exist that can recover your files without payment or backups.

Verify Backup Integrity

Before you begin restoration, verify that your backups have not been compromised. Sophisticated ransomware attacks often target backup systems specifically — encrypting or deleting backups to eliminate the victim's ability to recover without paying. Check your cloud backup repositories, offsite copies, and any air-gapped backups (backups stored on media that is physically disconnected from your network).

When assessing backup integrity, pay particular attention to the timestamps and consistency of your backup data. Ransomware can lie dormant on a system for days or even weeks before activating its encryption payload — a tactic known as a delayed activation or time-bomb approach. This means that recent backups may themselves contain the ransomware in its dormant state. You may need to restore from an older backup that predates the initial compromise, accepting some data loss in exchange for a clean restoration. This is precisely why maintaining extended retention periods — ideally 30 to 90 days of backup history — is so important for ransomware resilience.

If you discover that all of your backups have been compromised or encrypted, do not despair entirely. Contact your backup provider, as they may maintain additional copies or have recovery options that are not immediately visible to you. Cloud backup providers, in particular, often use immutable storage or versioning behind the scenes that may preserve clean copies of your data even if the backup interface suggests otherwise. Additionally, check whether any of your critical data exists in cloud services such as Microsoft 365, Google Workspace, or cloud-based line-of-business applications — data stored natively in these platforms is typically protected by the provider's own backup and versioning mechanisms and may be recoverable independently of your local backup infrastructure.
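The clean-restore-point selection described above, as an added example rather than code from the original article or any backup product: it scans a backup catalogue, discards snapshots that already contain encrypted files or a ransom note, applies an assumed dormancy window, and reports how much history the catalogue actually holds. The snapshot listings, file names, ransom-note name and dates are constructed.

```python
"""Pick the newest backup snapshot that predates the compromise and does not
itself look encrypted.  Added example; every listing, filename and date below
is constructed, not taken from a real incident or backup product."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ordinary document extensions we expect to see on this (constructed) file share.
EXPECTED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".csv", ".pptx"}
# Constructed ransom-note filename used as an indicator; real names vary by family.
RANSOM_NOTE_NAMES = {"readme_to_restore.txt"}


@dataclass
class Snapshot:
    taken_at: datetime
    files: list            # path listing from the backup catalogue


def _basename(path):
    return path.rsplit("/", 1)[-1].lower()


def encrypted_share(files):
    """Fraction of files whose final extension is not one we expect.
    Ransomware normally appends a new extension to every file it encrypts,
    so a sudden jump in this figure means the snapshot captured encrypted data."""
    if not files:
        return 0.0
    unexpected = 0
    for path in files:
        name = _basename(path)
        dot = name.rfind(".")
        ext = name[dot:] if dot != -1 else ""
        if ext not in EXPECTED_EXTENSIONS:
            unexpected += 1
    return unexpected / len(files)


def has_ransom_note(files):
    return any(_basename(p) in RANSOM_NOTE_NAMES for p in files)


def snapshot_is_clean(snap, max_unexpected=0.05):
    """A snapshot is treated as clean if it holds no ransom note and only a
    small share of files carry an unexpected extension."""
    return not has_ransom_note(snap.files) and encrypted_share(snap.files) <= max_unexpected


def choose_restore_point(snapshots, first_evidence, dormancy_days=14):
    """Newest clean snapshot taken before first_evidence minus the assumed
    dormancy window (the article notes ransomware may sit dormant for days or
    weeks).  Returns (snapshot, data_loss) or (None, None) if nothing qualifies."""
    cutoff = first_evidence - timedelta(days=dormancy_days)
    candidates = [s for s in snapshots if s.taken_at <= cutoff and snapshot_is_clean(s)]
    if not candidates:
        return None, None
    best = max(candidates, key=lambda s: s.taken_at)
    return best, first_evidence - best.taken_at


def retention_days(snapshots):
    """Days of history the catalogue actually holds; the article recommends
    30 to 90 days so that a pre-compromise snapshot still exists."""
    times = [s.taken_at for s in snapshots]
    return (max(times) - min(times)).days


# Constructed catalogue: periodic snapshots of a small file share.  The last
# one was taken after encryption began; the one before it is clean but falls
# inside the 14-day dormancy window and is therefore not trusted.
_CLEAN = ["finance/invoice-2025-03.xlsx", "hr/contracts/smith.docx",
          "ops/rota.pdf", "sales/pipeline.csv"]
SAMPLE_SNAPSHOTS = [
    Snapshot(datetime(2025, 5, 1), _CLEAN),
    Snapshot(datetime(2025, 5, 20), _CLEAN),
    Snapshot(datetime(2025, 6, 1), _CLEAN),
    Snapshot(datetime(2025, 6, 10), _CLEAN),
    Snapshot(datetime(2025, 6, 11),
             [f + ".locked" for f in _CLEAN] + ["finance/README_TO_RESTORE.txt"]),
]
# Earliest log entry showing attacker activity (constructed timestamp).
FIRST_EVIDENCE = datetime(2025, 6, 11, 2, 30)

if __name__ == "__main__":
    snap, loss = choose_restore_point(SAMPLE_SNAPSHOTS, FIRST_EVIDENCE)
    print("restore from", snap.taken_at.date(), "accepting", loss.days, "days of data loss")
    print("catalogue holds", retention_days(SAMPLE_SNAPSHOTS), "days of history")
```

With the constructed catalogue the script selects the 20 May snapshot (22 days of data loss) and reports 41 days of retention, which is inside the recommended range but shows how quickly a short retention window would leave no usable restore point.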

Backup survival rates by backup type, most resilient first:
  • Air-gapped backups (most resilient): 95% survival rate
  • Immutable cloud backups: 90% survival rate
  • Standard cloud backup: 65% survival rate
  • On-premises backup (network attached): 30% survival rate
  • USB/local backup only: 15% survival rate

Phase 2: Recovery and Restoration

With the attack contained and backups verified, the restoration process can begin. The approach depends on the extent of the damage and the type of backup infrastructure you have in place.

Server Recovery

For servers that have been encrypted, the safest approach is a complete rebuild from a known-good backup or a clean installation. Attempting to "clean" a ransomware infection without rebuilding carries the risk that persistence mechanisms remain on the system, allowing the attackers to re-encrypt your data or maintain access for future attacks.

If you are using cloud-based backup solutions such as Veeam Cloud Connect, Datto, or Azure Backup, restoration typically involves provisioning a new server (or the same server after wiping) and restoring from the most recent clean backup point — meaning the last backup taken before the ransomware was introduced. Identifying this clean point is critical and may require checking multiple backup snapshots to find one that predates the infection.

Investigating Potential Data Exfiltration

Modern ransomware attacks increasingly employ a tactic known as double extortion. Before encrypting your files, the attackers exfiltrate sensitive data and threaten to publish it unless the ransom is paid. This means that even if you have perfect backups and can restore every file, you may still face the threat of sensitive business data, client information, or employee records being leaked publicly. According to UK cyber security firms, double extortion is now involved in the majority of ransomware incidents targeting British businesses.

Work with your IT provider or a forensic specialist to review network logs for any unusual outbound data transfers in the days or weeks before the ransomware was deployed. Large data transfers to unfamiliar external IP addresses, particularly outside of normal business hours, may indicate exfiltration. Check your firewall logs, proxy logs, and any data loss prevention tools you have in place. If your organisation processes sensitive personal data or is subject to professional confidentiality obligations — as many UK law firms, accountancy practices, and healthcare providers are — the possibility of data exfiltration significantly escalates the severity of the incident and may trigger additional notification requirements under UK GDPR.

If exfiltration is confirmed or suspected, this must be factored into your ICO notification and may require direct notification to the affected individuals. Seek legal advice promptly, as the obligations and potential consequences become considerably more complex when data has left your network entirely. In some cases, businesses may need to offer credit monitoring services to affected individuals or take other remedial steps to mitigate the risk of harm.
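The firewall-log review described above, as an added example that is not part of the original article: it totals outbound bytes per destination per day, ignores internal and allow-listed destinations, and flags destinations that exceed a volume threshold together with the share of that traffic sent outside business hours. The log format, the allow-list and every log line are constructed; the TEST-NET addresses stand in for public ones.

```python
"""Flag large outbound transfers to unfamiliar external destinations in
firewall logs.  Added example; the log format, allow-list and every line
below are constructed, not taken from any real firewall or incident."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Internal ranges whose traffic is not egress (RFC 1918).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed allow-list: destinations the business legitimately sends bulk
# data to, such as its cloud backup provider.  Replace with your own.
KNOWN_DESTINATIONS = {"203.0.113.10"}
BUSINESS_HOURS = range(8, 19)          # 08:00 to 18:59 local time
VOLUME_THRESHOLD = 500 * 1024 * 1024   # 500 MiB per destination per day

# Constructed log lines: "date time src dst dst_port bytes_out".
SAMPLE_LOG = """\
2025-06-09 14:02:11 10.0.1.25 203.0.113.10 443 734003200
2025-06-09 15:10:43 10.0.1.25 203.0.113.55 443 1048576
2025-06-10 01:17:05 10.0.1.40 198.51.100.77 22 314572800
2025-06-10 02:41:19 10.0.1.40 198.51.100.77 22 419430400
2025-06-10 09:30:00 10.0.1.12 10.0.2.5 445 2147483648
2025-06-10 11:05:52 10.0.1.40 198.51.100.77 443 52428800
"""


def parse_line(line):
    date, time, src, dst, port, nbytes = line.split()
    return datetime.fromisoformat(f"{date} {time}"), src, dst, int(port), int(nbytes)


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def summarise_egress(log_text):
    """Per (day, destination) totals for external, non-allow-listed
    destinations, recording bytes sent outside business hours and the
    internal hosts that sent them."""
    totals = defaultdict(lambda: {"bytes": 0, "after_hours": 0, "sources": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port, nbytes = parse_line(line)
        if not is_external(dst) or dst in KNOWN_DESTINATIONS:
            continue
        entry = totals[(ts.date().isoformat(), dst)]
        entry["bytes"] += nbytes
        entry["sources"].add(src)
        if ts.hour not in BUSINESS_HOURS:
            entry["after_hours"] += nbytes
    return totals


def suspicious_transfers(log_text, threshold=VOLUME_THRESHOLD):
    """Destinations whose daily outbound volume reached the threshold, largest
    first.  Each result: (day, dst, total_bytes, after_hours_fraction, sources).
    A high after-hours fraction is the pattern the article singles out."""
    flagged = []
    for (day, dst), e in summarise_egress(log_text).items():
        if e["bytes"] >= threshold:
            flagged.append((day, dst, e["bytes"],
                            e["after_hours"] / e["bytes"], sorted(e["sources"])))
    flagged.sort(key=lambda r: r[2], reverse=True)
    return flagged


if __name__ == "__main__":
    for day, dst, total, frac, sources in suspicious_transfers(SAMPLE_LOG):
        print(f"{day} {dst}: {total / 2**20:.0f} MiB, "
              f"{frac:.0%} after hours, from {', '.join(sources)}")
```

On the constructed log the only destination flagged is 198.51.100.77 on 10 June, which received 750 MiB from a single internal host with 93% of it sent in the early hours; that is the kind of record to hand to a forensic specialist rather than conclusive proof of exfiltration on its own.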

Workstation Recovery

For user workstations, the most efficient approach is usually to reimage the machine using your standard deployment image and then restore user data from backups. If you use Microsoft 365, most user data (email, OneDrive files, SharePoint documents) is already stored in the cloud and may be unaffected by the local ransomware infection. Check OneDrive version history and SharePoint recycle bins — these can often recover files that were encrypted by ransomware running on the local machine.

Application and Database Recovery

Restoring servers and workstations is only part of the challenge. Line-of-business applications — your accounting software, CRM system, practice management system, or industry-specific applications — often require careful attention during recovery. These applications may have their own databases, configuration files, licence activation records, and inter-system integrations that must all be restored correctly for the application to function. Work with your application vendors during the recovery process, as they can often provide guidance on the correct restoration sequence and any post-restore steps that are required.

Database recovery deserves particular care. If your business runs SQL Server, PostgreSQL, or another database engine, simply restoring the database files from backup may not be sufficient. You may need to apply transaction logs to bring the database to a consistent state, reconfigure replication or clustering if applicable, and verify referential integrity before allowing users to access the data. If your databases contain financial records, client records, or other regulated data, document the recovery process thoroughly — you may need to demonstrate to auditors or regulators that the integrity of the data was maintained throughout the recovery process and that no records were lost or altered.

Recovery Priority Order

Not all systems are equally critical. Establish a recovery priority order and restore the most important systems first.

Priority, systems, and target recovery time:
  • Critical (4–8 hours): Active Directory / Azure AD, email, core line-of-business applications
  • High (8–24 hours): file servers, accounting systems, CRM
  • Medium (1–3 days): user workstations, printers, secondary applications
  • Low (3–7 days): development systems, archives, non-essential services

Phase 3: Reporting and Compliance

UK businesses have specific legal obligations following a ransomware attack, particularly if personal data has been affected.

ICO Notification

Under UK GDPR, if the ransomware attack has resulted in a breach of personal data that is likely to result in a risk to individuals' rights and freedoms, you must notify the ICO within 72 hours of becoming aware of the breach. The notification must include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken to address the breach and mitigate its effects.

Law Enforcement Reporting

Report the attack to Action Fraud (the UK's national reporting centre for fraud and cybercrime) on 0300 123 2040 or via actionfraud.police.uk. For significant attacks, the National Crime Agency may become involved. Reporting helps law enforcement track ransomware groups and may assist in the eventual recovery of funds or the prosecution of attackers.

Cyber Insurance Claims

If you have cyber insurance, notify your insurer as early as possible — ideally within the first few hours of discovering the attack. Most cyber insurance policies include access to specialist incident response services, forensic investigators, and legal advisers at no additional cost to you. These resources can be invaluable during the recovery process, and early engagement with your insurer ensures that you do not inadvertently take actions that could complicate your claim. Your insurer may also cover the costs of business interruption, data recovery, regulatory fines, and third-party claims arising from the breach.

Even if you do not currently have cyber insurance, a ransomware attack is a powerful motivator to obtain cover once you have recovered. The UK cyber insurance market has matured significantly, and policies are available for businesses of all sizes. Premiums have increased in recent years as claims have risen, but a comprehensive cyber policy typically costs considerably less than the daily revenue loss from a single day of ransomware-induced downtime. When selecting a policy, pay particular attention to the coverage for business interruption, the waiting period before coverage begins, the sublimits for different categories of loss, and whether the policy covers regulatory fines and penalties under UK GDPR.

Client and Supplier Communications

Transparency with clients and suppliers during a ransomware recovery is essential, though the degree of detail shared should be carefully considered. Clients who depend on your services need to know that you are experiencing disruption, what impact it may have on service delivery, and when you expect to resume normal operations. Vague or evasive communications erode trust far more quickly than honest acknowledgement of the situation. Prepare a clear, factual statement that can be shared with clients and key stakeholders, avoiding technical jargon and focusing on what matters to them: whether their data is affected, what you are doing to resolve the situation, and when they can expect normal service to resume.

For suppliers and partners who have network connectivity to your systems — for example, through VPNs, shared platforms, or API integrations — notify them immediately so they can assess whether the compromise could have spread to their own environment. This is not only good practice but may be a contractual obligation under data processing agreements or supply chain security requirements that your business has entered into.

Recovery Best Practices

  • Restore from verified clean backups, not from infected systems
  • Rebuild servers from scratch rather than attempting to clean them
  • Change all passwords after the attack, including service accounts
  • Patch the vulnerability that allowed the attack before reconnecting
  • Monitor recovered systems closely for 30 days post-recovery
  • Document everything for compliance and insurance purposes

Recovery Mistakes to Avoid

  • Restoring from backups without verifying they are clean
  • Reconnecting recovered systems to the network too quickly
  • Failing to change passwords, allowing attackers to return
  • Not identifying the initial entry point before resuming operations
  • Paying the ransom without exhausting other recovery options
  • Failing to notify the ICO within the 72-hour deadline

Phase 4: Prevention and Hardening

After recovery, the priority shifts to ensuring the attack cannot happen again. Most ransomware attacks exploit one of a small number of common entry points: phishing emails, unpatched software vulnerabilities, exposed remote access services (particularly RDP), and compromised credentials.

Address the specific vulnerability that enabled the attack, then implement broader security improvements. Key measures include enforcing multi-factor authentication on all remote access and cloud services, implementing endpoint detection and response (EDR) on all devices, ensuring all systems are patched promptly with a particular focus on internet-facing services, reviewing and restricting administrative privileges, implementing network segmentation to limit lateral movement, deploying email filtering with advanced threat protection, and conducting regular phishing simulation training for all staff.

Network Segmentation and Zero Trust

One of the most effective measures for limiting the damage of future ransomware attacks is network segmentation — dividing your network into isolated zones so that an infection in one area cannot spread freely to others. In a flat, unsegmented network, ransomware that infects a single workstation can potentially encrypt every file server, every database, and every other workstation on the network within minutes. With proper segmentation, the blast radius is contained to the compromised segment, giving you time to detect and respond before the attack spreads further.

Related to segmentation is the principle of zero trust, which assumes that no user, device, or network connection should be automatically trusted, regardless of whether it originates from inside or outside your corporate network. Implementing zero trust principles — such as requiring multi-factor authentication for all access, verifying device health before granting network access, and applying the principle of least privilege to all user accounts — significantly reduces the attack surface available to ransomware operators. For UK SMEs, full zero trust implementation may seem ambitious, but adopting its core principles incrementally provides meaningful security improvements at each stage without requiring wholesale infrastructure replacement.

Employee Awareness and Phishing Resilience

The human factor remains the single most common entry point for ransomware. Phishing emails that trick employees into clicking malicious links or opening infected attachments are responsible for the majority of ransomware infections in UK businesses. Technical controls such as email filtering and endpoint detection are essential, but they must be complemented by genuine employee awareness. This means going beyond annual compliance training — which research consistently shows to be ineffective in isolation — and implementing ongoing, practical security awareness programmes that keep ransomware risks at the forefront of daily operations. Monthly phishing simulations, brief team discussions about emerging threats, and a culture where reporting suspicious emails is encouraged rather than stigmatised are all proven approaches that significantly reduce the likelihood of a successful phishing attack.

Consider pursuing Cyber Essentials certification if you have not already done so. The certification process systematically addresses the most common attack vectors and provides a framework for ongoing security maintenance that significantly reduces your risk of future ransomware attacks.

Building Ransomware Resilience

The best time to prepare for a ransomware attack is before it happens. Implement a robust backup strategy following the 3-2-1 rule: three copies of your data, on two different types of media, with one copy stored offsite or in the cloud. Ensure at least one backup is immutable — meaning it cannot be modified or deleted even by an administrator — so that ransomware cannot encrypt or destroy it.

Test your backups regularly. A backup that has never been tested is not a backup — it is an assumption. Schedule quarterly test restores of critical systems to verify that your data can be recovered within acceptable timeframes. Document the restoration process so that it can be followed under pressure during an actual incident.

Developing a Formal Incident Response Playbook

Beyond backup testing, every UK business should develop a ransomware-specific incident response playbook. This document should detail exactly what happens in the first 60 minutes, the first 24 hours, and the first week following a ransomware attack. It should identify the incident response team by name, with contact details that do not depend on corporate systems, and specify each person's role and responsibilities during a crisis. The playbook should include pre-drafted communication templates for staff, clients, regulators, and the media, so that communications can be issued quickly without the delays that come from composing messages under extreme pressure.

The playbook should be reviewed and updated at least annually, and whenever there is a significant change to your IT environment or team composition. Conduct tabletop exercises where your team walks through a simulated ransomware scenario, making decisions and identifying gaps in real time. These exercises consistently reveal assumptions, dependencies, and single points of failure that are not apparent from reading the plan on paper. The businesses that recover fastest from ransomware attacks are invariably those that have practised their response — just as fire drills prepare people to evacuate a building calmly and efficiently, incident response exercises prepare your team to handle a cyber crisis methodically rather than in panic. The NCSC provides free exercise-in-a-box resources specifically designed for UK organisations that make it straightforward to run effective tabletop exercises even without specialist security expertise.

  • UK SMEs with tested backup recovery plans: 23%
  • UK SMEs with immutable backups: 18%
  • UK SMEs with MFA on all remote access: 41%
  • UK SMEs with incident response plans: 29%

Conclusion

Ransomware attacks are frightening, disruptive, and costly — but they are survivable. The businesses that recover fastest and with the least damage are those that have invested in proper backups, have a tested recovery plan, and respond methodically rather than in panic. The investment in backup infrastructure and security hardening is a fraction of the cost of a successful ransomware attack, making it one of the clearest return-on-investment calculations in IT.

If your business has recently experienced a ransomware attack, use the recovery process as an opportunity to fundamentally reassess your security posture and backup strategy. Every ransomware incident, however painful, provides invaluable intelligence about your vulnerabilities, your response capabilities, and the resilience of your infrastructure. Conduct a thorough post-incident review, document the lessons learnt, and implement the improvements identified. The businesses that emerge strongest from ransomware attacks are those that treat the incident as a catalyst for genuine, lasting improvement in their cyber resilience — not simply as a problem to be resolved and forgotten.

For UK SMEs that have not yet been targeted, the message is equally clear: the question is not whether your business will face a ransomware attack, but when. The threat landscape is not improving, and the criminal groups behind ransomware attacks are becoming more sophisticated, more targeted, and more destructive with every passing year. Investing in proper backups, security hardening, and incident response planning now — while you have the luxury of time and calm — is immeasurably easier and less costly than trying to build these capabilities in the midst of a crisis. A managed cloud backup solution with immutable storage, combined with regular testing and a practised incident response plan, provides a level of protection that makes ransomware a recoverable inconvenience rather than an existential threat.

Protect Your Business from Ransomware

Cloudswitched provides comprehensive backup and disaster recovery solutions for UK businesses, including immutable cloud backup, tested recovery plans, and incident response support. Whether you are recovering from an attack or want to ensure you never have to, our team can help. Contact us for a free backup assessment.
