Skip to content
Home / Blog / How to Develop a Ransomware Recovery Plan & Prevent an Attack

February 21, 2024 | Matt Pacheco

How to Develop a Ransomware Recovery Plan & Prevent an Attack

A ransomware recovery plan is essential in todays digital age, as an attack can infiltrate a business in many ways and cybercriminals are continuing to find new entry points to breach IT defenses rapidly. Cybercriminals may use phishing messages to build trust and work their way in, they may find a software vulnerability and sneak in the back door, or find another way to gain access, such as malware. The most common attack vectors identified in Q2 2023, according to Coveware, were email phishing and remote desktop protocol (RDP) compromise. Some criminals are even purchasing kits to implement ransomware through ransomware as a service (RaaS).

Once a ransomware attack occurs, the clock starts on recovery. If your business doesn’t have a ransomware recovery plan, the fallout can be costly, resulting in a loss of revenue, productivity, and even trust in your organization. We’ll talk about the significance of ransomware recovery to your business and the essential components that should be included within your recovery plan.

What is a Ransomware Recovery Plan? 

A ransomware recovery plan is a framework that empowers businesses to regain control and restore business continuity, ideally, without succumbing to ransom demands from cybercriminals. It is best done long before a threat arises and should include any and all steps get your business back to normal after an attack. When creating a ransomware recovery plan it should outline all systems and data critical to your business, define a process for backing up your data, determine how ransomware will be found and removed, detail a plan for restoring systems and data, and dictate a communication plan that can be used to inform all key contacts about what to do during and after a ransomware attack.

This proactive approach not only protects critical data but also avoids the financial and reputational risks associated with ransom payments. Keep in mind that while paying the ransom may seem like the quickest solution, it’s a gamble with no guarantee of complete data recovery and further vulnerabilities down the line. So, the most empowering and ultimately cost-effective strategy lies in a robust ransomware recovery plan.

Why a Ransomware Recovery Plan is Essential

You may think that creating a ransomware recovery plan is excessive. Maybe you think your organization is small and will fly under the radar of bad actors. This is where most businesses go wrong. While the median size of companies that have been attacked by ransomware is increasing, according to Coveware, two-thirds of companies that are victims of ransomware have fewer than 1,000 employees, with 30% of companies having under 100 employees; and per a recent Business Impact Report, 73% of small business owners in the US reported a cyberattack in 2022. Regardless of your size, having a recovery plan for ransomware is essential.

How a Ransomware Recovery Plan Works?

Incident Response (IR) Plan

There should be no question about what your business will do next after discovering an attack. An incident response (IR) plan should include short-term and long-term actions you will take in response to an attack and reduce the likelihood of future attacks. Develop a plan of action, including immediate containment, to respond to an attack.

Make sure the IR plan answers the following questions:

  • What steps will you take to collect the necessary data to understand the source, nature, and scope of the ransomware attack?
  • How will you communicate the incident to internal and external stakeholders?
  • What are you legally required to do after a ransomware attack to stay compliant?
  • How will you keep business functions moving forward, and what will you need to do to restart or shift other functions?
  • How will you decide what improvements need to be made to your security measures to keep these attacks from happening in the future?

After containment, the plan should also include steps for communications, analysis, and mitigation. Consider including answers to the following questions:

  • Who needs to be informed about an attack?
  • What needs to be audited?
  • How can the negative impacts of the attack cause the least amount of fallout possible? 

Identifying and Isolating the Incident

With an IR plan, you need to understand the source of the ransomware attack and the full scope of the situation before disconnecting anything or taking any kind of drastic action. How did cybercriminals infiltrate? What machines are infected? Once the attack has been properly categorized, your organization can move on to disconnecting any systems that have been impacted to limit the harm done.

Disaster Recovery Plan

The end goal of any incident is to return to normal operations as quickly as possible. Determine your strategy to restore capabilities and services that were impacted by the attack. To ensure everything will work as planned, test your disaster recovery plan frequently and modify as you go, making improvements based on lessons learned.


A good ransomware recovery plan will ideally have at least two backups in place, and one ready to go quickly if an incident happens. Some organizations may choose to have two systems running at the same time for virtually instantaneous failover. Others may require additional steps to fill in where the primary environment left off. The bottom line is to keep data backups isolated to remain safe during an attack, and make them incrementally so that you don’t lose any data that hasn’t been backed up since the last session.

Data Recovery Software and Decryption

Even if something doesn’t go to plan, or if you’ve missed something in the ransomware recovery process, you may be able to restore some data to a set recovery point using other system tools native to a particular operating system, for example. However, this isn’t a good method to rely on, as ransomware may also impact the effectiveness of a tool like Windows System Restore.

Some software and decryption tools may also be able to restore data or undo the damage done by encryption. Not all versions of ransomware respond to these methods, either, so it’s good to include more than one method in your recovery plan to restore your workloads.

Boost Your Security

Make sure your ransomware recovery plan includes best practices for keeping security measures strong, organization-wide. This may include enacting two-factor authentication, requiring regular password changes, centralizing logging across your systems, and educating employees through cybersecurity training – more on that in the next section.

5 Steps to a Ransomware Recovery Plan Template

As you can see, ransomware recovery, incident response, and disaster recovery plans all share similar traits. However, when you’re thinking particularly about ransomware recovery, remember these steps.

5 Steps to a Ransomware Recovery Plan Template

Train a Ransomware Disaster Response Team

Your employees are your first line of defense against ransomware. The more they are able to identify potential ransomware attacks before they strike, the more likely it is they will be able to prevent these attacks. Each member of the disaster response team should have a clear defined role, the most common employee training will involve spotting phishing emails and maintaining password hygiene. Other employees may need to be trained on specific tools that identify software vulnerabilities and other potential side and back doors for cybercriminals.

Focus on Remediation and Prevention

Even if you have every cybersecurity tool in the world at your disposal to prevent attacks, you can still fall prey to ransomware. Prevention and remediation work best in combination. Immutable storage and disaster recovery are two remediating measures that can help you get your environments back to normal even if you don’t get your encrypted data back. You’ll also want to encrypt your data, so even if it’s intercepted, it’s less likely to be read by the attackers looking for a ransom.

Keep Data Resilience a Priority

The resiliency of your data is determined by how quickly you can return to usual operations after an attack. For some businesses, there may be some leeway on how resilient your data needs to be. Maybe there are some workloads you can do without for a day or two. For others, even a few minutes of downtime can harm the business. Resilience is all about prioritizing backup and recovery, as well as regularly testing these measures to make sure they work without a hitch in a critical moment.

Understand Your Critical Data

It may be that some applications and data are more valuable to you than others, and more essential for keeping your business moving. Understanding this, and prioritizing these workloads during an emergency, will help you develop a hierarchical action plan for ransomware recovery. For example, if you store your data in different tiers, you can put workloads that are less critical in less expensive tiers and focus more on recovering higher tiers when a ransomware attack strikes.

Create a Disaster Recovery Plan

One major part of your ransomware recovery plan will be drafting and regularly testing a disaster recovery plan. Figure out how often you need to back up your data and how it needs to be protected. You may want to follow the 3-2-1 system, for example: Having at least 3 copies of your data, 2 forms of storage media, and 1 version saved offsite in an isolated configuration. You’ll also want to figure out how often you need to back up your data. For some organizations, this may look like backing up every minute, whereas others can go a day or longer without a regular backup.

Testing this plan is a step that can’t be missed. When you test, you can verify that your recovery point objectives and recovery time objectives will be met in an actual ransomware attack, and it can help you find weak spots that may need to be revised to work properly after an attack.

Best Practices for Ransomware Attack Recovery

When a business experiences a ransomware attack, recovery comes down to the following five key steps: Preparation, prevention, detection, assessment, and recovery.

5 Best Practices for Ransomware Attack Recovery infographic


Businesses should prepare for ransomware attacks by thinking that it’s not a matter of if, but a matter of when. With that, preparation well before a threat is on the horizon is the first and most essential step to recovering from a ransomware attack.

Essential components within preparation should include modernizing your infrastructure with a Zero Trust approach and completeing a thorough cybersecurity assessment to identify any threats and weaknesses.


When you’re in the frame of mind that a ransomware attack will happen to you, the focus shifts to preventative measures, such as ensuring the latest OS is installed and patches have been updated. Third-party tools can identify ransomware attacks before they are able to do damage by noticing anomalies in user activity, finding attempts to access systems, flagging potential phishing emails, and so on.


These prevention tools can detect where a data breach has occurred, or where a ransomware attack has started to take hold. Robust monitoring and response capabilities efficiently gather, analyze, and respond to potential threats. For example, AI tools can be used to continuously monitor the environment and automatically send out alerts when an abnormality is first detected so efforts can be taken to quickly address and remove any threats.


Identify and document any threats, risks, and weaknesses. Decide ahead of time what pieces of your system are critical to your business. What data and applications need to be recovered first, and how long can you go without them working? Determine your recovery point objective (RPO) and recovery time objective (RTO), and note differences in these times based on your priorities.


Once you are sure that the ransomware has been contained and will not infect any new data, it’s time to put a recovery plan into action. If you have failback to another system, the plan will include steps to recover workloads and bring the main site to its normal operation.

Prevent and Isolate your Data from Ransomware Attacks with TierPoint

Ransomware attacks can strike without warning, which is what makes prevention so important. Prevention and remediation, working in tandem, can significantly limit your exposure to attacks and keep your business rolling. Learn more about TierPoint’s Disaster Recovery as a Service (DRaaS) and other solutions that can mitigate ransomware’s effects. Need help building your DR plan? Download our infographic to learn 13 steps that should be included within every resilient DR plan.


What is the 3 2 1 Rule for Ransomware?

The 3-2-1 rule for ransomware says that businesses should have at least 3 copies of their data, 2 storage media, and 1 copy kept offsite. Recently, the rule has expanded to 3-2-1-1-0, which includes 1 offline or immutable copy, and backups being completed with 0 errors.

How Can Backup Be an Effective Defense Against Ransomware?

Backup can be an effective defense against ransomware by restoring encrypted data and by creating an air-gapped backup that is stored away from the organization’s network. Backup solutions may also help identify and remove ransomware from backups thanks to special features.

How Can Disaster Recovery Be an Effective Defense Against Ransomware?

Disaster recovery (DR) is all about restoring systems post-disaster. A DR strategy can be effective against ransomware by having a plan to restore data from backups, getting operations back up and running quickly, and eliminating the need to pay a ransom because backup and disaster recovery efforts are in place.

Subscribe to the TierPoint blog

We’ll send you a link to new blog posts whenever we publish, usually once a week.