ransomwareready

Building a ransomware recovery plan that works under pressure

Updated 2026-07-06 2 min read

When ransomware hits, the organisations that recover fastest aren’t the luckiest — they’re the ones who decided what to do in advance. A recovery plan turns chaos into a checklist.

Decide the roles before the crisis

Name who leads the response, who can authorise major decisions (like taking systems offline), and who owns technical, legal and communications tasks. In an incident there’s no time to work out the org chart.

The core phases

  1. Detect & declare — recognise the incident and formally trigger the plan.
  2. Contain — isolate affected systems and networks to stop the spread.
  3. Assess — determine what was accessed, encrypted and exfiltrated.
  4. Notify — meet legal and regulatory obligations, including tight reporting clocks.
  5. Recover — restore from clean, offline backups in a prioritised order.
  6. Review — learn from it and close the gaps that let it happen.

Communications and legal

Prepare holding statements for staff, customers and regulators, and know your reporting deadlines in advance — under NIS2, in-scope entities must submit an early warning within 24 hours of a significant incident. Line up legal counsel and, where relevant, law enforcement and your cyber-insurer.

Restore in the right order

  • Prioritise the systems the business needs most to function.
  • Restore to a known-clean environment — don’t reinfect from a compromised image.
  • Verify integrity before reconnecting to production.
  • Confirm the entry point is closed before bringing systems back online.

Rehearse it

A plan you’ve never run is a guess. Tabletop the scenario at least annually with the real decision-makers, and adjust based on what breaks. Rehearsal is what makes the plan fast and calm when it’s real.

FAQ

Related questions

What should a ransomware recovery plan include?

Defined roles and decision-makers, containment steps, an assessment process, legal and regulatory notification (including reporting deadlines), a prioritised restore procedure from offline backups, and a post-incident review.

How fast must we report a ransomware incident?

It depends on your jurisdiction and sector. Under the EU NIS2 Directive, in-scope organisations must submit an early warning within 24 hours of becoming aware of a significant incident, with fuller reports following.

Why rehearse the plan?

Because a plan that has never been tested tends to fail under real pressure. A tabletop exercise reveals gaps, clarifies decisions and makes the response faster and calmer during an actual incident.