The ransomware recovery process takes longer than you think

Ransomware Recovery Process

Ransomware recovery time frames vary wildly. In the very best circumstances, where the infection is contained, disaster recovery plans have been religiously tested and the decryptor runs without a hiccup, some companies can get their systems up and running within a couple of days.

But that’s rare. On average, organizations that have been impacted by ransomware face 21 days of downtime1. In some instances, the recovery process can drag on for months.

Companies routinely underestimate the time involved with resolving a ransomware incident. While it’s easy to fall into the trap of thinking that recovery simply involves restoring the system from backups or, less desirably, paying the attacker for decryption, the truth is that there are a lot of variables that can prolong the recovery process.

In this blog post, we discuss why it almost always takes longer than expected for businesses to recover from a ransomware attack.

1. Lack of documentation

Lack of documentation is often a major cause of time loss during recovery. Many organizations work with antiquated systems or services for which the documentation is outdated, inaccurate or simply non-existent.

Without effective documentation, IT personnel are forced to improvise response procedures during what is sure to be a confusing and uncertain time, which will almost certainly result in errors and inefficiencies. Infections may be improperly contained, data may be compromised unnecessarily and compliance requirements may be overlooked. Depending on the maturity of the company’s IT team, this may be the first time personnel have been exposed to a large-scale cybersecurity incident.

2. Inadequate testing

Developing a clearly defined incident response plan is an essential part of any ransomware recovery plan. But it’s not enough to simply have a documented plan. Recovery strategies also need to be tested regularly to ensure that staff understand current security procedures and know exactly what to do and who to report to in the event of an incident.

For example, simulating a ransomware event via tabletop exercises can be a valuable way to gauge a company’s ransomware readiness and reveal holes in the recovery plan that can be strengthened accordingly. More than half (57 percent) of companies have not tested their disaster recovery plan within the past two months, according to a Veritas report.

3. Forensic investigation process

Before systems can be restored, the impacted company must undertake a comprehensive investigation in order to understand the extent of the attack and how the system was compromised.

Because the attack chain may have started weeks or even months ago, conducting a thorough analysis can be extremely time-consuming and may require the assistance of external digital forensic specialists, which can further draw out the recovery process.

4. Poor decryptor performance

Recovery can also be hindered by poor decryptor performance. Companies should be mindful that attacker-provided decryptors often do not work as advertised and, consequently, the total recovery time may be substantially longer than expected. In some instances, the decryptor may contain bugs that irrecoverably corrupt data during the decryption process.

5. Communication

While recovery is largely a technical undertaking, it also requires a lot of communication with internal staff as well as external service providers that may be brought on to assist with the incident:

6. Rebuilding and strengthening the system

Technically speaking, recovery is complete once the impacted systems have been restored and the organization is back up and operational.

However, “operational” isn’t the same as “secure”. To prevent similar events from occurring again in the future, companies will need to invest significant time in strengthening their security processes, resolving vulnerabilities and improving response procedures, based on the findings of the forensic analysis.

Investing in a proven antivirus solution like Emsisoft Business Security can help organizations reliably detect and stop ransomware threats before encryption can take place

1 Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial


Emsisoft Malware Lab

Emsisoft Malware Lab

The Lab team is a group of cybersecurity researchers whose mission is to enhance protection in Emsisoft products, help organizations respond to security incidents and create analysis that helps decision-makers understand the threat landscape.

What to read next