Executive Briefing
Build a ransomware recovery plan that minimises downtime and data loss with this step-by-step guide covering incident response, backup restoration, business continuity, and post-incident review.
Why Prevention Alone Isn't Enough
Every Australian business should invest in ransomware prevention -- endpoint protection, email filtering, security awareness training, and patch management. But the reality is that sophisticated attacks can and do bypass even strong defences. A single compromised credential, an unpatched vulnerability, or a convincing phishing email can give attackers the foothold they need.
"According to the ACSC Annual Cyber Threat Report, Australian organisations reported over 94,000 cybercrime incidents in the 2023-24 financial year -- a 23% increase from the previous period. The average cost of a ransomware incident for a small business exceeds $46,000, not including reputational damage and lost productivity."
A recovery plan is your insurance policy. It does not replace prevention, but it ensures that when prevention fails, your business survives.
Step 1: Build Your Incident Response Team
Before an incident occurs, you need to know exactly who does what. Your incident response team should be documented, rehearsed, and accessible -- not buried in a file on the server that is now encrypted.
Key Roles and Responsibilities
- Incident Commander: A senior leader (often the business owner or operations manager) who makes final decisions on containment, communication, and recovery priorities. This person authorises any ransom-related decisions and coordinates with external parties.
- IT Lead / Managed Service Provider: The technical lead who isolates affected systems, assesses the scope of the attack, and executes the recovery plan. If you use a managed IT provider, they fill this role and bring incident response expertise.
- Communications Lead: Manages internal and external communications -- staff updates, client notifications, regulatory reporting, and any media enquiries. This role is critical for maintaining trust and meeting legal obligations.
- Legal / Compliance Advisor: Advises on reporting obligations under the Australian Privacy Act's Notifiable Data Breaches (NDB) scheme, engages with regulators if required, and reviews any ransom payment considerations from a legal perspective.
Escalation Contact List
Create a physical (printed) contact list with phone numbers for every team member, your IT provider's emergency line, your cyber insurance broker, your legal advisor, and the ACSC reporting hotline (1300 CYBER1 / 1300 292 371). Store copies at home and in the office -- not only on your network.
Step 2: Develop Backup Restoration Procedures
Your backups are the foundation of ransomware recovery. Without reliable, tested backups, your only options are paying the ransom (with no guarantee of recovery) or rebuilding from scratch. Here is how to ensure your backups are ready when you need them.
1. Verify backup integrity regularly: Do not assume your backups work because they ran without errors. Perform a test restoration of critical files and systems at least quarterly. Document the time it takes to restore each system -- this measured figure becomes your realistic Recovery Time Objective (RTO).
2. Maintain offline or immutable backups: Ransomware increasingly targets backup systems. Keep at least one backup copy offline (air-gapped) or use an immutable backup solution that prevents deletion or encryption. Cloud backups with versioning and deletion protection provide an additional layer of safety.
3. Prioritise restoration order: Not all systems are equally critical. Document which systems must be restored first based on business impact. Typically: email and communication first, then line-of-business applications, then file storage, then secondary systems.
4. Restore to clean environments: Never restore backups onto compromised systems. Wipe or rebuild affected machines before restoring data. If you are unsure whether a system was compromised, treat it as compromised -- it is faster to rebuild than to remediate a reinfection.
5. Document your Recovery Point Objective (RPO): Understand how much data you could lose based on your backup frequency. If you back up daily, your RPO is 24 hours -- you could lose up to one day of work. If this is unacceptable, increase backup frequency for critical systems.
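The integrity check in item 1 and the restoration ordering in item 3 can both be scripted so they run the same way every quarter. The Python below is an added example, not tooling from this article or its authors: it records a SHA-256 manifest of a backup set at backup time, verifies a later copy against that manifest so deleted, overwritten or encrypted files surface before a restore is attempted, and orders systems for restoration by the tiers listed above while checking each system's measured restore time against its RTO. The directory contents, system names, restore times and RTO values are constructed sample data, and the tier names are assumptions made for this example.

```python
"""Backup readiness checks for Step 2 of a ransomware recovery plan.

Added example (not the article's own tooling). Three pieces:
  1. build_manifest  - SHA-256 digest of every file in a backup set,
  2. verify_backup   - compare a later copy against that manifest,
  3. restore_order   - sequence systems by business tier and flag any
                       whose cumulative restore time breaches its RTO.
Every path, system name and timing below is constructed sample data.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a backup copy against the manifest recorded when it was taken.

    'missing'    - in the manifest but gone from disk (deleted)
    'modified'   - on disk but digest differs (overwritten or encrypted)
    'unexpected' - on disk but not in the manifest (e.g. a dropped ransom note)
    """
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


# Restoration tiers from Step 2, item 3: lower number restores first.
# The tier keys are assumptions for this example.
TIER = {"email": 1, "line-of-business": 2, "file-storage": 3, "secondary": 4}


@dataclass
class System:
    name: str
    category: str         # key into TIER
    restore_hours: float  # measured during the last test restoration
    rto_hours: float      # agreed Recovery Time Objective for this system


def restore_order(systems: list[System]) -> list[tuple[str, float, bool]]:
    """Sequence systems by tier then restore time, assuming one restore at a
    time. Returns (name, hours elapsed when it comes back, meets_rto)."""
    plan, elapsed = [], 0.0
    for s in sorted(systems, key=lambda s: (TIER[s.category], s.restore_hours)):
        elapsed += s.restore_hours
        plan.append((s.name, elapsed, elapsed <= s.rto_hours))
    return plan


def demo() -> dict:
    """Run both checks over constructed sample data and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clients").mkdir()
        (root / "clients" / "list.csv").write_text("acme,2024-01-01\n")
        (root / "invoice-0001.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        manifest = build_manifest(root)  # recorded at backup time
        # Simulate what a tampered copy looks like at the next quarterly check:
        (root / "invoice-0001.pdf").write_bytes(b"\x00constructed-garbage")  # overwritten
        (root / "clients" / "list.csv").unlink()  # deleted
        (root / "README_RESTORE.txt").write_text("constructed note")  # unexpected file
        report = verify_backup(root, manifest)
    systems = [  # constructed: measured restore times and agreed RTOs in hours
        System("file-server", "file-storage", 6.0, 48.0),
        System("email", "email", 2.0, 4.0),
        System("crm", "line-of-business", 3.0, 4.0),
    ]
    return {"report": report, "plan": restore_order(systems)}


if __name__ == "__main__":
    result = demo()
    print("integrity report:", result["report"])
    for name, hours, ok in result["plan"]:
        print(f"{name:<12} back at hour {hours:>5.1f}  RTO met: {ok}")
```

In the constructed sample the manifest check reports one deleted file, one overwritten file and one file that should not be there, which is the state to discover during a quarterly test rather than during an incident. The ordering check shows why measured restore times matter: restoring one system at a time, the CRM comes back at hour 5 although its own restore takes only 3 hours, so it misses a 4-hour RTO. That is the kind of figure item 1 asks you to record, and the remedy is either a shorter restore, a longer agreed RTO, or restoring in parallel.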
Step 3: Create a Business Continuity Plan
While your IT team works on restoring systems, your business still needs to operate. A business continuity plan defines how your team keeps working during the recovery window.
Identify Critical Business Functions
List every business function and classify it by urgency:
- Critical (must operate within hours): Customer-facing services, payment processing, essential communications
- Important (must operate within days): Invoicing, project management, internal reporting
- Deferrable (can wait a week or more): Marketing, non-urgent administration, long-term planning
Manual Workarounds
For each critical function, document a manual workaround. Can your team take orders by phone and write them on paper? Can invoices be generated from personal devices using a cloud-based accounting tool? Can client communications continue via personal mobile phones? These workarounds do not need to be elegant -- they need to keep your business operational.
Important Note
Under the Australian Privacy Act's Notifiable Data Breaches (NDB) scheme, if the ransomware incident involves access to or loss of personal information, you may be required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals. This notification must occur within 30 days of becoming aware of the breach. Failure to report a notifiable breach can result in significant penalties.
Step 4: Establish Communication Protocols
Clear, timely communication during a ransomware incident protects your reputation and maintains trust. Poorly handled communications can cause more lasting damage than the attack itself.
Internal Communications
1. Notify staff immediately: Tell your team what has happened, what they should and should not do (do not turn on or connect devices), and where to get updates. Use a communication channel outside your compromised network -- a personal WhatsApp group, SMS, or phone calls.
2. Provide regular updates: Even when there is nothing new to report, send brief status updates every few hours. Silence breeds anxiety and rumour.
External Communications
1. Notify affected clients: If client data may have been accessed, notify them promptly with clear information about what happened, what data was involved, and what you are doing about it. Transparency builds trust.
2. Report to regulators: Report the incident to the ACSC via ReportCyber (cyber.gov.au). If personal data was breached, notify the OAIC under the NDB scheme. Your legal advisor can help determine reporting obligations.
3. Engage your cyber insurance provider: Contact your cyber insurance broker immediately. Most policies require prompt notification and may provide access to incident response specialists, forensics teams, and legal counsel as part of your coverage.
Step 5: Plan for Post-Incident Review and Insurance
Once systems are restored and normal operations resume, the work is not over. A thorough post-incident review strengthens your defences and helps you recover costs through insurance.
Forensic Investigation
Determine how the attackers gained access, what systems were compromised, and whether data was exfiltrated (stolen) in addition to being encrypted. This investigation informs your remediation efforts and is often required by your cyber insurance provider. Your cyber security team or a specialist forensics firm can conduct this analysis.
Lessons Learned
1. Document what worked: Which parts of your recovery plan functioned as expected? What processes saved time or prevented further damage?
2. Document what failed: Where did the plan break down? Were backups as reliable as assumed? Was the escalation process clear? Did communication channels work?
3. Update your plan: Incorporate lessons learned into an updated recovery plan. Close the security gaps that allowed the attack. Increase backup frequency if the RPO was too long. Add missing contacts to the escalation list.
Insurance Claims Process
Cyber insurance can cover incident response costs, business interruption losses, data recovery expenses, regulatory fines, and legal fees. To maximise your claim, document everything from the moment the incident is detected: timestamps, decisions made, costs incurred, and business impact. Keep all invoices from third-party specialists and detailed records of staff time spent on recovery.
How We Researched This Article
This article was compiled using information from authoritative industry sources to ensure accuracy and relevance for Australian businesses.
Sources & References
- ACSC Ransomware Prevention and Response Guidance: Australian Cyber Security Centre guidance on preventing and responding to ransomware attacks
- NIST Cybersecurity Framework: US National Institute of Standards and Technology framework for cybersecurity risk management, including incident response and recovery functions
- CISA StopRansomware: US Cybersecurity and Infrastructure Security Agency resource hub for ransomware prevention and recovery
- OAIC Notifiable Data Breaches Scheme: Office of the Australian Information Commissioner guidance on mandatory data breach notification obligations under the Privacy Act
- ACSC Annual Cyber Threat Report 2023-2024: Annual report on cyber threats and incident statistics affecting Australian organisations
* Information is current as of the publication date. Cybersecurity guidelines, regulatory obligations, and best practices evolve regularly. We recommend verifying current recommendations with the original sources.
Frequently Asked Questions
We recommend testing your recovery plan at least twice a year. This includes a full backup restoration test (restoring critical systems to verify they work) and a tabletop exercise (walking through the incident response plan with your team to identify gaps). If your business undergoes significant changes -- new systems, new staff, or new premises -- test the plan again after those changes.
Recovery Time Objective (RTO) is how quickly you need a system back online after an incident. Recovery Point Objective (RPO) is how much data loss you can tolerate, determined by your backup frequency. For example, if you back up every 24 hours, your RPO is 24 hours -- you could lose up to one day of data. A shorter RPO requires more frequent backups, which increases cost but reduces potential data loss.
Most cyber insurance policies cover ransomware incidents, including incident response costs, business interruption losses, data recovery, and legal fees. However, coverage varies significantly between providers and policies. Some policies exclude ransom payments, and many require you to demonstrate basic security controls (such as MFA and backup procedures) to maintain coverage. Review your policy carefully and discuss coverage with your broker.
The ACSC and law enforcement agencies strongly advise against paying ransoms. Payment does not guarantee you will recover your data, it funds criminal organisations, and it makes you a target for repeat attacks. If you have reliable backups, you should not need to pay. If you are considering payment as a last resort, seek legal advice first -- there may be sanctions or legal implications depending on who the attackers are.
If the ransomware incident involves access to or loss of personal information and the breach is likely to result in serious harm, you are required to notify the OAIC under the Notifiable Data Breaches (NDB) scheme within 30 days. Additionally, the ACSC recommends reporting all cyber incidents via ReportCyber at cyber.gov.au, regardless of whether personal data was involved. Reporting helps the ACSC track threats and may result in assistance for your business.