So, you’ve been hit by ransomware. What happens next?

Ransomware isn’t a future problem – it’s a right-now business reality.

In 2025, most organisations understand the risk. Cybercriminals go after businesses that rely on their data to operate – and that appear capable of paying to get it back. If your systems matter to your customers, your staff, and your cash flow, they matter to attackers too.

The good news? While ransomware attacks are disruptive, they don’t have to be devastating – if you’re prepared.

The most resilient organisations aren’t the ones with the fanciest technology. They’re the ones that have a clear plan, strong leadership, and the confidence to act quickly when something goes wrong.

And that plan isn’t just for IT.

When ransomware strikes, everyone needs to know their role – from senior leadership to frontline teams. Speed, clarity, and decisiveness are what separate a short-term crisis from long-term damage.

Eight essential steps to ransomware recovery

1. Activate your Cyber Security Incident Response Plan (CSIRP)

Every organisation should have a documented Cyber Security Incident Response Plan – a practical playbook for when the pressure is on.

This isn’t about ticking compliance boxes. It’s about knowing who makes decisions, who communicates, and what happens first, second, and third. The organisations that recover fastest are the ones that don’t waste time debating what to do – they already know.

If a formal plan doesn’t yet exist, this guide is a strong starting point. But the most effective plans are built with a trusted managed IT or security partner who understands how your business actually operates. 

2. Call your insurance provider & managed security or IT provider – immediately

If you work with a managed IT or security provider, they should be your first call.

In many cases, reputable providers will already have detected suspicious activity before ransomware fully deploys. From there, they work alongside your team to investigate, contain the threat, and activate recovery steps.

This is not the moment to go it alone. Calm, expert guidance early can save days – even weeks – of disruption later.

3. Contain the incident and gather the facts

At this stage, the priority is control.

You know something has happened – but not yet the full story. The focus should be on isolating affected systems, preventing further spread, and gathering accurate information, including:

  • Which systems and devices are impacted
  • Whether data has been encrypted, accessed, or exfiltrated
  • System logs that reveal how the attackers entered
  • The type and variant of ransomware involved

This investigative phase informs every decision that follows – from recovery to reporting.

4. Report the incident to the Australian Federal Police (AFP)

Australian authorities strongly encourage businesses to report ransomware attacks as early as possible.

Early reporting gives law enforcement the best chance to disrupt criminal activity, gather evidence, and potentially protect other organisations from the same attackers – even when they operate offshore.

Your IT or security partner can help guide this process and ensure the right information is provided.

5. Communicate clearly with stakeholders and meet breach obligations

Transparency matters – legally and reputationally.

Under Australia’s Notifiable Data Breach scheme, organisations are often required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals within 30 days – and sooner where possible.

Customers must be told:

  • Who was affected
  • What happened
  • What information was involved
  • What steps they should take next

Clear, timely communication builds trust – even in difficult moments. Silence or delay does the opposite.

6. Recover data – carefully, not recklessly

Restoring systems isn’t as simple as switching everything back on.

Ransomware recovery typically takes weeks, not days. Many organisations experience reinfection because compromised data is restored without proper scanning or staging.

That’s why modern recovery strategies prioritise immutable backups and verified restoration processes.

A widely accepted best-practice approach is the 3-2-1-1-0 rule:

  • 3 copies of your data
  • Stored on 2 different media
  • With 1 copy kept off-site
  • 1 copy offline or immutable
  • And 0 errors – verified through testing

When done properly, this approach gives organisations real confidence – not hope – during recovery.
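An added example (not from the original article) that audits a backup inventory against each part of the 3-2-1-1-0 rule above. The `DataCopy` fields and the sample inventories are constructed for illustration. Counting the production copy toward the three copies, and treating a backup that has never been restore-tested as failing the "0 errors" part, are assumptions made here.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DataCopy:
    name: str
    media: str                     # "disk", "tape", "object-storage", ...
    offsite: bool                  # held away from the primary site
    offline_or_immutable: bool     # air-gapped, or write-once / object-locked
    restore_errors: Optional[int]  # errors in last restore test; None = never tested
    is_production: bool = False    # the live copy; it is not restore-tested


def check_3_2_1_1_0(copies):
    """Evaluate an inventory against each part of the rule; returns {rule: bool}."""
    backups = [c for c in copies if not c.is_production]
    return {
        "3 copies": len(copies) >= 3,
        "2 media": len({c.media for c in copies}) >= 2,
        "1 off-site": any(c.offsite for c in backups),
        "1 offline or immutable": any(c.offline_or_immutable for c in backups),
        # Untested backups fail: "0 errors" has to be verified, not assumed.
        "0 errors": bool(backups) and all(c.restore_errors == 0 for c in backups),
    }


def failures(copies):
    """Names of the rule parts the inventory does not meet, in rule order."""
    return [rule for rule, ok in check_3_2_1_1_0(copies).items() if not ok]


# Constructed sample inventories (not real systems).
WEAK = [
    DataCopy("prod-fileserver", "disk", False, False, None, is_production=True),
    DataCopy("nas-nightly", "disk", False, False, 0),
    # A writable cloud sync: off-site, but not immutable and never restore-tested.
    DataCopy("cloud-sync", "object-storage", True, False, None),
]
HARDENED = [
    DataCopy("prod-fileserver", "disk", False, False, None, is_production=True),
    DataCopy("nas-nightly", "disk", False, False, 0),
    DataCopy("cloud-locked", "object-storage", True, True, 0),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, failures(inventory) or "meets 3-2-1-1-0")
```

The weak inventory passes the first three parts yet still fails: its only off-site copy is writable and has never been restored in a test.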

7. Decide on ransom payments with eyes wide open

The decision to pay a ransom is complex, emotional, and high-stakes.

While fewer organisations are paying ransoms than in previous years, payment still doesn’t guarantee full data recovery – or prevent future attacks. Insurance coverage is also becoming more restrictive and conditional.

What’s clear is this: organisations with strong backups and tested recovery plans are far less likely to feel cornered into paying at all.

Preparation creates choice. Choice creates leverage.

8. Learn, strengthen, and move forward

Once systems are stable, the real work begins.

Understanding how attackers gained access – and why – is essential. With the help of security experts and law enforcement, organisations can identify weaknesses, close gaps, and strengthen defences.

The most successful businesses treat ransomware not as a failure – but as a turning point. An opportunity to improve resilience, sharpen processes, and build confidence for the future.

From disruption to resilience

Ransomware may be relentless – but it’s not unbeatable.

Organisations that prepare, test, and lead decisively can recover faster, protect their reputation, and continue moving forward with confidence.

With the right planning, partnerships, and mindset, ransomware doesn’t have to define your business. How you respond does.

And that’s where resilience really begins.