Ransomware is no longer a question of if — it is a question of when, how prepared you are, and how fast you recover. Sophos, Coveware, and IBM all report that the average SMB experiences a ransomware-related event within a five-year window, and the median ransom demand crossed $1.5 million in 2025. The businesses that survive are not the ones that avoid the attack — they are the ones that detected it within hours, contained it within a day, and recovered without paying. This guide is the practical playbook for getting your organization to that outcome.

Why Ransomware Looks Different in 2026
The threat has matured significantly since the WannaCry days:
- Double and triple extortion. Modern operators steal data first, then encrypt. They demand a ransom for the decryption key and a separate ransom to not publish stolen files. Some now also threaten customers and regulators directly.
- Initial access brokers. Specialized groups sell pre-compromised network access on dark-web markets — credentials, VPN access, vulnerable appliances. A separate ransomware affiliate then buys access and executes.
- Faster dwell-to-encryption. Median time from initial access to encryption fell from 5+ days in 2020 to under 24 hours by 2025. Some affiliates encrypt within hours.
- Backup-aware operators. Modern ransomware groups specifically search for and destroy backups before launching encryption. Immutable, offsite backups are now the difference between recovery and capitulation.
- Targeted victim selection. Operators research victim ability to pay and regulatory exposure. Healthcare, legal, and financial-services SMBs are disproportionately targeted because of HIPAA / state breach notification leverage.
Before the Attack — The Controls That Decide the Outcome
The single biggest determinant of ransomware recovery cost is the strength of your pre-attack controls. The seven below are the highest-leverage:
| Control | What It Does | Recovery Impact |
|---|---|---|
| Immutable, offsite backups (3-2-1-1-0) | Cannot be deleted by an attacker, even with admin credentials | Decides whether you can recover without paying |
| EDR/MDR with 24×7 SOC | Detects pre-encryption activity (lateral movement, privilege escalation) | Cuts dwell time from days to hours |
| Phishing-resistant MFA on email + admins | Stops the most common initial access vector | Prevents most attacks from starting at all |
| Network segmentation | Limits the blast radius once an attacker is in | Reduces scope of recovery from “whole company” to “one segment” |
| Patching SLA (critical <14 days) | Closes the appliance/server CVEs initial-access brokers exploit | Prevents the second-most-common initial vector |
| Privileged access management + LAPS | Stops one phished credential from becoming domain-wide admin | Limits encryption scope dramatically |
| Tested incident response plan | Defines who does what, when, with what authority | Cuts response time from 48+ hours to under 24 |
If your organization is missing more than two of these, focus on the gaps before reading the rest of this guide. The post-attack playbook only works if these are in place.
The 6 Phases of Ransomware Response
NIST SP 800-61 defines incident handling as a four-phase model. For ransomware specifically, we extend it into six phases that map to what actually happens in the room:
| Phase | Goal | Typical Duration | Key Decisions |
|---|---|---|---|
| 1. Detect & Triage | Confirm incident; assess scope | 1–4 hours | Is this ransomware? What systems are affected? Has data left? |
| 2. Contain | Stop the spread; preserve evidence | 2–8 hours | Network isolation; account disabling; preserving forensic state |
| 3. Eradicate | Remove attacker access; close the gap | 1–4 days | Identity rotation; patching; clean rebuilds; firewall changes |
| 4. Recover | Restore systems; bring users back online | 3–14 days | Restore order; data integrity verification; staged user re-enrollment |
| 5. Notify | Regulatory and contractual disclosure | 1–60 days (legally bound) | State breach laws, HIPAA OCR, SEC, customer contracts, cyber carrier |
| 6. Lessons Learned | Hardening; root cause; revised playbook | 2–4 weeks | What worked, what failed, what to fix permanently |
Phase 1 — Detect & Triage (the first 4 hours)
The first signals of ransomware are often subtle and easy to dismiss: a user complaining about slow file access, an EDR alert about unusual PowerShell, a backup job failing without explanation, a help desk ticket about strange file extensions appearing on a shared drive. Train your help desk and your SOC to escalate these immediately. The first 4 hours of focused triage decide whether you contain a single segment or watch the whole environment encrypt.
- Confirm the incident. Verify with EDR, file shares, and at least two independent signals before declaring.
- Identify scope. Which endpoints, servers, file shares, cloud tenants, identity providers are showing IoCs?
- Open the bridge. Stand up a dedicated communications channel (typically a separate Teams/Slack workspace or out-of-band conference bridge) for the IR team.
- Notify the cyber carrier. Most policies require notification within 24–72 hours. The carrier’s panel often includes incident response, forensics, and legal.
- Engage legal and forensics. Outside counsel often runs IR under privilege; forensics preserves evidence.
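A detection rule for one of the early signals above, strange file extensions appearing on a shared drive, as an added example (not code from the guide): it runs over constructed, simplified file-server audit lines and alerts when one account renames many files to an extension outside the share's baseline within a minute. The log format, baseline extension set and threshold are assumptions.

```python
"""Flag ransomware-like mass renames on a file share (added example, not from the
guide). Log format is a constructed, simplified file-server audit record:
    <ISO timestamp> <user> <action> <path> [-> <new path>]"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

BASELINE_EXTS = {".xlsx", ".docx", ".pdf", ".pptx", ".csv", ".txt"}  # hypothetical share baseline
WINDOW = timedelta(seconds=60)  # sliding window per user
THRESHOLD = 5                   # suspicious renames inside the window before alerting

# Constructed sample: alice renames many files to a new extension; bob's activity is benign.
SAMPLE_LOG = """\
2026-03-04T09:12:03 bob RENAME //fs01/finance/draft.docx -> //fs01/finance/final.docx
2026-03-04T09:12:05 alice RENAME //fs01/finance/q1.xlsx -> //fs01/finance/q1.xlsx.lkd
2026-03-04T09:12:06 alice RENAME //fs01/finance/q2.xlsx -> //fs01/finance/q2.xlsx.lkd
2026-03-04T09:12:06 alice RENAME //fs01/finance/plan.pdf -> //fs01/finance/plan.pdf.lkd
2026-03-04T09:12:07 alice RENAME //fs01/finance/notes.txt -> //fs01/finance/notes.txt.lkd
2026-03-04T09:12:09 alice RENAME //fs01/finance/deck.pptx -> //fs01/finance/deck.pptx.lkd
2026-03-04T09:12:10 alice RENAME //fs01/finance/ar.csv -> //fs01/finance/ar.csv.lkd
"""

def parse_line(line):
    """Return (timestamp, user, action, src, dst_or_None) for one record."""
    ts, user, action, rest = line.split(" ", 3)
    src, _, dst = rest.partition(" -> ")
    return datetime.fromisoformat(ts), user, action, src, (dst or None)

def suspicious_rename(src, dst):
    """True when a rename changes the extension to one outside the baseline."""
    new_ext = os.path.splitext(dst)[1].lower()
    return new_ext != os.path.splitext(src)[1].lower() and new_ext not in BASELINE_EXTS

def detect_mass_renames(log_text, threshold=THRESHOLD, window=WINDOW):
    """One alert per user whose suspicious renames reach the threshold inside the window.
    first_seen is what triage needs to scope the incident and later pick a restore point."""
    recent, alerts = defaultdict(deque), {}
    for line in filter(str.strip, log_text.splitlines()):
        ts, user, action, src, dst = parse_line(line)
        if action != "RENAME" or not suspicious_rename(src, dst):
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop renames that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = {"user": user, "count": len(q), "first_seen": q[0].isoformat(),
                            "new_ext": os.path.splitext(dst)[1].lower()}
    return list(alerts.values())
```

In production the same logic would consume SMB audit events from the file server or EDR, and a canary file nobody should touch makes a cheap additional trigger.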
Phase 2 — Contain (hours 4–12)
Containment is about stopping the spread without destroying the evidence you will need. Common containment actions:
- Network segmentation. Disable affected VLANs, block C2 destinations at the firewall, drop non-essential VPN sessions.
- Identity rotation begins. Disable compromised accounts; rotate service-account passwords; revoke OAuth tokens.
- Endpoint isolation. Use EDR to isolate suspect hosts (still allows IR team access while blocking other network traffic).
- Cloud tenant lockdown. Force sign-out across Microsoft 365 / Google Workspace; disable conditional-access exclusions; lock admin actions.
- Backup posture. Verify immutable backups are intact. Disconnect backup networks from production to prevent attacker pivot.
Common mistake at this phase: powering off infected machines. This destroys the volatile memory artifacts forensics needs to determine the attack vector. Use EDR isolation instead: it keeps the host reachable for analysts while blocking lateral movement.

Phase 3 — Eradicate (day 1–4)
Eradication closes the door behind the attacker. The minimum eradication checklist:
- Identify and patch the initial access vector (credential theft, vulnerable VPN, public RDP, malicious email)
- Reset every privileged credential — domain admin, global admin, root, service accounts, KRBTGT account (twice)
- Re-issue MFA factors; revoke all current MFA tokens; disable inactive admin accounts
- Rebuild any system that ran adversary tooling; do not “clean” — wipe and rebuild
- Update EDR signatures and detection rules to catch the specific tooling observed
- Review firewall rules and remove any attacker-introduced changes
Phase 4 — Recover (day 3–14)
Recovery returns systems and users to operation in a deliberate, prioritized order. Recovery sequence matters — restore identity systems first, then collaboration, then production workloads, then user devices.
| Order | System | Why First |
|---|---|---|
| 1 | Active Directory / Entra ID identity | Everything else depends on identity working cleanly |
| 2 | DNS, DHCP, certificate services | Foundation for every other service |
| 3 | Email and collaboration (M365, Workspace) | Restores ability to communicate during recovery |
| 4 | File shares | Highest-touch user surface |
| 5 | Critical line-of-business apps | Per business priority — finance, EHR, ERP, etc. |
| 6 | Endpoint reimaging in waves | Staged user re-enrollment with new credentials and MFA factors |
| 7 | Non-critical and dev/test systems | Last; often used for verification |
Always restore to known-clean dates before encryption began. Most operators dwell silently for 24–72 hours; restoring to “yesterday” can re-introduce attacker persistence. Cross-check restore point integrity using EDR or hash comparisons before bringing users back.
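The restore-point rule above, as an added example (not the guide's code): it picks the newest snapshot taken before the earliest confirmed attacker activity rather than before encryption, and checks restored files against a pre-incident hash manifest. Snapshot names and times, the forensic timeline and the manifest are all constructed.

```python
"""Choose a known-clean restore point and verify restored files against a known-good
hash manifest (added example, not from the guide). Snapshot names, times, the forensic
timeline and the manifest are all constructed."""
import hashlib
from datetime import datetime, timedelta

# Constructed snapshot catalogue: snapshot name -> time taken (ISO 8601, UTC).
SNAPSHOTS = {
    "fs01-2026-03-01T02:00": "2026-03-01T02:00:00",
    "fs01-2026-03-02T02:00": "2026-03-02T02:00:00",
    "fs01-2026-03-03T02:00": "2026-03-03T02:00:00",
    "fs01-2026-03-04T02:00": "2026-03-04T02:00:00",
}
# Constructed forensic timeline: encryption began the morning of 03-04, but the
# earliest confirmed attacker activity (first IoC) was the evening of 03-02.
ENCRYPTION_START = "2026-03-04T09:12:00"
FIRST_IOC = "2026-03-02T22:40:00"

def select_restore_point(snapshots, first_activity, margin=timedelta(0)):
    """Newest snapshot taken strictly before first confirmed attacker activity, less
    an optional safety margin. Anchoring on the first IoC rather than on the start
    of encryption is what keeps attacker persistence out of the restored image."""
    cutoff = datetime.fromisoformat(first_activity) - margin
    clean = {name: datetime.fromisoformat(t) for name, t in snapshots.items()
             if datetime.fromisoformat(t) < cutoff}
    return max(clean, key=clean.get) if clean else None

def verify_restored(restored, manifest):
    """Compare restored file bytes with a known-good SHA-256 manifest captured before
    the incident. Returns paths grouped as ok / mismatch / missing."""
    result = {"ok": [], "mismatch": [], "missing": []}
    for path, expected in manifest.items():
        if path not in restored:
            result["missing"].append(path)
            continue
        digest = hashlib.sha256(restored[path]).hexdigest()
        result["ok" if digest == expected else "mismatch"].append(path)
    return result

# Constructed pre-incident manifest and the contents actually restored from the snapshot.
_ORIGINALS = {"finance/q1.xlsx": b"quarter one figures",
              "finance/plan.pdf": b"original plan",
              "finance/ar.csv": b"receivables"}
MANIFEST = {p: hashlib.sha256(b).hexdigest() for p, b in _ORIGINALS.items()}
RESTORED = {"finance/q1.xlsx": b"quarter one figures",   # intact
            "finance/plan.pdf": b"altered plan"}           # changed; ar.csv absent
```

Anchoring on ENCRYPTION_START instead of FIRST_IOC selects the 03-04 snapshot, which is the "yesterday" restore the paragraph above warns against.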
Phase 5 — Notify (day 1–60, regulator-bound)
Notification timelines are set by law, not by you. The most common regimes for U.S. SMBs:
| Regime | Trigger | Timeline |
|---|---|---|
| HIPAA Breach Notification Rule | Unsecured PHI compromised > 500 individuals | HHS within 60 days; affected individuals within 60 days; media if > 500 in a state |
| State breach notification laws (all 50 states) | Personal information of state residents | Varies — most “without unreasonable delay,” some 30 or 45 days; some require AG notice |
| SEC cybersecurity disclosure (public companies) | Material cybersecurity incident | Form 8-K within 4 business days |
| FTC Safeguards Rule | Unauthorized acquisition of customer information at financial institutions | FTC within 30 days for incidents affecting 500+ consumers |
| Cyber insurance carrier | Any incident likely to lead to a claim | Per policy — typically 24–72 hours |
| Customer contracts / DPAs | Per contract | Often 24–72 hours |
This is the phase where outside counsel earns its keep. Notifications are legally binding statements; getting language wrong can amplify liability. Have counsel review every customer-facing communication before it goes out.
Phase 6 — Lessons Learned (week 3–6)
Every incident produces a forensics report. The discipline is to convert that report into permanent hardening. A productive lessons-learned cycle includes:
- Root-cause confirmation — exactly how the attacker got in, how they escalated, and how they reached the encryption stage
- Detection gap analysis — what signals existed but were not actioned, and what telemetry was missing
- Control updates — specific changes to EDR rules, conditional access policies, segmentation, patching SLAs
- Tabletop revision — replay the incident in tabletop format and harden the playbook
- Vendor and contract review — did the cyber carrier respond well? Did the IR firm? The MSP?
- Board / executive briefing — translate findings into business risk, budget asks, and policy changes
To Pay or Not to Pay
The decision to pay a ransom is legal, ethical, financial, and strategic — and it is increasingly fraught. Considerations:
- OFAC sanctions risk. Paying a sanctioned entity (some ransomware groups are designated) is a federal violation. Always run the wallet and group through OFAC sanctions screening before paying.
- Insurance constraints. Some policies restrict ransom reimbursement; some carriers exclude it entirely; most require their approval and use of their negotiator.
- Decryption reliability. Coveware reports that paid decryption keys recover roughly 60–70% of data on average. Some operators provide non-functional or partial decryptors.
- Re-victimization. Organizations that pay are statistically more likely to be attacked again, often by the same group or affiliates.
- Stolen data. Even if you have backups and do not need decryption, paying may not stop publication of exfiltrated data — operators often publish anyway.
The strong default position for U.S. SMBs is to recover from backups rather than pay. The exception is when business-critical data with no backup has been exfiltrated and publication would be terminal — and even then, the decision is made jointly with counsel, the carrier, and law enforcement.
Communications During an Incident

| Audience | Owner | What They Need |
|---|---|---|
| Executive leadership / Board | CEO + CIO/CISO | Scope, financial impact, regulatory exposure, recovery ETA |
| Employees | HR + Communications | What they cannot use, what to say (or not say), how to verify “real” IT requests |
| Customers | Customer Success + Legal | What was affected, what is being done, when service will return |
| Regulators | Legal + Compliance | Per regime — see notification table |
| Cyber carrier | Legal + IT | Initial notice, then ongoing scope updates |
| Media (if applicable) | Communications + outside PR | Pre-approved statement only; never improvise |
| Law enforcement | Legal + Executive | FBI IC3 / local field office; voluntary but often beneficial |
Common Mistakes
- Powering off systems instead of using EDR isolation — destroys forensic evidence
- Restoring the day before encryption began — typically reintroduces attacker persistence
- Not engaging counsel and forensics under privilege — voluntarily creating discoverable internal documents
- Failing to rotate the KRBTGT password (twice) — leaves Golden Ticket attack potential intact
- Telling the carrier after acting — many carriers void coverage if not engaged within their notification window
- Promising customers a recovery ETA before forensics scopes the impact — sets up reputational fallout
- Letting the helpdesk reset compromised users back to old passwords — re-arms the attacker
Recovery Cost Reality
| Cost Bucket | Typical Range (SMB) |
|---|---|
| Forensics and incident response firm fees | $50k – $400k |
| Outside counsel | $25k – $200k |
| Notification (mail, call center, credit monitoring) | $5–$20 per affected individual |
| Regulatory fines (HIPAA, FTC, state AG) | $50k – $5M depending on scope and findings |
| Class-action defense and settlement | $100k – several million |
| Operational downtime (revenue loss) | 3–14 days × daily revenue impact |
| Ransom (if paid) | $50k – $5M+ for SMBs; median $1.5M in 2025 |
| Long-tail premium increases (cyber insurance) | +50–200% at next renewal |
The takeaway: the ransom — even if paid — is rarely the largest cost. Most of the real expense is forensics, legal, notification, regulatory, and class-action defense. This is exactly why robust pre-attack controls and a tested response plan have such enormous ROI.
Frequently Asked Questions
How long does ransomware recovery typically take?
For an SMB with strong backups and a tested IR plan, 3–7 days to restore core operations and 2–4 weeks for full normalization. For organizations with weak backups or no IR plan, 4–8 weeks is common, and a meaningful percentage never fully recover their pre-incident state.
Should we contact the FBI?
Yes — voluntary reporting to the FBI’s Internet Crime Complaint Center (IC3) or your local field office is generally beneficial. The FBI may have decryption keys for known variants, can share threat intelligence on the operator, and engagement may help with regulatory posture later. They will not seize your systems or take over your business.
Can our MSP run the IR for us?
An MSP can — and should — be on the bridge during an incident, but the deep forensics work usually goes to a specialized DFIR firm (CrowdStrike, Kroll, Mandiant, Arete, etc.). The MSP runs the recovery and the day-to-day operations. The DFIR firm provides court-defensible forensics. Your cyber carrier’s panel typically includes a vetted DFIR firm.
How do we know data was exfiltrated?
Forensics will analyze egress traffic, cloud audit logs, EDR file-access patterns, and any tooling left behind. Modern operators almost always exfiltrate before encryption — and increasingly post sample data on their leak site as proof. Assume exfiltration occurred until forensics confirms otherwise.
Are SaaS-only companies safer from ransomware?
Less exposed to traditional file-encryption ransomware, but not safer. SaaS-focused operators target Microsoft 365 / Google Workspace tenants — encrypting OneDrive / SharePoint files, mass-deleting mailboxes, and exfiltrating data via OAuth-based applications. The control set differs (focus on cloud audit logs, OAuth app review, conditional access) but the playbook above still applies.
What if backups also got encrypted?
This is the worst case and unfortunately not rare. Options narrow to: pay (with all the caveats above), rebuild from offline media or third-party copies, accept partial data loss, or in regulated industries, trigger continuity-of-business protocols. The lesson is upstream: immutable, offsite, recently-tested backups are not optional.
Who runs the response inside our company?
An incident commander is named in your IR plan — typically the CIO, CISO, or VP IT for SMBs. They have authority to declare an incident, engage the carrier, and direct cross-functional response. Below them, you have technical leads, communications lead, legal lead, and a scribe documenting decisions for later review.
Bottom Line
Ransomware is a survivable event for organizations that prepared. Strong pre-attack controls (especially immutable backups, EDR/MDR, MFA, segmentation) determine whether you have a bad week or a six-month recovery. A tested, named, rehearsed incident response plan determines whether the response is coherent or chaotic. Notification compliance determines whether the regulatory cost is a fine or an existential one. None of this is optional in 2026, and none of it is impossible to assemble.
Need help building or testing your ransomware response plan? ACS develops, documents, and rehearses incident response plans for U.S.-based SMBs and mid-market firms across healthcare, legal, and financial services. Contact us for a tabletop exercise or full IR plan engagement.