Ransomware Recovery: Options and Best Practices

Ransomware recovery isn’t something to be taken lightly.

The average total cost of a ransomware breach is $4.62 million. It includes ransom payouts, loss of business, and investigating and reporting incidents to relevant parties. Moreover, the world saw an alarming 105% surge in ransomware attacks last year.

It only goes to show that it isn’t a matter of if, but rather when a ransomware attack will take place.

It’s crucial for businesses to bake ransomware recovery into their cybersecurity strategy, bolstering their ability to recover quickly, with minimum disruption and data loss.

What is ransomware recovery?

Ransomware recovery is the process of getting IT systems up and running after a ransomware attack. A good business continuity and disaster recovery (BCDR) strategy is one of the best ways to recover from an incident.  

How much does ransomware recovery cost?

The cost of ransomware recovery is influenced by:

  • The severity of the ransomware attack: The severity of the threat is determined by what the attacker does following the attack, which could be withholding the decryption key even after payment, providing a faulty key, or providing decrypted files that are corrupt and beyond saving.
  • Number of systems: The more systems encrypted on your network, the more resources will be needed to run the decryption utilities, to investigate and to troubleshoot issues. This can include unforeseen costs that stem from failing to accurately assess the total number of infected systems.
  • Fixed assessment costs: Ransomware recovery specialists determine their charges after they evaluate the current affected systems. The charges increase in cases where the victims don’t have an incident response, disaster recovery or business continuity plan in place.

The average cost of ransomware recovery (forensic engagement) was $73,851 in 2021, with smaller and midsize businesses paying an average of $40,719 to recover, while enterprise costs averaged $207,875.   

How long does it take to recover from ransomware?

The time it takes to recover from ransomware will be determined by your recovery objectives. A recovery time objective (RTO) defines the amount of time that an application or system can be down without causing significant damage to the business.

Can ransomware be removed?

Ransomware recovery goes beyond decrypting data. It includes forensic investigation, which evaluates how the ransomware got into the network and the impact on systems.

Here are some of the questions raised during the investigation:

Can systems impacted by ransomware be recovered?

Investigators check whether a recent successful backup is available to spin up. Even after the data has been decrypted, you will need to restore it from the previous backup.

Does System Restore remove ransomware?

The answer is no. Malicious files and links are hidden all over the system, and System Restore may not root out every part of the malware. Moreover, a restoration will delete all your files, since System Restore does not save old copies of your personal files as part of its snapshot.

Will reinstalling Windows remove ransomware?

Simply reinstalling Windows on an infected machine may not remove the ransomware completely, but it may permanently delete your own files. Do a complete hard reset, and after booting the system, restore files from the last successful backup.

Can ransomware files be decrypted?

The answer is not always. Certain ransomware variants with advanced encryption algorithms do not generate decryption keys after the ransom payout. Moreover, even if you decrypt the files, you still need to restore them from backup to ensure the files have zero traces of malware.

What are best practices for protecting against ransomware?

These are the four common best practices for ransomware protection:

Develop an understanding of which ransomware risks you need to manage across the scope of your assets, systems, data, people and capabilities. This includes identifying the systems or processes most likely to be targeted in a ransomware attack, and what the business impact would be if specific systems were rendered inoperable. It will help prioritize and focus efforts to manage risks.

An air-gapped backup and the ability to granularly restore data have emerged as key best practices for ransomware recovery. This means keeping backup copies physically and logically separated from the rest of the network, ensuring at least one copy remains unaffected. It is strongly recommended to follow the 3-2-1 rule of backup — three (3) copies of your data, stored in two (2) different formats, with one (1) copy going offsite.

Early detection means faster recovery. Define continuous ways to monitor your organization and identify potential cybersecurity events or incidents. Predictive analytics and machine learning can help identify intrusion attempts by flagging abnormal activity in the network.

In response to an attack, consider the following steps:

  • Isolate affected systems: Keep suspicious systems away from the main network. This mitigates the risk from dormant malware and other unidentified variants.
  • Identify ransomware strain: Understand how the malware behaves, what files it encrypts, where it hides its code within your device(s) and what options may exist for removal and recovery.
  • Report attack: The FBI encourages victims to report ransomware incidents regardless of the outcome. Doing so gives law enforcement information relevant to ongoing ransomware cases.
  • Validate backups: In preparing for recovery, ensure you have clean, validated backups. Data recovery (DR) testing is an effective way to validate backups right down to the application level.
  • Determine options: After an attack, you have the following options to pick from – pay the ransom, do nothing and accept the data loss, try to remove malware, or wipe the entire system clean and rebuild from backups.
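The 3-2-1 rule and the air-gapped copy described under the backup practice above, together with the "validate backups" step, can be turned into a repeatable readiness check. The following is an added example, not Unitrends' code: it evaluates a constructed backup inventory against the 3-2-1 rule (and requires one air-gapped copy), then verifies a restored file tree against a SHA-256 manifest taken at backup time; the inventory format, manifest format and file paths are assumptions.

```python
# Added example, not Unitrends' own code: checks a backup inventory against the
# 3-2-1 rule (plus one air-gapped copy) and verifies a restored tree against a
# checksum manifest. Inventory layout, manifest layout and paths are assumptions.
import hashlib
import os
import tempfile

INVENTORY = [  # constructed: one entry per copy of the same backup set
    {"medium": "disk", "offsite": False, "air_gapped": False},  # live NAS copy
    {"medium": "tape", "offsite": False, "air_gapped": True},   # tape in a safe
    {"medium": "cloud", "offsite": True, "air_gapped": False},  # object storage
]

def check_3_2_1(copies):
    """Return 3-2-1 violations (empty list = rule holds). A copy still reachable
    from the network can be encrypted with production, so require an air gap."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len({c["medium"] for c in copies}) < 2:
        problems.append("fewer than 2 storage types")
    if not any(c["offsite"] for c in copies):
        problems.append("no offsite copy")
    if not any(c["air_gapped"] for c in copies):
        problems.append("no air-gapped copy")
    return problems

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify_restore(manifest, root):
    """Return relative paths missing from the restored tree or whose SHA-256
    differs from the manifest recorded at backup time."""
    full = lambda rel: os.path.join(root, rel)
    return sorted(rel for rel, digest in manifest.items()
                  if not os.path.isfile(full(rel)) or sha256_file(full(rel)) != digest)

def demo():
    """Constructed scenario: one file overwritten with ciphertext, one deleted."""
    root = tempfile.mkdtemp()
    files = {"db.dump": b"CREATE TABLE users (id INT);", "app.ini": b"[app]\nmode=prod\n"}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    manifest = {name: sha256_file(os.path.join(root, name)) for name in files}
    with open(os.path.join(root, "db.dump"), "wb") as f:
        f.write(b"\x8e\x12\x00 constructed ciphertext stand-in")
    os.remove(os.path.join(root, "app.ini"))
    return check_3_2_1(INVENTORY), verify_restore(manifest, root)
```

A non-empty list from either function means the backup set is not ready to be relied on for recovery; in practice the manifest would be written by the backup job and stored with the air-gapped copy.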

Ransomware Recovery with Unitrends

A sound cyber resilience strategy is vital to survive and thrive in this unpredictable, cyberthreat-laden business environment. Unitrends enables you to prepare for, respond to and recover from unforeseen disruptive events seamlessly.

Unitrends helps bolster your cyber resiliency strategy with:

Data loss prevention

The Unitrends Unified BCDR platform is augmented with AI-based features including an integrated Dark Web Monitoring feature designed to reduce the frequency and severity of security-related incidents. Some of these features include:

Data protection and recovery

Unitrends eliminates data loss and downtime from ransomware with AI-based detection, hardened Linux appliances and immutability safeguards. Recovery Assurance ensures 100% successful recovery with automated, application-level recovery testing.

Learn more on how Unitrends helps you eliminate ransomware, data loss and downtime without breaking a sweat.
