SKILL.md

Recovering from Ransomware Attack

When to Use

  • After ransomware has encrypted production systems and the decision has been made to recover from backups
  • When building or validating a ransomware recovery runbook before an actual incident
  • After receiving a decryption key (from a paid ransom or provided by law enforcement) and needing to decrypt safely
  • When partial recovery from backups is needed alongside decryption of the remaining systems
  • When conducting a recovery drill to validate RTO commitments

Do not use before completing containment and forensic scoping. Premature recovery without understanding the attacker's access and persistence mechanisms risks re-infection.

Prerequisites

  • Incident declared and containment phase completed (all attacker access severed)
  • Forensic evidence preserved (disk images, memory dumps, network captures)
  • Backup integrity verified (immutable/air-gapped copies confirmed clean)
  • Clean build media available (OS installation media, golden images)
  • Recovery environment prepared (clean network segment isolated from compromised infrastructure)
  • Recovery priority list documented (Tier 1/2/3 systems in dependency order)

Installs: 9 | GitHub Stars: 6.2K | First Seen: Mar 17, 2026