Ransomware Response Plan: 6 Phases From Attack to Recovery


Josh Amishav · Last updated Apr 02, 2026 · 11 Minute Reading Time

Learn how to build a ransomware response plan that your team can actually execute under pressure.

• Nearly half of all ransomware victims still pay the ransom, according to the Sophos 2025 report. But 57% of all victims recovered less than half their data. Clean backups and a tested response plan are the difference between paying and recovering on your own terms.
• Most ransomware attacks start with stolen credentials purchased from infostealer logs. There’s a window of days to weeks between credential theft and ransomware deployment. Credential monitoring catches them in that window.
• Your response plan needs six phases: detection, triage, threat hunting, reporting, containment, and recovery. The order matters. Skipping threat hunting means you’ll miss the backdoors attackers left behind.
• A plan you haven’t tested is just a document. Run tabletop exercises quarterly. The first time your team executes the plan shouldn’t be during a real attack.

A ransomware attack at 2am is the worst time to figure out who makes decisions. The average breach costs $5.08 million (IBM Cost of a Data Breach 2025). Much of that cost comes from delayed response and poor coordination.

Companies with tested response plans recover faster. Those without one waste critical hours improvising while ransomware spreads across the network.

The difference isn’t just technical controls. It’s knowing exactly who does what, in what order, before the pressure hits.

This guide walks you through building a six-phase response plan, from detection through recovery.

Why Do You Need a Ransomware Response Plan?

A ransomware attack at 2am isn’t the time to figure out who makes decisions, which systems get isolated first, or where your backups actually live.

A ransomware response plan is a documented playbook that defines exactly how your team detects and contains ransomware attacks. It covers recovery too. The plan assigns roles and responsibilities, establishes communication protocols, and outlines step-by-step procedures for every phase of incident response. Without one, teams waste critical hours improvising while ransomware spreads.

The numbers tell the story. According to Veeam’s 2025 Ransomware Trends Report, 69% of companies experienced at least one cyberattack in the past year. Of those attacked, nearly half paid the ransom according to Sophos’s 2025 State of Ransomware report. But here’s the painful part: 57% of all victims recovered less than half their data. Only 10% got back more than 90%.

Meanwhile, 25% of attacked companies recovered without paying at all. What separated them from the paying victims? Clean, immutable backups and tested response plans.

A response plan does two things. It reduces panic because everyone knows their role. And it speeds containment because pre-defined isolation procedures stop ransomware from spreading to your backup systems. Without documented steps, teams often wipe systems before collecting forensic evidence.

Most companies already have the technical controls. What they lack is the coordination to use them under pressure.

Who Needs a Ransomware Response Plan?

Every company that relies on computers to operate needs one. That’s not an exaggeration.

Small businesses often assume they’re not targets. The Verizon 2025 DBIR shows 88% of SMB breaches involve ransomware. Attackers know smaller companies have weaker security and often pay faster to avoid extended downtime.

Large enterprises face different challenges. Complex environments mean more attack surface and tangled dependencies between systems. A ransomware infection in one subsidiary can cascade across shared infrastructure.

Regulated industries face compliance pressures on top of operational risks. If you’re in healthcare, you need patient data access restored fast. Financial services have strict notification deadlines. If you run critical infrastructure, government agencies will be involved.

The question isn’t whether you need a response plan. It’s whether you’ll build one before you need it or learn why you needed one during an actual attack.

But first, here’s how these attacks actually start. It changes how you plan.

How Do Ransomware Attacks Actually Start?

Ransomware doesn’t appear out of nowhere. Most attacks follow a predictable chain: credential theft, access sale, reconnaissance, data exfiltration, then encryption. This process takes days to weeks, not hours. Our ransomware examples page shows how this played out in 15 real attacks.

Initial access brokers (IABs) are cybercriminals who specialize in breaking into corporate networks and selling that access to ransomware operators. They harvest credentials through phishing and infostealer malware, then sell network access on dark web marketplaces. Your stolen credentials can circulate for weeks before a ransomware group purchases them.

Stolen VPN credentials are the most common entry point for ransomware, according to multiple incident response firms. These credentials typically come from infostealer malware that harvested them weeks earlier.

The key point for response planning: attackers are usually inside your network longer than you think. Your response plan needs to account for that. For a detailed breakdown of how this pipeline works, see our ransomware trends analysis.

What Are the Six Phases of a Ransomware Response Plan?

The process breaks into six distinct phases. Each builds on the previous, and skipping steps creates problems downstream.

Phase 1: Detection and Initial Analysis

Speed matters here. The faster you detect the attack and isolate systems, the less damage spreads.

Immediate isolation steps:

  • Identify which systems show signs of ransomware activity
  • Disconnect affected systems from the network immediately
  • If multiple subnets are infected, take down those networks at the switch level
  • For systems you can’t disconnect, power them down as a last resort (this destroys volatile memory evidence)
  • Take snapshots of infected cloud systems for forensic investigation

Communication protocol: Assume attackers are monitoring your communications. They often gain access to email and collaboration tools before deploying ransomware. If your email, Slack, or Teams are compromised, you can’t use them to coordinate your response. Set up contingency communication channels before you need them: a separate Signal group, personal cell numbers printed on paper, or a dedicated out-of-band platform that doesn’t touch your corporate network.

Critical questions to answer:

  • Which systems are confirmed infected?
  • What’s the ransomware variant? (Check ransom notes and encrypted file extensions)
  • Are backups accessible and unaffected?
  • When did the encryption start? (Establish a timeline)

Document everything from this point forward. You’ll need this information for law enforcement, insurance claims, and post-incident analysis.
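The variant and timeline questions above can be partly answered from the file system itself: ransom notes identify the group, the foreign extension on encrypted files identifies the variant, and the modification times of those files bound the encryption window. The following script is an added example, not code from the original article or its author. The note-name patterns, the baseline extension list, the listing format and the sample file set are all constructed assumptions; point `walk_filesystem()` at a mounted forensic image (never at the live, still-encrypting host) to run it against real data.

```python
"""Phase 1 triage: find ransom notes, count the encrypted-file extension,
and bound the encryption window from file timestamps.

Added example. Patterns, baseline extensions and sample data are assumptions.
"""
from collections import Counter
from datetime import datetime, timezone
import os
import re

# Generic ransom-note name fragments (assumption: not tied to any one variant).
NOTE_PATTERN = re.compile(
    r"(how.?to.?(decrypt|restore|recover)|restore.?(my|your).?files"
    r"|decrypt.?(instructions|files)|readme.?(to.?)?(decrypt|restore))",
    re.IGNORECASE,
)
# Extensions considered normal on this share (assumption; tune per environment).
BASELINE_EXTS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "png", "zip", "log"}


def walk_filesystem(root):
    """Yield (path, mtime_utc) for a real directory tree, e.g. a mounted image."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue
            yield full, datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)


def triage(entries, min_hits=3):
    """Classify a listing of (path, mtime) tuples.

    Returns ransom notes, extensions that appear at least `min_hits` times and
    are not in the baseline (the encryptor's appended extension), and the
    first/last modification time of those files (the encryption window).
    """
    notes, candidates = [], []
    for path, mtime in entries:
        name = os.path.basename(path)
        stem, _, ext = name.rpartition(".")
        ext = ext.lower() if stem else ""
        if NOTE_PATTERN.search(name) and ext in {"txt", "html", "hta", ""}:
            notes.append(path)
            continue
        # Encrypted files usually carry a double extension: report.docx.<variant>
        if ext and ext not in BASELINE_EXTS:
            candidates.append((ext, mtime))
    counts = Counter(ext for ext, _ in candidates)
    suspect = {e: n for e, n in counts.items() if n >= min_hits}
    times = [t for e, t in candidates if e in suspect]
    window = (min(times), max(times)) if times else None
    return {
        "ransom_notes": sorted(notes),
        "encrypted_extensions": suspect,
        "encryption_window": window,
    }


def constructed_sample():
    """Constructed listing imitating a hit file server (not real data)."""
    def at(h, m):
        return datetime(2026, 3, 14, h, m, tzinfo=timezone.utc)
    return [
        ("/srv/share/finance/q1.xlsx.lockd", at(2, 13)),
        ("/srv/share/finance/q2.xlsx.lockd", at(2, 14)),
        ("/srv/share/hr/payroll.docx.lockd", at(2, 31)),
        ("/srv/share/hr/RESTORE-MY-FILES.txt", at(2, 31)),
        ("/srv/share/eng/notes.txt", at(1, 0)),     # untouched
        ("/srv/share/eng/build.log", at(1, 5)),     # untouched
        ("/srv/share/eng/tool.exe", at(0, 0)),      # one odd extension, below threshold
    ]


if __name__ == "__main__":
    result = triage(constructed_sample())
    print("ransom notes:", result["ransom_notes"])
    print("encrypted extensions:", result["encrypted_extensions"])
    print("encryption window:", result["encryption_window"])
```

The extension count threshold keeps a single unusual file from being mistaken for an encryptor, and the window is only computed over files that carry the suspect extension, so a stray old file does not stretch the timeline. Record the output as the first entry in the incident log; it is the starting point for the timeline the later phases build on.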

Phase 2: Triage and Prioritization

Not all systems are equally critical. Triage helps you focus recovery efforts where they matter most.

Build your critical asset list before an incident:

  • Systems essential to daily operations
  • Customer-facing services
  • Revenue-generating platforms
  • Safety-critical systems (especially in manufacturing and healthcare)
  • Backup and recovery infrastructure

Having this list pre-defined saves hours during an actual incident. Update it quarterly as your environment changes.

Examine your security tools: Your antivirus, EDR, IDS/IPS, and SIEM should help identify additional infected systems. Look for:

  • Systems communicating with known malicious IPs
  • Unusual encryption activity on file servers
  • Lateral movement indicators
  • Evidence of precursor malware like Emotet or QakBot

Precursor malware often arrives weeks before ransomware deployment. If you find droppers, assume the attack has been underway longer than the encryption suggests.

Phase 3: Active Threat Hunting

Don’t assume the ransomware binary is the only problem. Attackers establish multiple persistence mechanisms to survive partial remediation.

Hunt for these indicators:

  • Newly created Active Directory accounts, especially with escalated privileges
  • Anomalous logins (off-hours access, impossible travel, unfamiliar locations)
  • Unexpected service accounts or scheduled tasks
  • Boot configuration changes
  • Presence of adversarial toolkits (Cobalt Strike, Mimikatz, NTDSutil.exe)
  • Abuse of legitimate Windows tools (PowerShell, BITSAdmin, CertUtil, WMIC)

Check for data exfiltration: Most modern ransomware groups steal data before encrypting. Look for:

  • Unusual outbound traffic volumes
  • Use of file transfer tools (Rclone, MegaSync, WinSCP)
  • Web shells or unusual HTTP POST activity
  • DNS tunneling indicators

Review cloud configurations: If you use cloud infrastructure, verify:

  • IAM permissions haven’t been modified
  • Security group rules are intact
  • No unauthorized user accounts were created
  • Billing alerts haven’t been disabled (attackers sometimes spin up cryptomining instances)

Document every indicator of compromise you discover. You’ll need these for the eradication phase and for threat intelligence sharing.
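The persistence and exfiltration indicators listed above can be turned into hunting rules that run over exported logs. The script below is an added example, not code from the original article or its author, and covers the account-creation, privileged-group, scheduled-task, off-hours-logon and transfer-tool indicators plus a per-host outbound byte volume check. It assumes a JSON-lines export of Windows Security events with the field names shown, a simple flow record tuple, and the business-hours and volume thresholds it declares; the events and flows are constructed sample data.

```python
"""Phase 3 hunting rules over constructed Windows Security events and flow data.

Added example. Field names, thresholds and sample records are assumptions.
"""
from collections import defaultdict
from datetime import datetime
import json

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 local time (assumption)
EXFIL_BYTES_THRESHOLD = 5 * 1024 ** 3    # 5 GiB outbound per host per day (assumption)
KNOWN_TRANSFER_TOOLS = {"rclone.exe", "megasync.exe", "winscp.exe"}

# Constructed JSON-lines export; event IDs are the standard Windows Security IDs
# (4720 user created, 4728 added to global group, 4698 scheduled task created,
# 4624 logon, 4688 process created). Values are invented.
CONSTRUCTED_EVENTS = r"""
{"ts":"2026-03-12T03:14:00","id":4720,"host":"DC01","subject":"svc_backup","target":"helpdesk2"}
{"ts":"2026-03-12T03:15:10","id":4728,"host":"DC01","subject":"svc_backup","member":"helpdesk2","group":"Domain Admins"}
{"ts":"2026-03-12T03:20:00","id":4698,"host":"FS01","subject":"helpdesk2","task":"\\Microsoft\\Windows\\Updater","command":"C:\\ProgramData\\rclone.exe"}
{"ts":"2026-03-12T11:02:00","id":4624,"host":"WS042","subject":"alice","logon_type":10,"src_ip":"10.0.5.20"}
{"ts":"2026-03-12T02:40:00","id":4624,"host":"FS01","subject":"helpdesk2","logon_type":10,"src_ip":"10.0.9.77"}
{"ts":"2026-03-12T08:00:00","id":4688,"host":"WS042","subject":"alice","command":"C:\\Windows\\System32\\notepad.exe"}
"""

# Constructed flow records: (host, src_ip, dst_ip, dst_port, bytes_out).
CONSTRUCTED_FLOWS = [
    ("FS01", "10.0.9.5", "203.0.113.7", 443, 6_900_000_000),
    ("FS01", "10.0.9.5", "203.0.113.7", 443, 1_200_000_000),
    ("WS042", "10.0.5.20", "198.51.100.1", 443, 40_000_000),
]


def _basename(command):
    return command.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def hunt_events(jsonl):
    """Return sorted (timestamp, rule, detail) findings from JSON-lines events."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        eid = ev["id"]
        if eid == 4720:
            findings.append((ts, "account_created",
                             f"{ev['target']} created by {ev['subject']} on {ev['host']}"))
        elif eid in (4728, 4732, 4756) and ev.get("group") in PRIVILEGED_GROUPS:
            findings.append((ts, "privileged_group_add",
                             f"{ev['member']} added to {ev['group']} by {ev['subject']}"))
        elif eid == 4698:
            findings.append((ts, "scheduled_task_created",
                             f"{ev['task']} -> {ev['command']} by {ev['subject']} on {ev['host']}"))
        elif eid == 4624 and ev.get("logon_type") in (3, 10) and ts.hour not in BUSINESS_HOURS:
            findings.append((ts, "off_hours_remote_logon",
                             f"{ev['subject']} from {ev['src_ip']} to {ev['host']} at {ts:%H:%M}"))
        # Transfer tools surface in task commands (4698) and process creation (4688)
        cmd = ev.get("command", "")
        if cmd and _basename(cmd) in KNOWN_TRANSFER_TOOLS:
            findings.append((ts, "transfer_tool_seen", f"{cmd} on {ev['host']}"))
    return sorted(findings)


def hunt_exfil(flows, threshold=EXFIL_BYTES_THRESHOLD):
    """Sum outbound bytes per internal host and return hosts over the threshold."""
    totals = defaultdict(int)
    for host, _src, _dst, _port, bytes_out in flows:
        totals[host] += bytes_out
    return {h: b for h, b in totals.items() if b >= threshold}


if __name__ == "__main__":
    for ts, rule, detail in hunt_events(CONSTRUCTED_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M} {rule:24} {detail}")
    print("hosts over outbound threshold:", hunt_exfil(CONSTRUCTED_FLOWS))
```

Each finding carries the timestamp so the output can be merged straight into the incident timeline, and every rule maps to one bullet above, which makes it easy to see which indicators your log sources can and cannot answer before an incident. The business-hours rule will be noisy for on-call staff; scope it to service accounts and privileged users, or feed it a per-user baseline, before relying on it.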

Phase 4: Reporting and Notification

Most companies underestimate the communication burden during a ransomware incident.

Internal notifications: Follow your incident response plan’s escalation procedures. Engage:

  • Executive leadership
  • Legal counsel
  • Communications/PR
  • HR (if employee data is affected)
  • Business unit leaders for affected systems

External notifications: Depending on your jurisdiction and industry:

  • Report to the FBI via IC3 (ic3.gov) or your local field office
  • Report to CISA (cisa.gov/report or 888-282-0870)
  • Notify your cyber insurance carrier immediately
  • Contact your sector-specific ISAC
  • Notify affected customers per breach notification laws

Use communication templates: Pre-drafted notifications save time and reduce legal risk. Prepare templates for:

  • Employee communications (what happened, what to do, what not to do)
  • Customer notifications (what data was affected, what you’re doing)
  • Media statements (if the incident becomes public)
  • Regulatory notifications (specific to your compliance requirements)

Avoid stating anything as fact until you’ve confirmed it. Early communications often prove inaccurate as the investigation progresses.

Phase 5: Containment and Eradication

This is where you remove the attacker’s access and prepare for recovery.

Preserve evidence first:

  • Capture memory dumps from infected systems before wiping
  • Preserve relevant logs (firewall, proxy, endpoint, authentication)
  • Image affected systems if possible
  • Document the ransomware variant and any indicators of compromise

Check for decryption tools: Before deciding on the recovery approach, search for known decryptors:

  • No More Ransom Project (nomoreransom.org)
  • ID Ransomware (id-ransomware.malwarehunterteam.com)
  • Consult with law enforcement who may have access to decryption keys

Eradicate attacker access:

  • Disable compromised accounts and terminate active sessions
  • Remove identified malware, web shells, and persistence mechanisms
  • Disable VPN and remote access until you’ve verified credentials haven’t been compromised
  • Block known malicious IPs and domains at the firewall
  • Reset the passwords for all affected accounts (do this after the environment is clean)

Rebuild affected systems: Don’t try to clean infected machines. Rebuild from known-good images or infrastructure-as-code templates. Ensure rebuilt systems:

  • Have all current patches applied
  • Run updated endpoint protection
  • Use new credentials
  • Connect to a clean, isolated network segment for verification before rejoining production

Phase 6: Recovery and Post-Incident Review

Recovery isn’t just restoring systems. It’s restoring operations without reinfection.

Check for backup poisoning first. Attackers often sit in your network for weeks before deploying ransomware. During that time, they may have corrupted or encrypted your backups too. Before you try to restore anything, verify that your backups are clean. Restore to an isolated environment and test before connecting to production. If your most recent backups are compromised, you may need to go back further. This is why immutable backups (write-once, can’t be modified or deleted) are worth the investment.

Restore from backups:

  • Verify backup integrity in an isolated environment before restoration
  • Restore to isolated network segments first
  • Test restored systems before reconnecting to production
  • Prioritize critical systems identified during triage
  • If recent backups are compromised, go back to the last known clean backup even if it means losing some data

Monitor for reinfection: The first few weeks after recovery are high-risk. Attackers may have left backdoors you missed. Increase monitoring for:

  • Outbound connections to previously blocked IPs
  • Repeated malware detections
  • Suspicious authentication activity
  • Signs of lateral movement

Conduct post-incident review: Within two weeks of resolution, document:

  • Timeline of the attack (initial access through resolution)
  • What worked well in your response
  • What failed or caused delays
  • Gaps in detection, response, or recovery capabilities
  • Specific improvements needed

Share intelligence: Consider sharing indicators of compromise with:

  • CISA
  • Your sector ISAC
  • Peer organizations
  • Threat intelligence platforms

This sharing helps the broader community defend against the same attackers. Reviewing monthly ransomware reports during post-incident analysis helps you benchmark your experience against broader attack trends.

What Should Your Ransomware Recovery Plan Cover?

Recovery is often the longest phase. The ransomware incident response plan gets you through the crisis. The recovery plan gets you back to normal operations.

Define your recovery timeline targets. Know your RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for every critical system before an incident. RTO is how fast you need to restore the system. RPO is how much data loss you can tolerate. If your RPO is 4 hours but your last clean backup is 3 weeks old because of backup poisoning, you have a problem.

Plan for partial recovery. You probably can’t restore everything at once. Prioritize: revenue-generating systems first, then customer-facing services, then internal tools. Communicate realistic timelines to leadership. Saying “we’ll be back online in 48 hours” when the real answer is two weeks destroys trust.
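The RPO check and the tiered restore order described above are simple enough to compute from the critical asset list and a backup catalogue, which is exactly the kind of thing worth doing during a tabletop rather than at 2am. The following planner is an added example, not code from the original article or its author. It assumes assets carry a tier plus RTO and RPO, that each backup record says whether it has passed a restore-and-test in an isolated segment, and that data loss is measured from the last verified-clean backup to the start of encryption; the assets and backups are constructed sample data.

```python
"""Recovery planner: order assets by tier and RTO, flag RPO gaps caused by
poisoned (unverified) backups.

Added example. Asset list, backup catalogue and field names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Asset:
    name: str
    tier: int            # 1 revenue-generating, 2 customer-facing, 3 internal tools
    rto: timedelta       # how fast the system must be back
    rpo: timedelta       # how much data loss is tolerable


@dataclass
class Backup:
    asset: str
    taken_at: datetime
    verified_clean: bool  # True only after restore-and-test in an isolated segment
    immutable: bool


def last_clean_backup(backups, asset_name):
    """Newest backup for the asset that has passed isolated verification."""
    cands = [b for b in backups if b.asset == asset_name and b.verified_clean]
    return max(cands, key=lambda b: b.taken_at) if cands else None


def recovery_plan(assets, backups, encryption_start):
    """Return restore order with the data loss each asset will incur."""
    plan = []
    for a in sorted(assets, key=lambda a: (a.tier, a.rto)):
        b = last_clean_backup(backups, a.name)
        if b is None:
            plan.append({"asset": a.name, "tier": a.tier, "backup": None,
                         "data_loss": None, "rpo_met": False})
            continue
        loss = encryption_start - b.taken_at
        plan.append({"asset": a.name, "tier": a.tier, "backup": b.taken_at,
                     "data_loss": loss, "rpo_met": loss <= a.rpo})
    return plan


# Constructed sample: encryption started 2026-03-14 02:13; the attacker was
# inside for three weeks, so the recent payments-api backups did not verify clean.
ENCRYPTION_START = datetime(2026, 3, 14, 2, 13)
CONSTRUCTED_ASSETS = [
    Asset("wiki", 3, timedelta(hours=72), timedelta(hours=24)),
    Asset("web-portal", 2, timedelta(hours=8), timedelta(hours=4)),
    Asset("payments-api", 1, timedelta(hours=4), timedelta(hours=1)),
]
CONSTRUCTED_BACKUPS = [
    Backup("payments-api", datetime(2026, 3, 13, 23, 0), verified_clean=False, immutable=True),
    Backup("payments-api", datetime(2026, 3, 12, 23, 0), verified_clean=False, immutable=True),
    Backup("payments-api", datetime(2026, 2, 21, 23, 0), verified_clean=True, immutable=True),
    Backup("web-portal", datetime(2026, 3, 14, 0, 0), verified_clean=True, immutable=True),
    # wiki has no backups at all
]


def summarize(plan):
    """Human-readable lines for the leadership briefing."""
    lines = []
    for p in plan:
        if p["backup"] is None:
            lines.append(f"{p['asset']}: NO CLEAN BACKUP - rebuild required")
        else:
            flag = "ok" if p["rpo_met"] else "RPO MISSED"
            lines.append(f"{p['asset']}: restore from {p['backup']:%Y-%m-%d %H:%M}, "
                         f"data loss {p['data_loss']} ({flag})")
    return lines


if __name__ == "__main__":
    for line in summarize(recovery_plan(CONSTRUCTED_ASSETS, CONSTRUCTED_BACKUPS, ENCRYPTION_START)):
        print(line)
```

Run on the sample, the planner puts payments-api first but shows a 20-day data loss against a one-hour RPO, because its recent backups were taken while the attacker was inside and have not been verified. That gap is the number to put in front of leadership instead of a hopeful "48 hours"; it is also the argument for verifying backups continuously rather than only after an incident.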

Test full-system restores, not just file-level. Most backup tests verify that individual files can be recovered. That’s not the same as restoring an entire system with its configurations, dependencies, and integrations. Test full-system restores at least annually. You don’t want to discover during an active incident that your backup restores the data but not the application configs.

Budget for the long tail. The immediate crisis may pass in days. But full recovery often takes months. Forensic investigation, system rebuilds, security improvements, compliance reporting, and legal proceedings continue long after operations resume. Budget for it.

How Can You Detect Ransomware Before Encryption?

Response plans focus on what happens after detection. But the best outcomes come from catching attacks earlier.

Stolen credentials appear on dark web marketplaces and infostealer channels before attackers use them. If you’re monitoring these sources, you can reset compromised credentials before ransomware operators exploit them.

For a complete detection strategy, see our guide on ransomware detection. The short version: monitor for your credentials in dark web markets, watch ransomware leak sites for your vendors, and treat any credential exposure as urgent.

How Often Should You Test Your Response Plan?

A plan that sits in a drawer is not a plan. It’s documentation.

Recommended testing cadence:

  • Quarterly tabletop exercises: Walk through scenarios with your response team. Test decision-making, not just procedures.
  • Annual full simulation: Conduct a realistic drill that tests technical response, communication, and recovery procedures.
  • Post-incident reviews: After any security incident, review whether your plan worked and update accordingly.

What to measure: CISA and KELA recommend tracking these metrics:

  • Mean time to detect (MTTD): How long from initial compromise to detection?
  • Mean time to respond (MTTR): How long from detection to containment?
  • Recovery time objective (RTO): How quickly did you restore critical systems?
  • Recovery rate: What percentage of data was successfully restored?
  • Incident cost: Total cost including downtime, response, and remediation

If you’re not measuring, you can’t improve. Track these metrics across exercises and real incidents.

How Credential Monitoring Fits Into Your Response Plan

During Phase 5, you need to reset compromised credentials. But which ones? If you don’t already know what’s been leaked, you’re guessing.

Credential monitoring scans infostealer logs and dark web marketplaces for your employees’ exposed passwords. During an active incident, this tells you which accounts to reset first. Outside of incidents, it catches the leaked credentials that ransomware operators buy before they deploy anything.

That’s the window. Credentials get stolen, sit in a marketplace for days or weeks, then get purchased by a ransomware affiliate. If you catch them in that window, you reset the password and the attack never happens. Your response plan never gets activated.

Check your exposure to see if your credentials are already circulating.

Ransomware Response Plan FAQ

A ransomware response plan is a documented process for detecting and containing ransomware attacks, then recovering. It defines who does what when an attack hits, how to isolate infected systems, when to involve law enforcement, and how to restore operations. Without one, teams waste critical hours figuring out next steps while ransomware spreads.

Recovery time varies dramatically based on preparation. Companies with tested response plans and clean offline backups can restore critical systems within days. Those without? The Sophos 2025 report found nearly half of victims paid ransoms. Veeam’s data shows 57% recovered less than half their data. Many recoveries stretch beyond a year when backups are compromised.

There’s no universal answer. FBI and CISA advise against paying because it funds criminal operations and doesn’t guarantee recovery. The IBM 2025 report shows 63% of victims refused to pay. But for some organizations, paying is the least-bad option when backups fail and business survival is at stake. Key considerations: OFAC sanctions risk if the group is state-sponsored, whether your cyber insurance covers payments, and realistic recovery timelines without paying. Work with legal counsel and your insurance carrier before deciding.

Stolen credentials are the primary entry point. Nearly 50% of ransomware attacks in Q3 2025 used stolen VPN credentials (Beazley Security). Attackers buy these from initial access brokers who harvest them via infostealer malware. Phishing and unpatched vulnerabilities are also common. Exposed RDP remains a frequent target.

Your playbook needs incident response contacts with clear roles. Include isolation procedures for infected systems and backup restoration steps. Don’t forget communication templates for leadership and law enforcement contacts. Test quarterly with tabletop exercises.

Most cyber insurance policies cover ransomware, but the details matter. Some policies exclude ransom payments. Others require you to follow specific incident response procedures or use approved vendors. Check whether your policy covers business interruption, forensic investigation costs, and notification expenses. Contact your carrier before an incident so you know exactly what’s covered and what documentation they need.
