ransomware recovery

Ransomware recovery is top of mind for executives and IT pros alike, for good reason: Devastating attacks are pummeling organizations of all sizes and in all sectors around the globe. In fact, the estimated cost of ransomware attacks soared to $20 billion in 2021 — and is projected to reach $265 billion by 2031.

But exactly what is a ransomware attack? What is the average ransomware payout? What is ransomware data recovery? How long does it take to recover, and how much does it cost? What are the key ransomware recovery best practices to implement?

Read on to learn the answers to all these questions, and more.

What is a ransomware attack?

Ransomware is a particularly insidious type of malware, or malicious code, that dates back to at least 1989. Basic ransomware blocks access to as much of your data and systems as it can, and demands a ransom payment to restore access. More sophisticated attacks encrypt your data to block access, and even copy the data and threaten to publish it unless the ransom is paid.

It’s critical to understand ransomware does not target only financial spreadsheets, marketing presentations, databases and other data files. It can also render applications and operating systems useless by encrypting their executables, configuration records, registry files and so on. In fact, a key target of ransomware is Active Directory — software that runs on your domain controllers (DCs) and provides vital authentication and authorization services across your IT ecosystem. Indeed, by taking down Active Directory on your domain controllers (DCs), ransomware can bring your business to a standstill in moments.

Attackers use many different strategies to get their ransomware into a victim’s network. One popular option is to send a phishing email that appears to be from a legitimate source and trick a company’s employees into opening a malicious attachment or clicking a link to a malicious website. Other attacks exploit vulnerabilities in operating systems or other software; the best-known example is the WannaCry ransomware attack in May 2017. Even more alarming, cybercriminals are now enticing employees to deliberately unleash ransomware into their employer’s network in exchange for a percentage of the ransom payout.

What is the average ransomware payout?

It’s tough to say with much accuracy what the average ransom demand is, much less how much the average payout is. Organizations are reluctant to admit that they’ve been breached and even more reluctant to admit paying a ransom. Moreover, cybercriminals usually demand the ransom be paid in cryptocurrency, such as Bitcoin, which makes the transactions very difficult to trace.

Still, researchers are doing their best to answer these questions. One report found that the average ransomware demand in 2020 was $847,344, with the highest being a staggering $30 million; it pegged the average payout in 2020 at $312,493, an increase of 171 percent from the previous year. Another study reports that overall, ransomware victims paid over $406 million to attackers in 2020.

How much does ransomware recovery cost and how long does it take?

The average cost of remediating a ransomware attack more than doubled in 2021 and now stands at $1.85 million. The costs of a ransomware attack include:

  • IT team costs — A big part of the cost of ransomware recovery is getting your systems back up and running. This can take a lot of time from your IT pros and can require engaging costly external experts.
  • Additional personnel costs — The ransomware recovery effort will by no means be limited to IT pros. Marketing, communications, finance, legal and HR teams will all be swamped with dealing with the fallout: communicating with customers and partners, handling press inquiries, conducting ransom negotiations, fielding employee questions, and much more.
  • Lost revenue due to business interruption — The average downtime from a ransomware attack has been increasing; it now stands at 23 days. Not being able to do business for more than three weeks is devastating even for large enterprises and can easily put smaller organizations out of business altogether.
  • Legal expenses and settlement costs — If a ransomware infection involves sensitive or regulated data, the legal bills will mount up quickly. Not only will your legal teams have to deal with oversight bodies, you might be hit with lawsuits, which is likely to result in a steep settlement, a costly protracted legal battle or both.
  • Fines — In 2022, the UK Information Commissioner’s Office (ICO) handed down its first monetary penalty related to ransomware under the General Data Protection Regulation (GDPR), in the amount of £98,000 (about US$129,000). Fines will likely become more common.
  • Damage to your reputation — Suffering a ransomware attack can cause lasting damage to your organization’s reputation, since consumers and partners alike will have good reason to wonder if they can trust you to protect their sensitive data. The longer the ransomware recovery takes, the worse the damage is likely to be.

How can an organization recover from a ransomware attack?

At first blush, the simplest way to recover from a ransomware attack would seem to be to simply pay the ransom and wait for the hackers to hand over the decryption key. However, research reveals that only 8 percent of organizations that pay the ransom actually manage to get back all of their data; in fact, three in ten (29%) get back half or less. Moreover, a staggering 80% of organizations that paid ransom suffered a second attack — and nearly half of them believe it was at the hands of the very same hackers.

What is a ransomware recovery plan?

A ransomware recovery plan is an organizational strategy used to combat the immediate threat of ransomware. It typically includes a response team, directions to recover data from backups, and communication plans to make sure all affected are informed. It’s vital for every organization to establish a solid ransomware recovery plan, as a slow response can lead to financial and reputational loss.

A great way to get started is to review the key best practices below.

Five ransomware recovery best practices

Here are five critical best practices that will help you establish a truly effective ransomware recovery strategy.

1. Air gap your backups — and your backup plan.

Arguably the core best practice in any ransomware recovery strategy is to make regular backups — including Active Directory backups needed to restore your domain controllers — and test them to ensure they’re good. In fact, that best practice is so fundamental that I’m going to assume everyone knows it and move on to how to store those backups.

Ransomware actors know that you can’t restore from backup if your backups have been corrupted. That’s why many ransomware strains are designed to actively seek out and destroy all the backups they can reach — attackers want to maximize the chances that you’ll have to pay the ransom instead of being able to restore your data yourself.

Accordingly, your ransomware recovery strategy needs to require backups to be kept in a state where they can’t be affected by an attack — a place that’s offline, disconnected and inaccessible from both your internal networks and the internet. One option is to go old-school: Write your backups to tape and send them to an off-site storage facility like Iron Mountain. However, that approach is cumbersome and costly on both the backup and the recovery ends of the process. In particular, it will significantly slow recovery from a ransomware infection, since retrieving, transporting, mounting and reading tapes requires a great deal of time. Every minute of delay increases the damage of the attack on your business — including longer downtime, more media scrutiny, and a bigger hit to your company’s reputation and future revenue.

Therefore, many organizations today are choosing to store their backups in the cloud with a trusted provider, giving an easy way to provide an alternate, off-site location for your backup data. This also adds the ability to recover to alternate locations if required to speed ransomware recovery. Options include Amazon Simple Storage Service (S3), Amazon S3 Glacier and S3 Glacier Deep Archive, and Microsoft Azure Blob Storage. If there is an intention to use cloud storage, ensure that any backup data is encrypted before it leaves the network perimeter of the business.

2. Plan for the worst-case scenario.

Unfortunately, many organizations make the mistake of limiting their ransomware recovery strategy to documents and applications. Your plan needs to assume that you will have no domain controllers and therefore no working IT environment at all. Since forest recovery is complicated, it’s wise to have a solution that automates the process. Also be sure to consider the impact of a ransomware attack on things beyond Active Directory and business applications, such as your network, routers, switches and VPN concentrators. Often overlooked is the need to protect your Microsoft cloud infrastructure, which is especially important considering that Microsoft reported more than 25 billion attempted attacks on Azure AD in 2021 alone. Your Microsoft 365 backup data stored in Exchange and SharePoint Online, OneDrive, Teams and Calendars is just as susceptible to user errors, accidental deletion, corruption and malware. But while Microsoft may be responsible for keeping the cloud services available, you are accountable for protecting your data.

Also remember that you need to store your ransomware recovery plan in a location where you can access it even if you’ve been hit by the most severe ransomware attack you can imagine. Printing it out is a tried and true tactic; another option is to store it in a separate cloud storage like Dropbox.

3. Assemble the right people and ensure they can collaborate effectively.

A ransomware recovery effort involves many different teams, such as:

  • Backup team to provide the backups and perform restores
  • Storage team to ensure you have enough storage to restore servers from backup
  • Network team to make sure that the servers being restored are sandboxed and that DCs can communicate
  • Server team to validate that the restore is correct and complete and also to install any additional antivirus or anti malware software that’s required
  • Security team to ensure that there is no ransomware on the restored servers
  • Application team to validate that applications are working
  • External parties, such as Microsoft, your backup and recovery vendor, and your cloud storage provider

It’s essential to have one person in charge who can direct and coordinate all these teams and make decisions on the fly. Make sure you have clearly documented all roles and responsibilities.

In addition, make sure your ransomware recovery playbook includes a virtual war room where these teams can come together and sub-groups can break out to strategize about particular issues. Options for implementing this set of virtual rooms include Microsoft Teams, Zoom and the Teamflow app.

4. Consider a phased recovery.

When a ransomware attack brings more than just an isolated part of your IT ecosystem, strategically recovering data and applications in phases is often the best way to get your business back up on its feet as soon as possible.

Reduce Active Directory recovery time by 90%

Accelerate Active Directory recovery

Recover Active Directory 5x faster than manual forest recoveries.
Reduce your AD attack surface

Reduce your AD attack surface.

See where you’re exposed and how to remediate it.

During ransomware recovery planning, collaborate with your business counterparts to identify the applications that are most critical for core business operations. Then determine which domain controllers are essential for those applications; often, the key DCs are located in the data center rather than remote offices. Create a prioritized list to guide a phased recovery in which the Active Directory team restores the most critical DCs and then moves on to the other domain controllers while the application teams, database teams and others start their recovery work on the critical DCs.

5. Don’t sacrifice quality for speed.

While organizations are understandably anxious to get back to normal after a ransomware attack, it’s essential to ensure the recovery is done right, so you don’t immediately get reinfected. It’s smart to choose a recovery solution that gives you the flexibility to choose the best way to restore each of your domain controllers.

For example, while bare metal recovery (BMR) is comparatively simple, it requires the target machine to have the same physical disk layout as the DC where the backup was taken, and the backup includes components that aren’t needed for the restore operation, such as the Boot volume — giving ransomware plenty of places to hide and reinfect your organization. Accordingly, you want to have other options in addition to BMR, such restoring Active Directory onto a clean operating system on a new Windows server to minimize the risk of reinfection


Today, every organization needs to have a comprehensive ransomware recovery strategy that will enable them to quickly recover their key domain controllers and get back to business quickly.

Lessons learned from a recent ransomware recovery

Today’s headlines are filled with harrowing stories of successful ransomware attacks. Learn key ways to strengthen your ransomware and Active Directory disaster recovery strategies.

View the Whitepaper

About the Author

Bryan Patton

Bryan Patton is a Principal Strategic Systems Consultant at Quest Software. For nearly 20 years he has helped customers shape their Microsoft environments. With particular emphasis on Active Directory and Office 365 environments, Bryan specializes in Identity and Access Management, Data Governance, Migration, and Security, including Certified Information Systems Security Professional (CISSP) certification.

Related Articles