What to Expect When Ransomware Hits: A Recovery Walkthrough


Ransomware always starts quietly.

Someone in IT notices a monitoring alert and assumes it’s just noise. A user calls to say they can’t access a shared drive, which could be anything. By the time the second call comes in about something unrelated that turns out to be related, you’re already twenty minutes into an incident nobody has formally declared yet. And by the time most organisations confirm they’re dealing with ransomware, the attackers have typically been inside the network for days – sometimes months – mapping systems, locating backups, and positioning their payload for maximum effect.

The first 24 hours

Containment comes before everything else. That means taking systems offline, isolating affected segments, and stopping the spread before it reaches infrastructure you haven’t yet lost. Every minute spent hesitating is time the encryption process continues running.

Containment requires decisions, and decisions require information that nobody has yet assembled. Which systems are affected, which aren’t, whether backups have been reached, whether data was exfiltrated before encryption (which would trigger a UK GDPR disclosure obligation) – all of that needs establishing simultaneously, while the business is already demanding to know when it will be back online.

Without a defined incident response process already in place, the first 24 hours become a series of improvised calls with no clear owner and no agreed communication chain. Senior leadership wants a timeline. The supply chain wants to know if orders will ship. Legal is already asking about regulatory disclosure. Your IT team is trying to contain an active breach while fielding all of it at once.

One decision that cannot wait is whether to bring in specialist incident response support. Ransomware recovery at scale is not something most internal IT teams handle regularly, and the evidence gathered in the first few hours – logs, memory dumps, network traffic – can be destroyed by well-intentioned but uninformed actions. Getting that forensic picture right matters, as it tells you how the attackers got in, what they reached, and whether the same access route is still open.

Easy mistakes that turn days into weeks

The next set of problems comes from a single flawed assumption: that your backups are clean.

Attackers who have had days inside a network know exactly where your backups live. Targeting them before triggering encryption is standard practice, not a worst-case scenario. According to Sophos’s State of Ransomware in Critical Infrastructure 2024, 98% of energy, oil, gas and utilities organisations reported that attackers had attempted to compromise their backups during the attack. Four in five of those attempts succeeded, the highest rate of backup compromise across any sector studied. The figures vary by sector, but the intent is consistent: backup infrastructure is a primary target.

Organisations that go straight to restore without verifying backup integrity can end up restoring encrypted or compromised data, effectively re-infecting their own environment. This extends recovery by days, sometimes longer, and introduces real uncertainty about whether the environment is clean when it comes back up.

The second common mistake is treating initial operational restoration as full recovery. Getting core systems back online is not the finish line. Data consistency checks, security hardening, and hunting for any persistence mechanisms the attackers left behind all take time. Skipping them often leaves the original access point intact.

Excluding ransom payments, the average cost of recovering from a ransomware attack reached $2.73 million in 2024, according to Sophos. A significant share of that figure comes not from the attack itself but from the extended recovery period that avoidable mistakes create.

Your backups aren’t enough

Backups are necessary, but not sufficient.

The architecture matters as much as the existence of a backup. Data held on network-connected storage that shares authentication with the rest of the environment is reachable by anyone who has compromised that environment. The credentials that gave attackers access to your file servers can, in many configurations, get them into your backup infrastructure too. This is one of the things we examine closely in a backup and resilience review, because finding that gap before an attack is considerably less expensive than finding it after one.

Immutable backups – where data is written once and cannot be modified or deleted, even by an administrator – remove that attack surface entirely. Air-gapped copies, held separate from the network, go further still. The practical question is whether those backups have been tested against a realistic recovery scenario recently. An untested backup is an assumption.
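The integrity check described under "Easy mistakes" and the "untested backup" point above can be made concrete. This is an added example, not Syscomm's code: it assumes a manifest of SHA-256 hashes per file was written at backup time to immutable or air-gapped storage (so a tampered backup cannot also carry a matching rewritten manifest), and verifies a restore candidate against it before anything is restored, flagging modified files whose content now looks encrypted. The sample backup set is constructed in a temporary directory.

```python
import hashlib, math, os, tempfile
from collections import Counter

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data):
    # Bits per byte; encrypted or random data sits close to 8.0.
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def verify_backup(root, manifest, entropy_threshold=7.5):
    """Compare files under root with the out-of-band manifest {relpath: sha256}.
    Empty 'modified'/'missing' and no 'suspicious' entries means the set matches
    what was recorded at backup time."""
    findings = {"modified": [], "missing": [], "unexpected": [], "suspicious": []}
    seen = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            seen.add(rel)
            if rel not in manifest:          # not in the original backup set
                findings["unexpected"].append(rel)
            elif sha256_file(full) != manifest[rel]:
                findings["modified"].append(rel)
                with open(full, "rb") as f:  # modified AND high-entropy: likely encrypted
                    if shannon_entropy(f.read(4096)) > entropy_threshold:
                        findings["suspicious"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)
    return findings

def demo():
    """Constructed sample set: one intact file, one overwritten with random bytes
    (as an encrypting payload would leave it), one deleted, one dropped in."""
    root = tempfile.mkdtemp()
    originals = {"docs/a.txt": b"quarterly report\n" * 50,
                 "docs/b.txt": b"customer list\n" * 50,
                 "db/c.sql": b"CREATE TABLE t (id INT);\n"}
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in originals.items()}
    for rel, data in originals.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").write(data)
    open(os.path.join(root, "docs/b.txt"), "wb").write(os.urandom(4096))
    os.remove(os.path.join(root, "db/c.sql"))
    open(os.path.join(root, "docs/README.locked"), "wb").write(b"constructed note")
    return verify_backup(root, manifest)
```

Run `demo()` to see the four finding categories populated; in practice the manifest must come from storage the backup host itself cannot write to, or the check proves nothing.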

Preparation determines the outcome

Two organisations hit by the same ransomware variant can end up with very different outcomes. The difference is the depth of their preparation.

Those with documented response playbooks, tested backup architectures, defined communication protocols, and established relationships with specialist incident response teams start their clock at a different point. They contain faster, restore from known-good infrastructure, and avoid the improvised decisions that drag out downtime. Organisations without that preparation spend the first 24 hours constructing the process under pressure, with incomplete information and a growing audience expecting answers.

According to Sophos’s State of Ransomware 2024, for the first time, more than half of organisations whose data was encrypted admitted to paying the ransom to recover it. That figure reflects how many arrive at that decision point with no better option available. Paying does not guarantee recovery, and it does nothing to close the gap that made the attack possible in the first place.

If you want to understand where your own gaps sit before an incident forces the question, Syscomm’s IT gap assessment is a practical starting point.

The decisions that determine your outcome in a ransomware incident are made long before the attack happens.

Watch the recovery process live

On 27th April, Syscomm and IBM are hosting a live ransomware recovery demonstration in London. You’ll see exactly what recovery looks like from a prepared position, from the architecture to the process, and the decisions that separate a contained incident from an extended crisis.

Register for the event →
