How Should a Small Business Respond to a Ransomware Attack?

If your business is hit by ransomware, your first move is to isolate affected systems from the network immediately — unplug Ethernet cables, disable Wi-Fi, and do not power off machines. Then call your IT provider or managed service provider. Do not attempt to negotiate with attackers, and do not pay the ransom without professional guidance. The next few hours matter more than you think, and there is a clear path forward.

If you are currently experiencing a ransomware attack, go to our emergency response page now.

What Should You Do in the First 15 Minutes?

The initial response window is critical. The steps below, adapted from CISA’s ransomware response checklist, should be taken in this order:

  1. Isolate affected systems immediately. Disconnect compromised machines from the network. If multiple systems appear affected, take the network offline at the switch level. Leave machines powered on: encryption keys, running malware, and other forensic evidence may exist only in memory and are lost on shutdown. CISA’s one exception is a machine you cannot disconnect; powering it down is then the lesser evil, because it stops the spread.
  2. Switch to out-of-band communication. Assume attackers may be monitoring your email and internal messaging. Use phone calls or a messaging platform on a separate, unaffected network to coordinate your response.
  3. Contact your IT provider or MSP. If you have a managed service provider, call them immediately. They should already have an incident response plan for your environment.
  4. Do not open links in the ransom note or contact the attackers. Any interaction can give attackers additional information (for example, confirming that you are a live, worried victim) or escalate the situation.

What Happens in the First Few Hours?

Once systems are isolated and your IT team is engaged, the focus shifts to assessment and containment:

Determine the scope. Which systems are encrypted? Which are still clean? Are backups intact? Your IT team should examine detection systems, antivirus logs, and endpoint detection and response (EDR) tools to understand how far the attack has spread and identify the initial point of entry. The host with the earliest encryption activity is usually the place to start looking for how the attacker got in.
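As an added example (not from the original page or from any vendor’s tooling), the script below does the scoping step over a constructed set of EDR-style file events: it counts encrypted files and ransom notes per host, classifies each host as encrypted, review, or clean, finds the host with the earliest encryption activity, and lists what happened on that host beforehand. The log format, host names, the `.locked` extension, the `README_RESTORE.txt` note name, and the threshold of five files are all assumptions; map them to what your EDR exports and to what you see on disk.

```python
"""Scope a ransomware incident from constructed EDR-style file events.

Added example, not the page's or any product's code. The pipe-separated
format, hostnames, ".locked" extension and note filename are assumptions.
"""
from collections import defaultdict
from datetime import datetime

SUSPECT_EXT = ".locked"              # assumed: extension the encryptor appends
NOTE_NAMES = {"readme_restore.txt"}  # assumed: ransom note filename seen on disk
THRESHOLD = 5                        # encrypted files needed to call a host encrypted

# Constructed sample log: "timestamp|host|process|action|path", one event per line.
SAMPLE_LOG = r"""
2025-03-04T02:11:07|WS-ACCT-03|outlook.exe|write|C:\Users\dana\Downloads\invoice.zip
2025-03-04T02:11:41|WS-ACCT-03|invoice.exe|write|C:\Users\dana\AppData\Local\Temp\svc.exe
2025-03-04T02:40:12|WS-ACCT-03|svc.exe|rename|C:\Users\dana\Documents\q1.xlsx.locked
2025-03-04T02:40:12|WS-ACCT-03|svc.exe|rename|C:\Users\dana\Documents\q2.xlsx.locked
2025-03-04T02:40:13|WS-ACCT-03|svc.exe|rename|C:\Users\dana\Documents\budget.docx.locked
2025-03-04T02:40:13|WS-ACCT-03|svc.exe|rename|C:\Users\dana\Documents\payroll.pdf.locked
2025-03-04T02:40:14|WS-ACCT-03|svc.exe|rename|C:\Users\dana\Pictures\team.jpg.locked
2025-03-04T02:40:15|WS-ACCT-03|svc.exe|write|C:\Users\dana\Documents\README_RESTORE.txt
2025-03-04T02:52:03|FS-01|System|rename|D:\Shares\Finance\ar.xlsx.locked
2025-03-04T02:52:03|FS-01|System|rename|D:\Shares\Finance\ap.xlsx.locked
2025-03-04T02:52:04|FS-01|System|rename|D:\Shares\Finance\taxes.pdf.locked
2025-03-04T02:52:04|FS-01|System|rename|D:\Shares\HR\handbook.docx.locked
2025-03-04T02:52:05|FS-01|System|rename|D:\Shares\HR\reviews.xlsx.locked
2025-03-04T02:52:06|FS-01|System|write|D:\Shares\README_RESTORE.txt
2025-03-04T03:05:40|WS-HR-02|svc.exe|rename|C:\Users\lee\Desktop\notes.txt.locked
2025-03-04T03:05:41|WS-HR-02|svc.exe|rename|C:\Users\lee\Desktop\todo.txt.locked
2025-03-04T03:10:00|WS-SALES-07|excel.exe|write|C:\Users\sam\Documents\pipeline.xlsx
2025-03-04T03:10:30|WS-SALES-07|chrome.exe|write|C:\Users\sam\Downloads\brochure.pdf
"""


def parse(log_text):
    """Parse log lines into event dicts, sorted by timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        ts, host, proc, action, path = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "process": proc, "action": action, "path": path})
    return sorted(events, key=lambda e: e["ts"])


def triage(log_text, suspect_ext=SUSPECT_EXT, note_names=NOTE_NAMES, threshold=THRESHOLD):
    """Classify every host seen in the log as encrypted, review, or clean."""
    hosts = defaultdict(lambda: {"encrypted_files": 0, "ransom_notes": 0,
                                 "first_seen": None, "processes": set()})
    for e in parse(log_text):
        h = hosts[e["host"]]            # touching the entry records clean hosts too
        lower = e["path"].lower()
        filename = lower.rsplit("\\", 1)[-1]
        is_enc, is_note = lower.endswith(suspect_ext), filename in note_names
        if not (is_enc or is_note):
            continue
        h["encrypted_files"] += int(is_enc)
        h["ransom_notes"] += int(is_note)
        h["processes"].add(e["process"])
        if h["first_seen"] is None:
            h["first_seen"] = e["ts"]
    for h in hosts.values():
        if h["ransom_notes"] or h["encrypted_files"] >= threshold:
            h["status"] = "encrypted"
        elif h["encrypted_files"]:
            h["status"] = "review"       # a few hits: inspect by hand before trusting it
        else:
            h["status"] = "clean"
    return dict(hosts)


def earliest_host(report):
    """(host, timestamp) of the earliest encryption activity: the entry-point lead."""
    flagged = [(h, d["first_seen"]) for h, d in report.items() if d["first_seen"]]
    return min(flagged, key=lambda x: x[1]) if flagged else None


def lead_up(log_text, host, before):
    """Events on `host` before its first encryption: how the attacker got there."""
    return [e for e in parse(log_text) if e["host"] == host and e["ts"] < before]


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for host, d in sorted(report.items(), key=lambda kv: kv[1]["first_seen"] or datetime.max):
        print(f"{host:12} {d['status']:9} enc={d['encrypted_files']} notes={d['ransom_notes']} "
              f"first={d['first_seen']} via={','.join(sorted(d['processes'])) or '-'}")
    host, first = earliest_host(report)
    print(f"\nEarliest encryption on {host} at {first}; events before it:")
    for e in lead_up(SAMPLE_LOG, host, first):
        print(f"  {e['ts']} {e['process']} {e['action']} {e['path']}")
```

On the constructed data the earliest encryption is on WS-ACCT-03, and the events before it (a download by the mail client, then a dropped executable writing a second binary) are exactly the trail a responder follows to the initial point of entry. The file server shows encryption under the `System` process because the files were encrypted over the network share from the workstation, which is why a file server can be fully encrypted without ever running the malware itself.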

Preserve evidence. Do not wipe or rebuild systems yet. Forensic evidence is essential for understanding the attack, reporting to law enforcement, and filing insurance claims. Take system images if possible, and capture memory before anything is rebooted: what is in memory is the reason the machines were left powered on.

Check your backups. Verify that your backup systems were not also compromised. Attackers frequently target backups specifically to eliminate your recovery options, deleting volume shadow copies, wiping backup shares the infected host could reach, and in some cases revoking cloud snapshots. Verify the backup set against the hashes or restore tests recorded when it was taken; a backup whose files are merely present is not yet a backup you can trust. In our experience, businesses with properly segmented, offsite, and tested backups recover far faster than those without.
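The verification step above is worth doing with more than a directory listing. The script below is an added example (not the page’s or any backup product’s code) of the minimum: a hash manifest built when the backup is taken, sealed with an HMAC whose key is kept with the offsite copy, and a verification run that reports modified, missing, and suspicious files before anything is restored. The directory layout, file contents, the `.locked` extension, and the key handling are constructed assumptions; a real deployment stores the key and a copy of the manifest with the offsite copy, never on the backup server itself.

```python
"""Verify a backup set against a sealed hash manifest taken at backup time.

Added example, not the page's or any backup product's code. Paths, the
".locked" extension and the in-memory key are assumptions for the demo.
"""
import hashlib
import hmac
import json
import os
import tempfile

ENCRYPTED_EXT = ".locked"  # assumed: extension appended by the encryptor


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def seal(manifest, key):
    """Serialize the manifest and HMAC it; a rewritten manifest then fails to verify."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(root, body, tag, key):
    """Compare the backup on disk with the sealed manifest and say if it is restorable."""
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return {"manifest_ok": False, "restorable": False}  # manifest itself tampered
    expected, actual = json.loads(body), build_manifest(root)
    report = {"manifest_ok": True, "ok": [], "modified": [], "missing": [],
              "extra": [], "suspicious": []}
    for rel, digest in expected.items():
        if rel not in actual:
            report["missing"].append(rel)
        elif actual[rel] != digest:
            report["modified"].append(rel)          # encrypted or overwritten in place
        else:
            report["ok"].append(rel)
    for rel in actual:
        if rel not in expected:
            report["extra"].append(rel)
            if rel.endswith(ENCRYPTED_EXT):
                report["suspicious"].append(rel)    # renamed by the encryptor
    report["restorable"] = not (report["missing"] or report["modified"] or report["suspicious"])
    return report


def demo():
    """Constructed scenario: seal a small backup, then let the encryptor reach it."""
    key = b"offline-manifest-key"  # assumed: lives with the offsite copy, not here
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {"finance/q1.xlsx": b"q1 numbers", "hr/handbook.docx": b"policies",
                          "db/site.bak": b"sql dump"}.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        body, tag = seal(build_manifest(root), key)
        clean = verify(root, body, tag, key)
        # The encryptor hits the backup share: one file overwritten, one renamed, one deleted.
        with open(os.path.join(root, "finance/q1.xlsx"), "wb") as f:
            f.write(b"\x00garbage")
        os.rename(os.path.join(root, "hr/handbook.docx"), os.path.join(root, "hr/handbook.docx.locked"))
        os.remove(os.path.join(root, "db/site.bak"))
        after = verify(root, body, tag, key)
        tampered = verify(root, body + b" ", tag, key)  # attacker edits the manifest too
    return clean, after, tampered


if __name__ == "__main__":
    for label, rep in zip(("clean", "after attack", "tampered manifest"), demo()):
        print(f"{label:18} restorable={rep['restorable']} "
              + " ".join(f"{k}={rep[k]}" for k in ("modified", "missing", "suspicious") if k in rep))
```

A manifest check proves the bytes are what you wrote; it does not prove the backup works. The "tested" in tested backups still means periodically restoring a system from it and booting the result, ideally onto an isolated network.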

Notify your cyber insurance carrier. If you have a cyber insurance policy, contact your carrier early. Many policies require notification within a specific timeframe and may provide access to breach response resources including legal counsel and forensic investigators.

Should You Pay the Ransom?

The FBI and CISA strongly discourage paying ransoms. Here is why:

  • Payment does not guarantee recovery. There is no assurance that attackers will provide a working decryption key.
  • It funds future attacks. Every ransom paid finances the next attack on another business.
  • You may be targeted again. Paying signals to attackers that you are willing to pay, making you a repeat target.

The good news: according to the Verizon 2025 DBIR, 64% of victim organizations refused to pay ransoms, up significantly from 50% two years prior. The median ransom payment has also dropped to $115,000, down from $150,000, as more organizations invest in recovery capabilities instead of payment.

That said, some situations are genuinely complex. Consult with law enforcement and legal counsel before making any decision. Free decryptors exist for some ransomware families; the No More Ransom project (nomoreransom.org), run by Europol and industry partners, publishes them, and the FBI may be aware of others that are not public.

What Should You Do in the Days After an Attack?

Report the incident. File a report with the FBI’s IC3 and your local FBI field office. In Washington state, you may also have breach notification obligations depending on the data involved.

Begin recovery from clean backups. Work with your IT provider to rebuild affected systems from backups that predate the intrusion, using the timeline from your scope assessment to choose the restore point; a backup taken after the attacker was already inside restores their foothold along with your data. Rebuild operating systems from fresh installation media rather than whole-machine images, restore data onto the rebuilt hosts, and scan and verify each system before it rejoins the production network. This process should be methodical: putting a restored system back on the same network as unverified ones can restart the infection.

Reset all credentials. Once the attacker’s access has been removed and you are working from a clean network (resetting while they still have a way in only hands them the new passwords), change every password in your environment, starting with administrative and privileged accounts, and extend the reset to service accounts, VPN credentials, API keys, and cloud access tokens. On an Active Directory domain, also reset the krbtgt account password twice so that stolen Kerberos ticket material stops working. Enable or re-verify multi-factor authentication on all systems.

Conduct a post-incident review. How did the attackers get in? Was it a phishing email, an unpatched vulnerability, or a compromised credential? Understanding the root cause is essential for preventing it from happening again.

Communicate with your team. Your employees need to know what happened, what is being done, and what is expected of them during recovery. Clear communication reduces panic and prevents well-meaning staff from taking actions that could cause further damage.

How Do You Prevent the Next Attack?

Ransomware appeared in 44% of all breaches in the Verizon 2025 DBIR, and 88% of small business breaches involved ransomware. Prevention is not optional — it is a business requirement.

  • Maintain tested, segmented backups. Follow the 3-2-1 rule: three copies, two different media types, one offsite.
  • Patch aggressively, starting with anything reachable from the internet. In the Verizon 2025 DBIR, vulnerability exploitation accounted for 20% of breach entry points, overtaking phishing, and exploitation of VPN and firewall appliances made up a large share of that growth.
  • Train your employees. The human element played a role in 60% of breaches. Regular security awareness training makes your team a line of defense rather than a vulnerability.
  • Deploy endpoint detection and response. Traditional antivirus only blocks what it already recognizes. EDR tools record process and file activity, can isolate a host on command, and give responders the telemetry they need to scope an incident.
  • Build an incident response plan before you need one. Read our guide on creating an incident response plan.


If you are under attack right now, visit our emergency response page. If you want to prepare before an attack happens, contact ROI Technology Inc. to build your ransomware response plan.