The Ransomware Threat Is Not Going Away

Ransomware attacks increased by 48% in 2023 according to the Verizon Data Breach Investigations Report, and SMBs are disproportionately targeted because they are seen as easier victims than large enterprises with dedicated security teams. The average ransomware payment in 2024 exceeded $1.5 million — and that figure does not include downtime costs, regulatory penalties, reputational damage, or the cost of rebuilding systems.

The most dangerous misconception about ransomware is that recovery is primarily a technical problem. In reality, the organizations that suffer the most are those that had no documented plan, no tested backups, and no clear chain of command for incident response. When attackers strike at 2 a.m. on a Sunday — and they often choose off-hours deliberately — the difference between a 24-hour recovery and a three-week outage comes down to preparation.

The 3-2-1-1-0 Backup Rule

Every ransomware recovery plan starts with backup strategy. The modern best practice has evolved from the classic 3-2-1 rule to the 3-2-1-1-0 rule:

  • 3 copies of your data
  • 2 different storage media types
  • 1 copy offsite
  • 1 copy offline (air-gapped) or immutable
  • 0 backup errors — all backups are verified

The critical addition is the offline or immutable copy. Modern ransomware operators routinely look for backup repositories before detonating, deleting or encrypting any backup they can reach over the network, and they often sit in the environment for weeks doing so. A backup stored in the same environment as your production data, or in a cloud storage account reachable with the same credentials, can be destroyed in the same attack. Immutable backup storage (Azure Blob with a locked, time-based immutability policy, or a Veeam hardened Linux repository) ensures that recovery points cannot be deleted or modified within their retention window, even by an attacker holding backup administrator credentials. Three details matter in practice: the policy must actually be locked (an unlocked Azure policy can still be removed by anyone with sufficient rights), the backup system should use its own credentials rather than domain accounts an attacker can harvest, and the retention window must be longer than the time an intruder is likely to spend in your network before striking, or the clean recovery points will have aged out.

Know Your Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

Before designing a recovery plan, you must answer two business questions:

  • RTO (Recovery Time Objective): How long can your business operate without its critical systems? Four hours? Twenty-four hours? One week? The RTO determines how quickly your recovery infrastructure must be able to restore service, and the clock includes detection, the decision to restore, and validation, not just the time it takes to copy data back.
  • RPO (Recovery Point Objective): How much data can you afford to lose? If your backups run nightly, your RPO is up to 24 hours, meaning you could lose an entire day of transactions, and a single failed nightly job that nobody notices stretches that to 48 hours. If you need an RPO of one hour, you need near-real-time replication or continuous data protection (CDP).

Document RTOs and RPOs for each critical system — ERP, email, file shares, customer database — and design your backup and replication strategy to meet them. The most common mistake is assuming that a nightly backup is sufficient without calculating what 24 hours of lost data actually means in dollars.
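Worked example, added here and not part of the original article: a short Python script that measures the RPO you actually achieve, per system, from a backup job log, compares it with the documented target, and translates the worst-case gap into dollars. The job records, the targets and the per-hour data values are constructed for illustration; the ERP log deliberately contains one failed nightly job so you can see how a single silent failure turns a 24-hour RPO into a 48-hour one.

```python
from datetime import datetime

# Constructed backup job log: (system, finished_at, status). Not real data.
BACKUP_JOBS = [
    ("erp",   "2024-03-01T01:05:00", "success"),
    ("erp",   "2024-03-02T01:07:00", "success"),
    ("erp",   "2024-03-03T01:02:00", "failed"),   # nightly job failed, unnoticed
    ("erp",   "2024-03-04T01:04:00", "success"),
    ("email", "2024-03-04T00:00:00", "success"),
    ("email", "2024-03-04T04:00:00", "success"),
    ("email", "2024-03-04T08:00:00", "success"),
]

# Hypothetical targets from the RTO/RPO worksheet, in hours.
RPO_TARGET_HOURS = {"erp": 24, "email": 4}

# Hypothetical business value of one hour of lost data, in dollars.
HOURLY_DATA_VALUE = {"erp": 2500.0, "email": 300.0}

# The moment the report is run (fixed so the example is reproducible).
NOW = datetime.fromisoformat("2024-03-04T09:30:00")


def achieved_rpo_hours(jobs, system, now):
    """Worst-case data-loss window for `system`: the largest gap between
    consecutive successful backups, or between the last success and `now`,
    whichever is bigger. Failed jobs do not count as recovery points."""
    successes = sorted(
        datetime.fromisoformat(ts)
        for sysname, ts, status in jobs
        if sysname == system and status == "success"
    )
    if not successes:
        return float("inf")  # no usable recovery point at all
    gaps = [b - a for a, b in zip(successes, successes[1:])]
    gaps.append(now - successes[-1])
    return max(gaps).total_seconds() / 3600


def rpo_report(jobs, targets, hourly_value, now):
    """Per-system comparison of achieved vs. target RPO, with the dollar
    value of the worst-case loss window."""
    report = {}
    for system, target in targets.items():
        achieved = achieved_rpo_hours(jobs, system, now)
        report[system] = {
            "target_hours": target,
            "achieved_hours": round(achieved, 2),
            "meets_rpo": achieved <= target,
            "worst_case_loss_usd": round(achieved * hourly_value[system], 2),
        }
    return report


def example_report():
    return rpo_report(BACKUP_JOBS, RPO_TARGET_HOURS, HOURLY_DATA_VALUE, NOW)


if __name__ == "__main__":
    for system, row in example_report().items():
        print(system, row)
```

In the constructed log the email system, backed up every four hours, meets its target; the ERP system, nominally on a 24-hour RPO, is exposed to a 47.95-hour loss window because of the one failed job, which at the assumed $2,500 per hour is almost $120,000 of unrecoverable transactions. Pointing this at real job history (most backup products can export it) is the calculation the paragraph above asks for.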

Build Your Incident Response Plan

An Incident Response Plan (IRP) is a documented, step-by-step guide for what to do when an attack is detected. It should include:

  • Detection and triage: Who is alerted first? How is the scope of the attack assessed?
  • Containment: What systems are isolated immediately? Who has the authority to take systems offline?
  • Communication: Who notifies employees, customers, and regulators? What is the approved messaging?
  • Eradication: How is the attacker's presence removed? Who conducts forensics?
  • Recovery: In what order are systems restored? Who validates data integrity before going live?
  • Post-incident review: What lessons are documented and implemented?

The IRP must exist as a printed document, not just as a file on a server that may be encrypted during the attack. Keep copies offsite, with your IT managed service provider, and in an out-of-band location that does not share credentials with your corporate identity provider (a personal mailbox is a common stopgap, but it puts contact lists and system details outside the company's control; an account the company owns, with its own MFA, is the better choice). For the same reason, the plan should name an out-of-band communication channel, since corporate email and chat may be down or watched by the attacker while you respond.

Test Your Plan — Or It Does Not Exist

A backup that has never been restored is not a backup — it is a hypothesis. A recovery plan that has never been practiced is not a plan — it is a wish. Axiom IT Group recommends the following testing cadence:

  • Monthly: Verify backup completion reports and investigate every failed or skipped job. Spot-check individual file restores, including restores from the offsite or immutable copy rather than only the local one.
  • Quarterly: Full server restore test to an isolated environment, including at least one domain controller. Validate that the restored system functions correctly and record the elapsed time against the documented RTO.
  • Annually: Tabletop exercise simulating a ransomware attack. Walk the leadership team through the IRP, identify gaps, and update the plan.
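Worked example, added here and not part of the original article, serving both the "0 backup errors" point of the 3-2-1-1-0 rule and the monthly/quarterly restore checks above: a Python script that records a SHA-256 manifest of a backup at backup time, restores the backup into an isolated directory, and verifies every file against the manifest, then corrupts one file and deletes another to show that the check catches both. The "production" tree is constructed in a temporary directory, and a plain directory copy stands in for whatever backup tool you use; the manifest-and-verify logic is the part that transfers.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Streamed SHA-256 so large backup files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map of relative POSIX path -> sha256 for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest captured at backup time.
    Reports files that are missing, have a different checksum, or were not
    in the backup at all. 'ok' is True only if all three lists are empty."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupted = sorted(
        p for p in manifest if p in restored and restored[p] != manifest[p]
    )
    return {
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
        "ok": not (missing or corrupted or extra),
    }


def run_restore_test():
    """Constructed end-to-end restore test. Returns the verification result
    for a clean restore and for a deliberately damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed 'production' data, not from any real system.
        prod = Path(tmp, "production")
        (prod / "db").mkdir(parents=True)
        (prod / "db" / "orders.csv").write_text("id,amount\n1,100\n2,250\n")
        (prod / "config.ini").write_text("[erp]\nmode=live\n")

        # Backup: copy the tree and record checksums at backup time.
        # In real use the manifest lives with the immutable copy.
        backup = Path(tmp, "backup")
        shutil.copytree(prod, backup)
        manifest = build_manifest(backup)

        # Restore into an isolated location, never over production.
        restored = Path(tmp, "restore_test")
        shutil.copytree(backup, restored)
        clean = verify_restore(manifest, restored)

        # Simulate a partial or corrupted restore and verify again.
        (restored / "db" / "orders.csv").write_text("id,amount\n1,100\n")
        (restored / "config.ini").unlink()
        damaged = verify_restore(manifest, restored)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_restore_test()
    print("clean restore ok:", clean["ok"])
    print("damaged restore:", damaged)
```

A backup job that reports "completed" tells you the copy finished, not that what it wrote can be read back; the manifest is what turns a restore drill into a pass/fail result you can file with the monthly report.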

Segment Your Network to Contain the Blast Radius

Ransomware spreads laterally through networks by exploiting trust between systems: shared credentials, open SMB and RDP, and flat networks where every workstation can reach every server. Network segmentation limits this propagation by placing critical systems (domain controllers, backup servers, financial systems) on isolated network segments that are not directly accessible from workstations. Even a basic VLAN separation between employee workstations and servers dramatically reduces how far ransomware can spread before being detected, provided there is a firewall or access control list between the VLANs that allows only the specific ports each application needs; a VLAN with unrestricted routing between segments is a label, not a boundary. Two rules deserve priority: block workstation-to-workstation SMB and RDP, since that is the path most strains use to hop between endpoints, and allow only the backup infrastructure itself to reach the backup repository.

"The question is not whether your business will face a ransomware attempt — it is whether you will be ready when it happens. Preparation is the only variable you control."

Cyber Insurance: Not a Replacement for Planning

Cyber insurance can cover ransom payments, legal costs, and some recovery expenses — but policies are becoming more restrictive and expensive. Insurers now routinely require evidence of MFA, EDR, tested backups, and documented IRPs before issuing coverage. More importantly, cyber insurance does not cover business reputation, customer trust, or the competitive damage from extended downtime.

How Axiom IT Group Can Help

Our team conducts Ransomware Readiness Assessments for Colorado businesses of all sizes. We evaluate your backup strategy, network segmentation, identity controls, and incident response planning, then deliver a clear remediation roadmap. We also manage backup infrastructure, EDR platforms, and 24/7 security monitoring for clients who want a fully managed approach.

Do not wait until after an attack to discover the gaps in your plan. Contact us today.