To recover from a ransomware attack in 30 days, work in four weekly stages: contain and preserve evidence (days 1 to 7), eradicate the threat and rebuild clean systems (days 8 to 14), restore operations from verified backups (days 15 to 21), and close the gaps that let the attacker in (days 22 to 30). The fourth stage is the one most teams skip, and it is why so many get hit twice. A ransomware continuous remediation approach treats recovery as the start of an ongoing cycle, not a one-time cleanup, so the same hole never gets used against you again.
I have spent 30-plus years in this work, and I have watched the same pattern over and over. Companies rush to get back online and never fix the root cause. Below is the plan I would hand a recently breached IT lead today.
The 30-day recovery at a glance
Before you touch anything
Two rules before the clock starts.
First, do not pay anything or wipe anything in the first hour. Preserve evidence. You will need it for insurance, for legal, and for figuring out how the attacker got in.
Second, assume the attacker is still inside. The moment ransomware fires is usually the last step; by then the intruder has often been in your network for weeks. Recovery that ignores that just resets the timer for the next attack.
Do not pay, do not wipe, and do not power down infected systems in the first hour. Pull them off the network instead. Memory holds evidence you will need for insurance, legal, and root-cause analysis. The single most expensive mistake in the first hour is destroying the trail that tells you how they got in.
The 30-day recovery plan
Week 1 (Days 1 to 7): Contain and preserve
The goal this week is to stop the spread and keep a clean evidence trail.
- Isolate infected systems from the network. Pull them off, do not power them down (memory holds evidence).
- Preserve logs, disk images, and ransom notes before anything changes.
- Notify your cyber insurance carrier and legal counsel. Most policies require fast notice, and the carrier often brings an incident response team.
- Stand up out-of-band communication. Assume email and chat are compromised. Use phones or a clean channel.
- Identify the scope: what is encrypted, what is exfiltrated, what is still clean.
You do not need every answer in week 1. You need containment.
Week 2 (Days 8 to 14): Eradicate and rebuild clean
Now you find the attacker and remove every trace, not just the obvious one.
- Hunt for the initial access point. Phishing, an exposed remote service, stolen credentials, an unpatched edge device.
- Find and remove persistence: backdoors, new accounts, scheduled tasks, malicious mail rules.
- Reset credentials across the board. Treat every password and key as burned.
- Rebuild from known-clean images. Do not "clean" an infected box and trust it.
- Deploy active endpoint detection so you can see if anything reawakens during the rebuild.
This is the week where rushing costs you the most. If you miss one backdoor, you are back to day one in a month. (When the initial access point turns out to be a social-engineered help desk, the Storm-1811 / Black Basta pattern is worth reading before you reset credentials.)
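One way to work the persistence hunt above against exported Windows event records, as an added example that is not code from the original post. The event IDs are real Windows Security/System log IDs; every host, account, task and timestamp below is constructed sample data, and the off-hours window is an assumed baseline.

```python
"""Triage constructed Windows event records for the Week 2 persistence list
(new accounts, scheduled tasks, services). Added example, not the post's own
code; event IDs are real Windows log IDs, all sample data is constructed."""
from datetime import datetime, timezone, timedelta

PERSISTENCE_EVENTS = {  # Windows Security/System log IDs for common persistence
    4720: "user account created",
    4698: "scheduled task created",
    4732: "member added to local security group",
    7045: "new service installed",
}

SAMPLE_EVENTS = [  # constructed; "subject" is the account or object named
    {"ts": "2024-05-01T09:15:00Z", "host": "FS01", "event_id": 4624, "subject": "jdoe"},
    {"ts": "2024-05-03T02:11:00Z", "host": "FS01", "event_id": 4720, "subject": "svc_backup2"},
    {"ts": "2024-05-03T02:13:00Z", "host": "FS01", "event_id": 4732, "subject": "svc_backup2"},
    {"ts": "2024-04-20T10:00:00Z", "host": "DC01", "event_id": 4698, "subject": "PatchCheck"},
    {"ts": "2024-05-03T02:20:00Z", "host": "DC01", "event_id": 4698, "subject": "OneDriveSync"},
    {"ts": "2024-05-04T23:41:00Z", "host": "WS17", "event_id": 7045, "subject": "RmtAssistSvc"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def hunt_persistence(events, window_start):
    """Return persistence events at/after the suspected intrusion start, each
    scored: +1 off-hours (22:00-06:00 UTC, an assumed baseline), +2 when a new
    account is added to a group within 30 minutes of being created."""
    start = parse_ts(window_start)
    hits = [e for e in events
            if e["event_id"] in PERSISTENCE_EVENTS and parse_ts(e["ts"]) >= start]
    hits.sort(key=lambda e: e["ts"])
    created = {}  # subject -> time of its 4720, for the creation->group-add chain
    findings = []
    for e in hits:
        ts = parse_ts(e["ts"])
        score, tags = 0, []
        if ts.hour >= 22 or ts.hour < 6:
            score, tags = score + 1, tags + ["off-hours"]
        if e["event_id"] == 4720:
            created[e["subject"]] = ts
        elif e["event_id"] == 4732 and e["subject"] in created \
                and ts - created[e["subject"]] <= timedelta(minutes=30):
            score, tags = score + 2, tags + ["new-account-to-group chain"]
        findings.append({"host": e["host"], "ts": e["ts"], "event_id": e["event_id"],
                         "kind": PERSISTENCE_EVENTS[e["event_id"]],
                         "subject": e["subject"], "score": score, "tags": tags})
    return sorted(findings, key=lambda f: -f["score"])  # highest priority first

if __name__ == "__main__":
    for f in hunt_persistence(SAMPLE_EVENTS, "2024-05-01T00:00:00Z"):
        print(f"{f['score']} {f['host']} {f['ts']} {f['event_id']} {f['kind']}: {f['subject']} {f['tags']}")
```

Each finding is something to review and remove during the rebuild, not proof by itself; the scoring only orders the queue so the account-creation chain is looked at first.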
Week 3 (Days 15 to 21): Restore operations
With clean systems and the attacker evicted, bring the business back.
- Restore data from backups you have verified are clean. Test the restore before trusting it.
- Bring systems back in priority order: revenue-critical first, then the rest.
- Keep active monitoring running on everything you restore.
- Validate that restored data is complete and that applications actually work, not just that files came back.
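A way to check that a restore is complete and intact rather than trusting that files came back, as an added example that is not code from the original post. It builds a SHA-256 manifest from the known-good source, compares the restored tree against it, and reports what is missing, changed or unexpected; the directory layout is constructed in a temporary folder.

```python
"""Verify a restored dataset against a manifest of the known-good source.
Added example, not the post's own code; the sample trees are constructed."""
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest

def verify_restore(expected, restored_root):
    """Compare a restored tree with the expected manifest. Returns a report of
    missing files, changed files (hash mismatch) and extra files; an empty
    report means the restore is complete and intact."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in expected if p not in actual),
        "changed": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "extra": sorted(p for p in actual if p not in expected),
    }

def restore_is_clean(report):
    return not any(report.values())

def demo():
    """Constructed scenario: one file silently truncated on restore, one never
    restored, and one stray file present only in the restore target."""
    source_files = {"ledger.csv": b"a,b\n1,2\n", "notes.txt": b"ok\n", "img.bin": b"\x00" * 100}
    restored_files = {"ledger.csv": b"a,b\n", "img.bin": b"\x00" * 100, "README.tmp": b"x"}
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "src"), os.path.join(tmp, "restored")
        for root, files in ((src, source_files), (dst, restored_files)):
            os.makedirs(root)
            for name, data in files.items():
                with open(os.path.join(root, name), "wb") as fh:
                    fh.write(data)
        return verify_restore(build_manifest(src), dst)

if __name__ == "__main__":
    print(demo())
```

In practice the manifest is taken when the backup is made and stored with the immutable copy, so the comparison does not depend on the possibly-encrypted source still being available.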
Week 4 (Days 22 to 30): Close the gaps for good
This is the difference between recovery and just surviving until the next one.
- Fix the root cause. Patch it, harden it, retire it, reconfigure it. Whatever let them in gets closed and proven closed.
- Add multi-factor authentication everywhere, especially remote access and admin accounts.
- Lock down backups so they cannot be encrypted: offline or immutable copies.
- Stand up continuous monitoring and a remediation process, so the next risk gets found and fixed before it becomes an incident.
- Run a real post-incident review and write down what changed.
By day 30 you should be back online and harder to hit than you were before the attack. That is the bar. Anything less leaves the door open. For the full breakdown of why this stage matters more than the cleanup, see ransomware prevention vs. response.
Why most recoveries fail (and how to avoid it)
Most tools and most providers stop at the alert. They monitor, they tell you something is wrong, then they hand you a ticket and walk away.
Continuous Remediation stops breaches. Not alerts. The fix is not more notifications. It is actually closing the findings and proving they are closed.
That is the gap ransomware lives in. An alert told someone something was off, and nobody had the time to chase it down. Recovery has to end with the root cause closed, or you are just buying time.
This is why I built Cyvatar around continuous remediation instead of alert noise. We do not just identify problems. We fix them and keep fixing them. Seven years. 229 customers. Zero major breaches or ransomware. That is not luck. It is what happens when remediation is the job, not an afterthought. (If you are weighing managed providers for recovery and ongoing coverage, we lay out the trade-offs in Cyvatar vs. Arctic Wolf for ransomware recovery and Cyvatar vs. Huntress: when to choose which.)
How Cyvatar approaches recovery: ICARM
Our methodology is called ICARM, and it maps cleanly onto a 30-day recovery.
- Installation. Our engineers deploy the security solution across your environment. We do not hand you a guide and disappear.
- Configuration. Tuning, policy enforcement, integrations, and exclusions so it works in your environment, not just in a demo.
- Assessment. Continuous assessment finds the real risks across endpoints, identities, cloud, and your exposure surface.
- Remediation. This is where everyone else stops and we keep going. We patch, harden, reconfigure, and retire the risk, then prove it is closed.
- Maintenance. Continuous monitoring, monthly reporting, and quarterly reviews. Then we cycle through assessment and remediation again. Forever.
Installation and Configuration are the one-time setup. Assessment, Remediation, and Maintenance are the continuous wheel that keeps you from getting hit again. Cyvatar delivers full lock down in 30 days or less. That is our delivery target on every engagement, measured at your Day 30 Posture Review. For the full picture of how this works against ransomware specifically, start with our ransomware reference page, and browse the rest of our hardening guides in the resource library.
Start by knowing where you stand
If you are mid-recovery, or you just want to know how exposed you are before something happens, get a baseline. Our free Business Scorecard at cyvatar.ai/business-scorecard gives you an honest read on your security posture in a few minutes. No sales call required. Know your gaps, then close them.
Frequently asked questions
How long does it really take to recover from a ransomware attack?
A focused recovery can be done in about 30 days for many small and mid-sized environments: roughly one week each to contain, eradicate and rebuild, restore, and close the gaps. Larger or more complex environments can take longer. The timeline depends on how widely the attacker spread and whether you have clean, tested backups.
Should I pay the ransom?
That is a decision to make with your legal counsel and insurance carrier, not in a panic in the first hour. Paying does not guarantee you get your data back, and it does not remove the attacker from your network. Focus first on containment, evidence preservation, and notifying the right people.
How do I know the attacker is actually gone?
You do not assume, you verify. Hunt for the initial access point, remove every form of persistence (backdoors, rogue accounts, malicious rules), reset all credentials, rebuild from known-clean images, and run active detection during and after the rebuild. If you only remove the obvious malware, the intruder can still be inside.
What stops a second ransomware attack after recovery?
Closing the root cause that let them in, enforcing multi-factor authentication, protecting backups with offline or immutable copies, and running continuous remediation so new risks get fixed before they become incidents. Recovery that ends at "we are back online" without closing the gap is the single most common reason companies get hit twice.
What is continuous remediation?
Continuous remediation means a security program does not stop at detecting and alerting on problems. It actually fixes them, on an ongoing cycle, and proves they are closed. Most monitoring tools and providers stop at the alert and hand you a ticket. Continuous remediation closes the loop, which is what keeps a known weakness from being used against you again. We go deeper in what is ransomware continuous remediation.
Can a small team handle a 30-day recovery alone?
Sometimes, but it is hard. The eradication and root-cause stages are where small teams get stretched thin, and a missed backdoor undoes everything. A partner who handles remediation end to end, not just monitoring, lets your team keep the business running while the threat gets fully closed out.