How to recover from a ransomware attack

Richard Ryan, who’s been in IT management for 20+ years and has handled BUI’s cyber incident response team since 2018, takes us through the dos and don’ts…

Johannesburg, 02 Mar 2022

“It normally starts with a phone call, typically in the middle of the night,” says Richard Ryan, National Account Manager at BUI. “They’ll say, ‘Customer XYZ has been compromised… can you help?’” 

In today’s hyperconnected world, no company is immune to ransomware attacks. But, Ryan says, companies with a clear prevention strategy and recovery plan always fare better if disaster strikes. “I like to compare it to a home break-in,” he explains. “Of course, it’s vital to have burglar bars, cameras and beams in your garden… but it’s also important to have thought about exactly what you’ll do and who you’ll phone if someone does get in.”

Prevention is always better than cure

Having a solid security strategy, coupled with an immutable backup and recovery plan, doesn’t just reduce the chances of a breach, it also makes recovering from an attack easier. If you don’t already know what a proper plan should look like, I strongly urge you to read “All I want for Christmas is a foolproof data backup and recovery plan” before reading the rest of this article.

You’ve been breached. What now?

The sad truth is that even the best security plan in the world doesn’t guarantee immunity. Over the years, Ryan has responded to many cyber attacks. He’s seen some companies go out of business as a result of the fallout, and others get back on their feet within a couple of weeks. This gives him a unique perspective on what works and what doesn’t. While he could probably fill an entire book with advice, he’s also distilled some of his learnings into this really handy five-step process.

  1. Don’t panic. It won’t change the fact that you’ve been breached, and it certainly won’t help. A structured approach and a problem-solving attitude will stand you in good stead in the days, weeks and months ahead.
  2. Don’t pay the ransom! You may well be tempted to pay the criminals to get your data back, but this is a bad idea for several reasons. Not only is there no guarantee they’ll actually return your data (these guys are crooks, remember), but paying the ransom validates the business model and encourages them to attack someone else. And remember, paying for decryption doesn’t improve your security posture or remove the malware!
  3. Set up a response team. It’s absolutely vital that you get executive management to assemble an experienced response team as early as possible. As any veteran detective will tell you, every second counts. For most small and medium-sized firms, this will entail enlisting the help of a company that specialises in cyber security response.
  4. Isolate the breached area. One of the first things the response team should help you with is finding out where the breach occurred, and taking steps to ensure that the criminals can’t use the same broken window or picked lock to get into your IT infrastructure again – and steal more data.
  5. Document, document, document. You’re dealing with a criminal break-in, and evidence is really important in understanding the nature of the attack and how to prevent further damage. Keeping accurate records and preserving evidence is one of the keys to an efficient recovery. Make copies of all logs and password databases as soon as you can.

Leave it to the experts

Most organisations will not have faced this type of scenario before, which is why Ryan stresses the importance of enlisting expert help as early as possible. Trying to respond to the breach on your own almost always ends in tears. Not only is it highly likely that you’ll leave the door open for a second, more disastrous breach, but there’s also a very good chance that early errors in the investigation will delay the recovery process and compromise any potential insurance claims. Make sure your company’s legal department is involved in the decision-making processes from the outset.

It might seem like a good idea to immediately wipe all the data that’s been encrypted and start afresh from backups. You might feel pressured to recover as quickly as possible, but this is probably the worst course of action. Here, once again, the housebreaking analogy is useful: don’t fix that broken window or touch the crowbar you find in the rose bed until the police have been around! Legal factors should also be considered before starting any recovery process.

Don’t turn against your own people

Falling prey to a criminal attack is traumatic and Ryan urges victims not to react in anger. There’s also very little point in feeling sorry for yourself. Perhaps most importantly, he cautions against letting an attack turn you against your own people. Ryan says in many of the cases he’s been involved with, someone in IT has lost their job after an attack. “I find it terribly unfair,” he says. “Often it’s the very same person who’s been asking for better security all along!”

All attacks leave some scars

In his many years on the job, Ryan has come to realise that even the most seamless recovery from a cyber attack will leave some scars. We’ve already mentioned the emotional trauma it inflicts on your staff, but what about the reputational damage it causes your firm? Having a decent recovery plan makes it easier to recover data and get systems back up and running, but the reputational damage that follows a leak can be catastrophic. “I have seen some companies that never recover from an attack… typically companies that deal with personal customer data,” explains Ryan. “Once word gets out, their customers leave them in their droves. It’s very painful to watch.”

The bottom line

These days, no business is immune to ransomware attacks. Even tiny businesses should have a security budget and a carefully considered data backup and recovery plan. “It may seem an unjustifiable expense,” says Ryan. “But ask yourself this: can you afford not to have a backup and recovery plan?”



BUI is an award-winning IT consultancy delivering security solutions, specialised cloud services, and data-centre support to mid-market and enterprise-level customers worldwide.

Founded in 2000, BUI is a Microsoft Azure Expert MSP, a member of the Microsoft Intelligent Security Association, and a Gold Microsoft Partner with offices in the UK (London, England), the US (Irvine, California), South Africa (Cape Town, Durban and Johannesburg), and Kenya (Nairobi).

BUI’s recent accolades include:

  • 2021 Microsoft Security Partner of the Year
  • 2021 Microsoft Azure Infrastructure Partner of the Year
  • 2020 Microsoft Security Partner of the Year
  • 2020 Microsoft Modern Workplace Partner of the Year
  • 2020 Microsoft Azure Infrastructure Partner of the Year
  • 2020 Microsoft Country Partner of the Year – South Africa
  • 2019 Microsoft Cloud Partner of the Year
  • 2019 Microsoft Security Partner of the Year
  • 2019 Microsoft Services Partner of the Year
  • 2019 Microsoft Azure Consumed Revenue of the Year

Editorial contacts

Tayla Carstens
Marketing Manager, BUI
(087) 740 2400