Ransomware Response Plan: 6 Phases From Attack to Recovery

Learn how to build a ransomware response plan that your team can actually execute under pressure.

• Organizations with tested response plans recover faster and spend less on breach costs.
• Your response plan needs six phases: detection, triage, threat hunting, reporting, containment, and recovery.
• Pre-defined roles and procedures prevent the chaos that makes ransomware incidents worse.
• Testing your plan quarterly catches gaps before real attacks expose them.

A ransomware attack at 2am is the worst time to figure out who makes decisions. The average breach costs $5.08 million (IBM Cost of a Data Breach 2025). Much of that cost comes from delayed response and poor coordination.

Organizations with tested response plans recover faster. Those without one waste critical hours improvising while ransomware spreads across the network.

The difference isn’t just technical controls. It’s knowing exactly who does what, in what order, before the pressure hits.

This guide walks you through building a six-phase response plan, from detection through recovery.

Why Do You Need a Ransomware Response Plan?

A ransomware attack at 2am is not the time to figure out who makes decisions, which systems get isolated first, or where your backups actually live.

A ransomware response plan is a documented playbook that defines exactly how your organization detects and contains ransomware attacks. It covers recovery too. The plan assigns roles and responsibilities, establishes communication protocols, and outlines step-by-step procedures for every phase of incident response. Without one, teams waste critical hours improvising while ransomware spreads.

The numbers tell the story. According to Veeam’s 2025 Ransomware Trends Report, 69% of organizations experienced at least one cyberattack in the past year. Of those attacked, 64% paid the ransom. But here’s the painful part: only 49% of those who paid actually recovered their data.

Meanwhile, 25% of attacked organizations recovered without paying at all. What separated them from the paying victims? Clean, immutable backups and tested response plans.

A response plan gives you three critical advantages. First, it reduces panic. When everyone knows their role, you waste less time on “who should handle this?” Second, it speeds containment. Pre-defined isolation procedures stop ransomware from spreading to backup systems. Third, it preserves evidence. Documented steps ensure you collect forensic data before wiping systems.

Most organizations already have the technical controls. What they lack is the coordination to use them under pressure.

Who Needs a Ransomware Response Plan?

Every organization that relies on computers to operate needs one. That’s not hyperbole.

Small businesses often assume they’re not targets. The Verizon 2025 DBIR shows 88% of SMB breaches involve ransomware. Attackers know smaller companies have weaker security and often pay faster to avoid extended downtime.

Large enterprises face different challenges. Complex environments mean more attack surface and intricate dependencies between systems. A ransomware infection in one subsidiary can cascade across shared infrastructure.

Regulated industries face compliance pressures on top of operational risks. Healthcare organizations must maintain patient data access. Financial services have strict notification requirements. Critical infrastructure operators may face national security implications.

The question isn’t whether you need a response plan. It’s whether you’ll build one proactively or learn why you needed one during an actual attack.

But before we get into the response steps, let’s address the detection gap most organizations miss entirely.

How Do Ransomware Attacks Actually Start?

Ransomware doesn’t appear out of nowhere. Most attacks follow a predictable chain: credential theft, access sale, reconnaissance, data exfiltration, then encryption. This process takes days to weeks, not hours.

Initial access brokers (IABs) are cybercriminals who specialize in breaking into corporate networks and selling that access to ransomware operators. They harvest credentials through phishing and infostealer malware, then sell network access on dark web marketplaces. Your stolen credentials can circulate for weeks before a ransomware group purchases them.

According to Beazley Security, nearly 50% of ransomware attacks in Q3 2025 used stolen VPN credentials as the entry point. These credentials came from infostealer malware that harvested them weeks earlier.

For a detailed breakdown of how the infostealer-to-ransomware pipeline works, see our ransomware trends analysis. The key point for response planning: attackers are usually inside your network longer than you think. Your response plan needs to account for that.

What Are the Six Phases of a Ransomware Response Plan?

The response process breaks into six distinct phases. Each builds on the previous, and skipping steps creates problems downstream.

Phase 1: Detection and Initial Analysis

Speed matters here. The faster you detect the attack and isolate systems, the less damage spreads.

Immediate isolation steps:

  • Identify which systems show signs of ransomware activity
  • Disconnect affected systems from the network immediately
  • If multiple subnets are infected, take down those networks at the switch level
  • For systems you can’t disconnect, power them down as a last resort (this destroys volatile memory evidence)
  • Take snapshots of infected cloud systems for forensic investigation

Communication protocol: Assume attackers are monitoring your communications. They often gain access to email and collaboration tools before deploying ransomware. Use out-of-band channels like personal mobile phones or a separate communication platform for coordination.

Critical questions to answer:

  • Which systems are confirmed infected?
  • What’s the ransomware variant? (Check ransom notes and encrypted file extensions)
  • Are backups accessible and unaffected?
  • When did the encryption start? (Establish a timeline)

Document everything from this point forward. You’ll need this information for law enforcement, insurance claims, and post-incident analysis.

Phase 2: Triage and Prioritization

Not all systems are equally critical. Triage helps you focus recovery efforts where they matter most.

Build your critical asset list before an incident:

  • Systems essential to daily operations
  • Customer-facing services
  • Revenue-generating platforms
  • Safety-critical systems (especially in manufacturing, healthcare, and infrastructure)
  • Backup and recovery infrastructure

Having this list pre-defined saves hours during an actual incident. Update it quarterly as your environment changes.
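
The list above only becomes a usable restore order once dependencies are accounted for: a customer-facing web tier is worthless until the directory and database it relies on are back. The following added example (not part of this guide or Breachsense's own tooling) shows one way to turn a pre-defined critical asset list into a restore order. The inventory, its tier numbers and the `depends_on` links are constructed for illustration; the ordering is a priority-aware topological sort that never schedules a system before the systems it needs.

```python
# Constructed asset inventory (example data, not from a real environment).
# tier 1 = safety-critical or essential to daily operations, 2 = customer-facing
# or revenue-generating, 3 = everything else. depends_on lists the systems that
# must be working before this one is useful.
ASSETS = {
    "ad-dc01":        {"tier": 1, "depends_on": []},
    "backup-server":  {"tier": 1, "depends_on": []},
    "file-server":    {"tier": 2, "depends_on": ["ad-dc01"]},
    "erp-db":         {"tier": 2, "depends_on": ["ad-dc01"]},
    "erp-app":        {"tier": 2, "depends_on": ["erp-db", "ad-dc01"]},
    "web-storefront": {"tier": 2, "depends_on": ["erp-app"]},
    "wiki":           {"tier": 3, "depends_on": ["ad-dc01"]},
}


def restore_order(assets):
    """Return the order in which to restore systems.

    Hard constraint: a system is never scheduled before everything it depends
    on. Among systems whose dependencies are all restored, the most critical
    tier goes first, then alphabetical so the output is reproducible. This is
    Kahn's topological sort with a priority pick at each step.
    """
    unknown = {d for a in assets.values() for d in a["depends_on"]} - set(assets)
    if unknown:
        raise ValueError(f"dependencies not in inventory: {sorted(unknown)}")
    waiting = {name: set(a["depends_on"]) for name, a in assets.items()}
    order = []
    while waiting:
        ready = [n for n, deps in waiting.items() if not deps]
        if not ready:
            # Everything left waits on something else that is also left.
            raise ValueError(f"dependency cycle among: {sorted(waiting)}")
        pick = min(ready, key=lambda n: (assets[n]["tier"], n))
        order.append(pick)
        del waiting[pick]
        for deps in waiting.values():
            deps.discard(pick)
    return order


def restore_waves(assets):
    """Group the inventory into waves that can be restored in parallel: wave k
    contains the systems whose dependencies all sit in waves before k."""
    order = restore_order(assets)  # validates the graph first
    wave_of = {}
    for name in order:
        deps = assets[name]["depends_on"]
        wave_of[name] = 1 + max((wave_of[d] for d in deps), default=0)
    waves = {}
    for name, w in wave_of.items():
        waves.setdefault(w, []).append(name)
    return [sorted(waves[w]) for w in sorted(waves)]


if __name__ == "__main__":
    print("restore order:", " -> ".join(restore_order(ASSETS)))
    for i, wave in enumerate(restore_waves(ASSETS), 1):
        print(f"wave {i}: {', '.join(wave)}")
```

Tier is deliberately only a tiebreaker: it cannot pull a system ahead of something it depends on, which is the mistake a hand-written priority list tends to make under pressure. A cycle or a dependency that is missing from the inventory raises an error rather than producing a plausible-looking but wrong order, which is the kind of gap a quarterly review of the asset list should surface.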

Examine your security tools: Your antivirus, EDR, IDS/IPS, and SIEM should help identify additional infected systems. Look for:

  • Systems communicating with known malicious IPs
  • Unusual encryption activity on file servers
  • Lateral movement indicators
  • Evidence of precursor malware like Emotet or QakBot

Precursor malware often arrives weeks before ransomware deployment. If you find droppers, assume the attack has been underway longer than the encryption suggests.

Phase 3: Active Threat Hunting

Don’t assume the ransomware binary is the only problem. Attackers establish multiple persistence mechanisms to survive partial remediation.

Hunt for these indicators:

  • Newly created Active Directory accounts, especially with escalated privileges
  • Anomalous logins (off-hours access, impossible travel, unfamiliar locations)
  • Unexpected service accounts or scheduled tasks
  • Boot configuration changes
  • Presence of adversarial toolkits (Cobalt Strike, Mimikatz, NTDSutil.exe)
  • Abuse of legitimate Windows tools (PowerShell, BITSAdmin, CertUtil, WMIC)
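
The account, logon and scheduled-task indicators above map directly onto Windows Security log events, and the hunt is mostly a matter of correlating them in time order. The following added example (not from this guide or from Breachsense) walks a constructed excerpt of Security events and flags the patterns the list describes: a newly created account, that account being added to a privileged group minutes later, a scheduled task created by an unexpected principal, an off-hours interactive logon, and two logons from different countries too close together. The event IDs are the real ones (4720, 4728, 4698, 4624); the field names, the `country` enrichment, the business-hours window, the travel window and the allowlist of automation accounts are all assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed Windows Security log excerpt (example data, not from a real
# incident). Event IDs are the real ones: 4720 user account created,
# 4728 member added to a security-enabled global group, 4698 scheduled task
# created, 4624 successful logon. The "country" field is assumed to come
# from IP geolocation enrichment in a SIEM; the other field names are also
# assumptions standing in for the parsed event XML.
EVENTS = [
    {"time": "2025-11-03T09:12:00", "id": 4624, "user": "j.doe", "logon_type": 10,
     "src_ip": "203.0.113.10", "country": "US"},
    {"time": "2025-11-03T11:40:00", "id": 4624, "user": "j.doe", "logon_type": 10,
     "src_ip": "198.51.100.7", "country": "DE"},
    {"time": "2025-11-04T02:10:00", "id": 4624, "user": "j.doe", "logon_type": 10,
     "src_ip": "198.51.100.7", "country": "DE"},
    {"time": "2025-11-04T02:15:00", "id": 4720, "user": "svc_backup2", "by": "j.doe"},
    {"time": "2025-11-04T02:16:00", "id": 4728, "user": "svc_backup2",
     "group": "Domain Admins", "by": "j.doe"},
    {"time": "2025-11-04T02:20:00", "id": 4698, "task": "\\Microsoft\\Windows\\Update\\Check",
     "by": "svc_backup2"},
    {"time": "2025-11-04T10:05:00", "id": 4624, "user": "a.smith", "logon_type": 2,
     "src_ip": "10.0.5.21", "country": "US"},
    {"time": "2025-11-04T14:00:00", "id": 4698, "task": "\\Backup\\Nightly", "by": "sa-backup"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
TASK_CREATORS_ALLOWED = {"sa-backup", "sa-patching"}  # assumed allowlist of automation accounts
BUSINESS_HOURS = (7, 19)            # assumed: 07:00-19:00 local, Monday to Friday
TRAVEL_WINDOW = timedelta(hours=4)  # assumed: two countries within 4h is "impossible travel"
INTERACTIVE_LOGONS = {2, 10, 11}    # console, RDP, cached interactive


def _ts(event):
    return datetime.fromisoformat(event["time"])


def hunt(events):
    """Walk the events in time order and return (indicator, principal, detail)
    tuples for the Phase 3 indicators: new accounts, additions to privileged
    groups, scheduled tasks from unexpected creators, off-hours logons and
    impossible travel."""
    findings = []
    created = {}     # user -> when the account was created (seen in this log)
    last_logon = {}  # user -> (time, country) of the previous interactive logon
    for e in sorted(events, key=_ts):
        t = _ts(e)
        if e["id"] == 4720:
            created[e["user"]] = t
            findings.append(("new_account", e["user"], f"created by {e['by']}"))
        elif e["id"] == 4728 and e["group"] in PRIVILEGED_GROUPS:
            # An account that is created and made an admin minutes later is the
            # classic persistence pattern; rate it higher than an old account.
            age = t - created.get(e["user"], t - timedelta(days=365))
            severity = "high" if age <= timedelta(days=1) else "medium"
            findings.append(("privileged_group_add", e["user"],
                             f"{e['group']} by {e['by']} ({severity})"))
        elif e["id"] == 4698:
            if e["by"] in created or e["by"] not in TASK_CREATORS_ALLOWED:
                findings.append(("scheduled_task", e["by"], e["task"]))
        elif e["id"] == 4624 and e["logon_type"] in INTERACTIVE_LOGONS:
            off_hours = not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1])
            if off_hours or t.weekday() >= 5:
                findings.append(("off_hours_logon", e["user"], f"{e['time']} from {e['src_ip']}"))
            prev = last_logon.get(e["user"])
            if prev and prev[1] != e["country"] and t - prev[0] <= TRAVEL_WINDOW:
                findings.append(("impossible_travel", e["user"],
                                 f"{prev[1]} -> {e['country']} in {t - prev[0]}"))
            last_logon[e["user"]] = (t, e["country"])
    return findings


if __name__ == "__main__":
    for kind, who, detail in hunt(EVENTS):
        print(f"{kind:22} {who:14} {detail}")
```

The point of processing in time order with a little state is that the individual events are unremarkable on their own (accounts get created, admins get added, tasks get scheduled); it is the sequence within a few minutes, attributed to an account that itself logged on at 02:10 from a second country, that turns them into a finding worth acting on. In a real environment the same logic runs over SIEM output rather than an inline list, and the allowlist and time windows are tuned to the organization.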

Check for data exfiltration: Most modern ransomware groups steal data before encrypting. Look for:

  • Unusual outbound traffic volumes
  • Use of file transfer tools (Rclone, MegaSync, WinSCP)
  • Web shells or unusual HTTP POST activity
  • DNS tunneling indicators
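
"Unusual outbound traffic volumes" only means something relative to what each host normally sends: a file server's ordinary day would be an alarming one for a workstation. The following added example (not from this guide or from Breachsense) shows one way to check that indicator together with the transfer-tool indicator: each host is compared against its own median daily outbound volume, an absolute floor keeps tiny hosts from producing noisy ratios, and a spike on a host that also ran a known bulk-transfer tool is reported as corroborated. The daily byte totals, the EDR events, the thresholds and the list of tool image names are constructed for the example.

```python
import statistics

GIB = 1024 ** 3
RATIO_THRESHOLD = 5.0     # assumed: flag when today's volume exceeds 5x the host's own median
ABSOLUTE_FLOOR = 1 * GIB  # assumed: ignore hosts that never move much data (avoids noisy ratios)
TRANSFER_TOOLS = {"rclone.exe", "megasync.exe", "winscp.exe", "filezilla.exe"}

# Constructed daily outbound byte totals per host, oldest day first, as a SIEM
# would aggregate them from netflow or proxy logs (example data).
DAILY_OUT = {
    "fs01":    [2.1 * GIB, 1.8 * GIB, 2.4 * GIB, 2.0 * GIB, 1.9 * GIB, 47.0 * GIB],
    "ws-042":  [0.3 * GIB, 0.2 * GIB, 0.4 * GIB, 0.3 * GIB, 0.2 * GIB, 0.5 * GIB],
    "iot-cam": [0.01 * GIB] * 5 + [0.2 * GIB],   # 20x jump, but far below the floor
}

# Constructed EDR network-connection events: (host, process image, destination).
NET_EVENTS = [
    ("fs01", "rclone.exe", "api.mega.co.nz"),
    ("ws-042", "chrome.exe", "www.example.com"),
]


def volume_anomalies(daily_out, ratio=RATIO_THRESHOLD, floor=ABSOLUTE_FLOOR):
    """Flag hosts whose latest day of outbound traffic is far above their own
    history. Each host is compared to itself, because a file server's normal
    day would be an anomaly for a workstation. Median rather than mean so a
    single earlier spike does not raise the baseline and hide a later one."""
    hits = []
    for host, series in daily_out.items():
        if len(series) < 3:
            continue  # not enough history to call anything abnormal
        *history, today = series
        baseline = statistics.median(history)
        if today >= floor and today > ratio * baseline:
            hits.append((host, round(today / baseline, 1)))
    return hits


def transfer_tool_use(net_events, tools=TRANSFER_TOOLS):
    """Network activity by known bulk-transfer tools."""
    return [(h, p, d) for h, p, d in net_events if p.lower() in tools]


def exfil_hunt(daily_out=DAILY_OUT, net_events=NET_EVENTS):
    volume = volume_anomalies(daily_out)
    tools = transfer_tool_use(net_events)
    # Strongest signal: a volume spike on a host that also ran a transfer tool.
    tool_hosts = {h for h, _, _ in tools}
    return {
        "volume": volume,
        "tools": tools,
        "corroborated": [h for h, _ in volume if h in tool_hosts],
    }


if __name__ == "__main__":
    for key, value in exfil_hunt().items():
        print(f"{key}: {value}")
```

On the constructed data, `fs01` sends about 23 times its usual daily volume on the last day and the same host shows `rclone.exe` talking to a cloud storage endpoint, so it is the one host reported as corroborated; the workstation and the camera are left alone even though the camera's ratio is higher, because its absolute volume is negligible. The thresholds are starting points to tune per environment, not fixed detection rules.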

Review cloud configurations: If you use cloud infrastructure, verify:

  • IAM permissions haven’t been modified
  • Security group rules are intact
  • No unauthorized user accounts were created
  • Billing alerts haven’t been disabled (attackers sometimes spin up cryptomining instances)

Document every indicator of compromise you discover. You’ll need these for the eradication phase and for threat intelligence sharing.

Phase 4: Reporting and Notification

Most organizations underestimate the communication burden during a ransomware incident.

Internal notifications: Follow your incident response plan’s escalation procedures. Engage:

  • Executive leadership
  • Legal counsel
  • Communications/PR
  • HR (if employee data is affected)
  • Business unit leaders for affected systems

External notifications: Depending on your jurisdiction and industry:

  • Report to the FBI via IC3 (ic3.gov) or your local field office
  • Report to CISA (cisa.gov/report or 888-282-0870)
  • Notify your cyber insurance carrier immediately
  • Contact your sector-specific ISAC
  • Notify affected customers per breach notification laws

Use communication templates: Pre-drafted notifications save time and reduce legal risk. Prepare templates for:

  • Employee communications (what happened, what to do, what not to do)
  • Customer notifications (what data was affected, what you’re doing)
  • Media statements (if the incident becomes public)
  • Regulatory notifications (specific to your compliance requirements)

Avoid stating anything as fact until you’ve confirmed it. Early communications often prove inaccurate as the investigation progresses.

Phase 5: Containment and Eradication

This is where you remove the attacker’s access and prepare for recovery.

Preserve evidence first:

  • Capture memory dumps from infected systems before wiping
  • Preserve relevant logs (firewall, proxy, endpoint, authentication)
  • Image affected systems if possible
  • Document the ransomware variant and any indicators of compromise

Check for decryption tools: Before deciding on the recovery approach, search for known decryptors:

  • No More Ransom Project (nomoreransom.org)
  • ID Ransomware (id-ransomware.malwarehunterteam.com)
  • Consult with law enforcement who may have access to decryption keys

Eradicate attacker access:

  • Disable compromised accounts and terminate active sessions
  • Remove identified malware, web shells, and persistence mechanisms
  • Disable VPN and remote access until you’ve verified credentials haven’t been compromised
  • Block known malicious IPs and domains at the firewall
  • Reset the passwords for all affected accounts (do this after the environment is clean)

Rebuild affected systems: Don’t try to clean infected machines. Rebuild from known-good images or infrastructure-as-code templates. Ensure rebuilt systems:

  • Have all current patches applied
  • Run updated endpoint protection
  • Use new credentials
  • Connect to a clean, isolated network segment for verification before rejoining production

Phase 6: Recovery and Post-Incident Review

Recovery isn’t just restoring systems. It’s restoring operations without reinfection.

Restore from backups:

  • Verify backup integrity before restoration
  • Restore to isolated network segments first
  • Test restored systems before reconnecting to production
  • Prioritize critical systems identified during triage
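
"Verify backup integrity before restoration" needs something concrete to verify against. The following added example (not from this guide or from Breachsense) shows the usual approach: record a SHA-256 manifest of the backup set when the backup is taken, and compare the copy you are about to restore from against that manifest before it touches the isolated network. The files, the manifest and the simulated tampering are constructed inside a temporary directory; the example assumes the manifest itself was kept on immutable or offline storage, since a manifest an attacker can rewrite proves nothing.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1024 * 1024):
    """Stream a file through SHA-256 so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Hash every file under root, keyed by its path relative to root.
    In practice this runs at backup time and the result is stored somewhere
    the production network cannot write to (assumption for this example)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare a backup tree against the manifest captured when it was made.
    Returns (ok, problems); problems lists modified, missing and unexpected
    files. Any problem means this copy is not a known-good restore source."""
    current = build_manifest(root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(("missing", rel))
        elif current[rel] != digest:
            problems.append(("modified", rel))
    for rel in current:
        if rel not in manifest:
            problems.append(("unexpected", rel))
    return (not problems, sorted(problems))


def demo():
    """Constructed scenario: capture a manifest of a small backup set, confirm it
    verifies, then simulate what a ransomware run does to a reachable backup
    share (one file overwritten, one ransom note dropped) and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "db").mkdir(parents=True)
        (root / "db" / "erp.sql").write_bytes(b"CREATE TABLE orders (...);\n")
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        (root / "db" / "erp.sql").write_bytes(b"\x00garbage\x00")
        (root / "README_RESTORE.txt").write_bytes(b"your files are encrypted")
        tampered = verify_backup(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("untouched copy:", clean)
    print("tampered copy: ", tampered)
```

Two caveats that follow from earlier sections of this guide: an intact manifest match proves the copy has not changed since it was taken, not that it predates the intrusion, so pair this check with the timeline established in Phase 1 when choosing which backup generation to restore; and the check should run on the isolated segment, before the restored system is reconnected to production.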

Monitor for reinfection: The first few weeks after recovery are high-risk. Attackers may have left backdoors you missed. Increase monitoring for:

  • Outbound connections to previously blocked IPs
  • Repeated malware detections
  • Suspicious authentication activity
  • Signs of lateral movement

Conduct post-incident review: Within two weeks of resolution, document:

  • Timeline of the attack (initial access through resolution)
  • What worked well in your response
  • What failed or caused delays
  • Gaps in detection, response, or recovery capabilities
  • Specific improvements needed

Share intelligence: Consider sharing indicators of compromise with:

  • CISA
  • Your sector ISAC
  • Peer organizations
  • Threat intelligence platforms

This sharing helps the broader community defend against the same threat actors.

How Can You Detect Ransomware Before Encryption?

Response plans focus on what happens after detection. But the best outcomes come from catching attacks earlier.

Stolen credentials appear on dark web marketplaces and infostealer channels before attackers use them. If you’re monitoring these sources, you can reset compromised credentials before ransomware operators exploit them.

For a complete detection strategy, see our guide on detecting ransomware early. The short version: monitor for your credentials in dark web markets, watch ransomware leak sites for your vendors, and treat any credential exposure as urgent.

How Often Should You Test Your Response Plan?

A plan that sits in a drawer is not a plan. It’s documentation.

Recommended testing cadence:

  • Quarterly tabletop exercises: Walk through scenarios with your response team. Test decision-making, not just procedures.
  • Annual full simulation: Conduct a realistic drill that tests technical response, communication, and recovery procedures.
  • Post-incident reviews: After any security incident, review whether your plan worked and update accordingly.

What to measure: CISA and KELA recommend tracking these metrics:

  • Mean time to detect (MTTD): How long from initial compromise to detection?
  • Mean time to respond (MTTR): How long from detection to containment?
  • Recovery time objective (RTO): How quickly did you restore critical systems?
  • Recovery rate: What percentage of data was successfully restored?
  • Incident cost: Total cost including downtime, response, and remediation

If you’re not measuring, you can’t improve. Track these metrics across exercises and real incidents.

How Breachsense Supports Your Response Plan

A response plan works best when you know what’s already exposed. During Phase 5 (Containment and Eradication), you need to reset compromised credentials. But which ones?

Breachsense gives you visibility into credentials that have already leaked through infostealer logs and dark web marketplaces. Third-party breaches expose credentials too. When an incident hits, you’re not guessing which accounts are compromised.

For ongoing protection, credential monitoring alerts you when employee credentials appear on criminal marketplaces. This lets you reset them before attackers use them, reducing the incidents your response plan has to handle.

Book a demo to see how Breachsense fits into your ransomware defense.

Ransomware Response Plan FAQ

A ransomware response plan is a documented process for detecting and containing ransomware attacks, then recovering. It defines who does what when an attack hits, how to isolate infected systems, when to involve law enforcement, and how to restore operations. Without one, teams waste critical hours figuring out next steps while ransomware spreads.

Recovery time varies dramatically based on preparation. Organizations with tested response plans and clean offline backups can restore critical systems within days. Those without? The Veeam 2025 report found 64% of victims paid ransoms, but only 49% actually recovered their data. Many recoveries stretch beyond a year when backups are compromised.

There’s no universal answer. FBI and CISA advise against paying because it funds criminal operations and doesn’t guarantee recovery. The IBM 2025 report shows 63% of victims refused to pay. But for some organizations, paying is the least-bad option when backups fail and business survival is at stake. Key considerations: OFAC sanctions risk if the group is state-sponsored, whether your cyber insurance covers payments, and realistic recovery timelines without paying. Work with legal counsel and your insurance carrier before deciding.

Stolen credentials are the primary entry point. Nearly 50% of ransomware attacks in Q3 2025 used stolen VPN credentials (Beazley Security). Attackers buy these from initial access brokers who harvest them via infostealer malware. Phishing and unpatched vulnerabilities are also common. Exposed RDP remains a frequent target.

Your playbook needs incident response contacts with clear roles. Include isolation procedures for infected systems and backup restoration steps. Don’t forget communication templates for leadership and law enforcement contacts. Test quarterly with tabletop exercises.
