What are the recovery times for ransomware?

Ransomware attacks have become increasingly common in recent years. These cyber attacks infect a computer system and restrict access to files and data until a ransom is paid. Recovery times after a ransomware attack can vary greatly depending on the specific strain of ransomware, the extent of the infection, and steps taken by the victim organization.

What is ransomware?

Ransomware is a type of malicious software (malware) that encrypts or locks computer files and demands payment of a ransom in order to decrypt or unlock the files. It is distributed through various methods, such as phishing emails containing infected attachments or links, compromised websites, and exploit kits. Once installed on a system, ransomware encrypts important files and prevents normal access to the computer system until the ransom is paid. The ransom demand is generally issued with a deadline and threats of permanent data loss if unpaid. Attackers typically demand ransom payments in cryptocurrency, such as Bitcoin, which helps hide their identity.

How does ransomware infect systems?

There are several common infection vectors that allow ransomware to infiltrate computer systems:

  • Phishing emails – Malicious emails containing infected attachments or links are designed to look legitimate. Opening attachments or clicking links unleashes the ransomware code.
  • Compromised websites – Websites compromised by hackers may trigger ransomware drive-by downloads. Even legitimate sites can sometimes serve malware if hacked.
  • Out-of-date software – Unpatched, outdated software often contains vulnerabilities that are exploited by ransomware attackers.
  • Remote Desktop Protocol (RDP) – Exposed RDP ports allow remote access to networks. Attackers can brute force weak credentials or exploit other vulnerabilities to gain access and deploy ransomware across a network.

Once inside the system, ransomware seeks out and encrypts high-value files such as documents, media files, databases, and backups. The encryption algorithms used by ransomware variants are often robust and extremely difficult to crack without the decryption key.

How much ransom do attackers demand?

Ransom demands vary widely based on the ransomware strain, the victim, and the size of the target organization. Some key factors impacting demanded ransom amounts include:

  • Targeted vs broad campaigns – Attacks targeting larger, high-value organizations tend to demand larger ransoms, sometimes upwards of millions of dollars. Broad mass infection campaigns typically demand ransoms in the range of hundreds to thousands of dollars.
  • Negotiations – Many ransomware groups are open to negotations, sometimes lowering demands substantially if the victim engages with the threat actors.
  • Strain differences – More advanced strains with robust encryption and higher infection success rates tend to demand higher ransoms.
  • Reputation – Established ransomware groups often develop a reputation for following through on threats, increasing leverage in ransom negotiations.

Typical ransom demands often fall in the $200 to $2,000 range for smaller targets like individuals or small businesses. Larger organizations see average demands between $10,000 to $150,000. However, multi-million dollar ransom demands are becoming increasingly common, especially for ransomware strains like Ryuk, REvil, and DarkSide which focus on larger enterprise targets.

How do victims pay the ransom?

If the victim decides to pay the ransom demand, the ransomware attackers typically provide instructions on how to pay through cryptocurrency, such as Bitcoin. Common payment methods include:

  • Bitcoin wallets – Each victim is provided with a unique BTC wallet address to send payment to.
  • Tor sites – Some ransomware groups host Tor hidden services that allow anonymous ransom payments.
  • Negotiation sites – Many ransomware operators host dark web negotiation portals for communicating with victims and facilitating payments.

The ransomware decryption key is usually provided once payment is confirmed through the blockchain. Threat actors often partially decrypt a few files first as proof before sharing the full decryption tool. Some ransomware groups have also adopted ransomware-as-a-service models and provide affiliate groups with infrastructure for accepting and managing ransom payments.

What is the average recovery time?

Recovery timelines after a ransomware attack vary substantially based on the severity of the infection, the strain of ransomware, and whether the victim pays the ransom. Some general timeframes include:

  • Immediate response – The initial investigation, containment and remediation of ransomware typically takes at least 24-48 hours by IT security teams.
  • Complete recovery without payment – Weeks or longer may be required to fully restore encrypted files without paying the ransom, depending on backup availability.
  • With ransom payment – Recovery time is generally faster if the ransom is paid, with full decryption possible within 1-2 days.

According to various studies, the average recovery time for organizations that refuse to pay ransom demands can range from 2 to 6 weeks. This involves restoring data from backups, rebuilding systems, and implementing additional security measures.

For victims that do opt to pay, access to encrypted files is usually regained within 1-3 days following confirmed ransom payment and receipt of the decryption software. However, additional time is still required to fully restore all affected systems and data. Paid recovery timeframes generally fall in the 1 to 2 week range.

What affects the recovery timeline?

There are a number of key factors that influence the recovery time following a ransomware attack:

  • Degree of infection – Recovery takes longer if ransomware has encrypted large numbers of endpoints across networks.
  • Ransomware strain – Some variants encrypt faster and spread more aggressively than others.
  • Network segmentation – Recovery is faster if ransomware is confined to properly segmented areas vs. affecting an entire network.
  • Backups – Recent, isolated backups make restoration much faster for victims refusing to pay.
  • Restoration prioritization – Mission critical systems and data are prioritized first during recovery efforts.
  • Ransom payment – Paying the ransom generally results in quicker decryption and restoration times.

Additionally, factors like quality of incident response planning, staff resources, cyber insurance coverage, and coordination with law enforcement can impact how efficiently an organization can recover from a ransomware event.

Steps to recover from ransomware

The specific recovery process after a ransomware attack may vary between organizations, but some general best practices include:

  1. Isolate and contain – Disconnect infected systems from networks to prevent further spread. Shut down internet access, Wi-Fi, VPNs, FTP, and other connections.
  2. Secure backups – Ensure all backups are disconnected from networks and uninfected so safe data is available for restoration.
  3. Investigate and analyze – Determine timeline of infection, impacted systems, ransomware variant, and ransom demands.
  4. Remove malware – Use anti-malware tools to scan and clean infected systems before restoring data.
  5. Restore data – Retrieve data from clean backups first, then decrypt files if ransom is paid.
  6. Rebuild systems – Completely rebuild and patch infected systems from the ground up.
  7. Enhance security – Update antivirus software, firewalls, VPNs and other protections to prevent reinfection.
  8. Test and validate – Confirm restored data integrity and system functionality before reconnecting to networks.

Organizations should have a documented incident response plan in place to facilitate smooth coordination and execution of these recovery processes after a ransomware attack. Detailed logs should also be kept of all actions taken during the response and recovery efforts.

How can recovery be accelerated?

Some measures that can help accelerate recovery from a ransomware attack include:

  • Network segmentation and Access Controls – Containment is faster when ransomware can’t easily spread across flat networks.
  • Backups – Recent, offline and immutable backups make restoration much easier.
  • Incident response plan – Having a detailed plan speeds decision making and coordinated actions.
  • Cyber insurance – Policies can offset costs and provide access to forensic experts.
  • Cloud infrastructure – Cloud-based backups and infrastructure facilitate faster rebuilding.
  • Automated recovery tools – Scripts and automated workflows accelerate system rebuilds and data restoration.
  • Paying ransom – Gains decryption key quickly, enabling faster data recovery.

Combining security best practices with detailed incident response planning and testing is key to minimizing downtime and accelerating recovery in the aftermath of ransomware and other cyberattacks.

Recovery options without paying ransom

For victims who refuse to pay ransom demands, recovery options include:

  • Backups – Restoring data from uninfected backups is the primary recovery method.
  • Shadow copies – Point-in-time data copies made by Windows can recover some files.
  • Decryption tools – Free decryption tools are sometimes released for older ransomware strains.
  • Decryption keys – Keys may be cracked/leaked, or obtained by law enforcement through takedowns.
  • Data recovery services – Specialists may be able to recover some encrypted data without decryption.
  • Rebuild systems – Fully rebuilding infected systems allows restored data to be remapped.

The viability of these options depends on the ransomware variant. Sophisticated modern strains without flaws or available keys often leave data backups as the only reliable path to recovery without paying the ransom.

Should ransom be paid for faster recovery?

There are pros and cons to paying ransom demands:

Pros Cons
  • Faster recovery of encrypted data
  • Prevents loss of invaluable data
  • Cheaper than data recovery costs
  • Avoids downtime affecting operations
  • No guarantee files will be decrypted
  • Rewarding/funding criminal actors
  • Possibility of repeat attacks
  • Potential legal liability issues

There are good arguments on both sides of the ransom payment debate. Each organization needs to consider their unique situation, applicable laws and regulations, and make the decision they feel is right for their particular case.

How can recovery times be improved in the future?

Organizations can take various steps to strengthen ransomware resilience and minimize recovery times in the event of future attacks:

  • Implement layered backups – Maintain regular, isolated and immutable backups to accelerate restoration.
  • Harden security controls – Reduce attack surface and infection risks through technologies like firewalls, email filtering, endpoint detection etc.
  • Staff training – Conduct security awareness training so staff can identify threats like phishing emails.
  • Incident response planning – Develop and test detailed response plans and procedures.
  • Network segmentation – Isolate and compartmentalize systems and access to limit spread.
  • System redundancy – Maintain fault tolerance and redundancy in infrastructure.
  • Cyber insurance – Offset costs of recovery and utilize policy services.

Preparing for potential ransomware attacks through measures like these before they occur is key to minimizing disruption and recovery time.


Recovery from ransomware attacks varies widely based on the severity of infection, strain, and restoration methods used. While paying the ransom can accelerate decryption timelines, organizations should weigh the risks. Those refusing payment face longer recovery periods relying on backups. Robust incident response planning, testing and security best practices are imperative to effectively respond to and recover from ransomware.