We recently helped another organization recover from a significant ransomware attack. There’s something about witnessing a disaster firsthand that changes how you look at everything. At PEOPLEIT, we’ve had our share of moments that make you step back, breathe deeply, and truly assess your preparedness. To help maintain confidentiality, we won’t share any specific details, but we can tell you this: what we’ve learned along the way has been invaluable.
Recovering from ransomware isn’t just a matter of restoring a few files and moving on. It’s a deep dive into everything you thought you had covered, every assumption you made, and, quite frankly, it’s a stressful reality check for any organization. Here are five key insights from our experiences—hard-earned lessons learned alongside our clients.
1. Documentation Means Nothing If You Can’t Access It
This is easy to overlook: if your systems are locked down and you can’t access your documentation, it doesn’t matter how meticulously you prepared it. We’ve seen this happen: teams scrambling to retrieve passwords or access essential details, only to find their password management tool locked within compromised servers.
Having documentation accessible outside of your network is key. Ensure you can get to the passwords and details that are vital to kickstart your recovery process. Without it, you’re stuck at square one.
2. Your Backups Aren’t Safe Unless They’re Immutable
Another hard reality: just because you’ve been diligent with backups doesn’t mean they’re safe from a ransomware attack. If your backups are connected to your operational systems, they will be targeted by the hackers and get hit just like everything else.
We learned that the best way to protect your backups from compromise is to make sure they’re immutable, meaning they cannot be changed or deleted until a set time has expired. Better still, ‘air-gap’ your backups to fully isolate them from your network. That immutable configuration might just be the difference between a smooth recovery and an extended nightmare.
3. You Need to Know Where You’ll Restore Your Infrastructure
The moment you realize your infrastructure has been compromised is not the moment to start thinking about where or how you’ll restore it. You need to have a plan before disaster strikes.
We recently faced this question head-on during a recovery. Where do you restore your backups if you can’t use the production server hardware? How do you make sure that forensic investigations can continue without wiping out critical evidence? These are questions you need to have answers for in advance. You can’t afford to be making these decisions when the clock is ticking and your systems are down.
4. A Disaster Recovery Team is Essential
This isn’t just about IT. A ransomware attack impacts the whole business, and you need more than technical experts in the room. Who’s handling PR? Who’s deciding whether to notify customers? What’s the plan for financial decisions, or whether to send employees home?
One of the biggest takeaways from our recent experience was the value of having a disaster recovery team in place: a core group of decision-makers with a clear plan and contact information readily accessible when systems go dark. And don’t just assume everyone has each other’s cell phone numbers. Verify it. Set up a communication protocol that works without relying on your main IT systems.
5. Prioritize Critical Systems to Keep the Business Running
In the chaos of a ransomware attack, one of the toughest questions to answer is how you’ll keep the business running. What needs to be restored first? Which systems are most critical to your operations?
From our experience, it’s usually not a matter of getting everything back online at once—it’s about prioritizing. Should customer service be up first? Or do you need to focus solely on shipping products? Sometimes, the best option is to go manual—like printing shipping labels or queuing incoming orders without your usual tools. You need to know what your critical systems are and be ready to pivot when necessary.
The Hard Truth: You Can’t Prepare Alone
Our experience shows that disaster preparation isn’t a solo effort. You need someone who isn’t buried in the day-to-day of your business to come in, facilitate, and guide you through the tough questions. At PEOPLEIT, we’ve found that nothing replaces a good practice run. Talking it through, setting up scenarios, and practicing as if it’s real is the best way to prepare.
That’s why we offer a Tabletop Ransomware Exercise. We walk through real ransomware scenarios and help you develop a recovery strategy tailored to your business. This isn’t just about talking through ideas—it’s about practicing the response. When a crisis hits, preparation makes all the difference.
If you want to ensure your team is ready, schedule a meeting with our team to plan a disaster preparedness tabletop. Having the right team in place could make all the difference when a real-world ransomware attack hits.
Because you don’t want to figure out how to recover when you’re hit—you need to know how to recover before it happens.