Sequentur Blog
How Long Does It Take to Recover from a Ransomware Attack
The honest answer is: longer than most businesses expect. The optimistic answer from a vendor selling incident response services is “a few days.” The reality for a small business without tested backups and a documented recovery plan is two to four weeks of disrupted operations, with some functions taking months to fully restore.
Recovery time depends on factors that are mostly settled before the attack happens: whether you have clean backups, how fast you detect the intrusion, how complex your systems are, and whether someone has thought through the recovery process in advance. Businesses that invested in managed detection and response and in tested backup recovery measure downtime in days. Businesses that did not invest in them measure it in weeks.
What the data says
Industry data on ransomware recovery timelines is consistent in one finding: recovery takes far longer than anyone plans for.
Coveware’s quarterly ransomware reports have put average downtime from a ransomware attack in the range of 20 to 24 days for businesses that pay the ransom, and 30 or more days for businesses that do not pay and recover from backups (when those backups exist and work). The Verizon Data Breach Investigations Report reinforces the other half of the picture: dwell time, the period the attacker is inside the network before being detected, lengthens the total timeline, because a longer dwell time means more systems are compromised and more data has to be investigated before rebuilding can start.
These numbers are averages that include enterprises with dedicated security teams and incident response retainers. For a small business with 20 to 200 employees, limited IT staff, and no pre-existing relationship with an incident response firm, the numbers tend to be worse.
The breakdown of recovery phases helps explain why it takes so long.
Phase 1: Detection and containment (hours to days)
The clock starts when someone notices the attack. For ransomware that encrypts files and displays a ransom note, detection is obvious. For ransomware that exfiltrates data before encrypting (increasingly common), the attacker may have been inside the network for days or weeks before triggering the encryption.
Signs that your network has been compromised include unusual login patterns, disabled security tools, unexpected outbound traffic, and new admin accounts. The earlier these are caught, the shorter the recovery.
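As an added illustration (this is not code from Sequentur or from any vendor’s product), the triage script below scans a constructed batch of Windows Security, Defender, and flow-log records for the four indicator classes named above and returns the hosts worth isolating first. The event IDs are the standard Windows ones (4720 account created; 4728, 4732, 4756 member added to a security group; 1102 audit log cleared; Defender operational event 5001 real-time protection disabled; 4624 logon). The business-hours window, the 1 GB outbound threshold, the `svc-` naming convention for service accounts, and the sanctioned egress range are assumptions made for the example, as are all hosts, accounts and addresses in the sample records.

```python
import ipaddress
from datetime import datetime

# Constructed sample records in the shape of a JSON event export. Hosts, accounts and
# addresses are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    {"ts": "2024-05-02T10:05:00", "host": "DC01", "channel": "Security", "event_id": 4720,
     "subject": "itadmin", "target": "newhire"},                     # benign: HR onboarding
    {"ts": "2024-05-03T02:11:07", "host": "DC01", "channel": "Security", "event_id": 4720,
     "subject": "svc-backup", "target": "support2"},
    {"ts": "2024-05-03T02:11:30", "host": "DC01", "channel": "Security", "event_id": 4728,
     "subject": "svc-backup", "target": "support2", "group": "Domain Admins"},
    {"ts": "2024-05-03T02:14:02", "host": "FS01",
     "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001},
    {"ts": "2024-05-03T02:15:40", "host": "DC01", "channel": "Security", "event_id": 1102,
     "subject": "support2"},
    {"ts": "2024-05-03T02:20:11", "host": "FS01", "channel": "Security", "event_id": 4624,
     "logon_type": 10, "subject": "svc-backup", "src_ip": "10.0.5.23"},
    {"ts": "2024-05-03T02:30:00", "host": "FS01", "channel": "Flow", "dst_ip": "203.0.113.40",
     "dst_port": 443, "bytes_out": 4_800_000_000},
    {"ts": "2024-05-03T09:00:00", "host": "WS12", "channel": "Flow", "dst_ip": "198.51.100.7",
     "dst_port": 443, "bytes_out": 20_000_000},                      # benign: SaaS sync
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global / local / universal security group
TAMPER_EVENTS = {
    ("Security", 1102): "audit log cleared",
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "Defender real-time protection disabled",
}
INTERACTIVE_LOGONS = {2, 10}            # console and RDP logon types
BUSINESS_HOURS = range(7, 19)           # assumption: 07:00-18:59 local time
EXFIL_BYTES = 1_000_000_000             # assumption: >= 1 GB to one destination in one flow
KNOWN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]  # assumption: sanctioned SaaS range


def _t(e):
    return datetime.fromisoformat(e["ts"])


def triage(events):
    """Return (findings, hosts_to_isolate). Hosts with any high-severity finding come first."""
    findings, created = [], {}

    def flag(e, category, severity, detail):
        findings.append({"category": category, "severity": severity,
                         "host": e["host"], "ts": e["ts"], "detail": detail})

    for e in sorted(events, key=lambda e: e["ts"]):
        chan, eid = e.get("channel"), e.get("event_id")
        if chan == "Security" and eid == 4720:
            created[e["target"]] = e      # remember creations to correlate with later privilege grants
        elif chan == "Security" and eid in GROUP_ADD_EVENTS and e.get("group") in PRIVILEGED_GROUPS:
            c = created.get(e["target"])
            fresh = c is not None and (_t(e) - _t(c)).total_seconds() <= 3600
            flag(e, "new_admin_account", "high" if fresh else "medium",
                 f"{e['target']} added to {e['group']} by {e['subject']}"
                 + (" within an hour of creation" if fresh else ""))
        elif (chan, eid) in TAMPER_EVENTS:
            flag(e, "security_tool_tampered", "high", TAMPER_EVENTS[(chan, eid)])
        elif chan == "Security" and eid == 4624 and e.get("logon_type") in INTERACTIVE_LOGONS:
            svc = e["subject"].startswith("svc-")        # assumption: service accounts are svc-*
            off_hours = _t(e).hour not in BUSINESS_HOURS
            if svc or off_hours:                         # service accounts never log on interactively
                flag(e, "unusual_login", "high" if svc else "medium",
                     f"interactive logon type {e['logon_type']} by {e['subject']} from {e['src_ip']}"
                     + (" (service account)" if svc else "") + (" off-hours" if off_hours else ""))
        elif chan == "Flow" and e.get("bytes_out", 0) >= EXFIL_BYTES:
            dst = ipaddress.ip_address(e["dst_ip"])
            if not any(dst in net for net in KNOWN_EGRESS):
                flag(e, "unexpected_outbound", "high",
                     f"{e['bytes_out'] / 1e9:.1f} GB to {dst}:{e['dst_port']}")

    hosts = sorted({f["host"] for f in findings if f["severity"] == "high"})
    return findings, hosts


if __name__ == "__main__":
    found, isolate = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['host']:5} {f['severity']:6} {f['category']:24} {f['detail']}")
    print("isolate first:", isolate)
```

Run as-is it reports five findings across DC01 and FS01 and flags neither the business-hours account creation nor the small SaaS upload; in practice the input is an export from your SIEM or EDR console, and the point of correlating 4720 with a later privileged-group add is that each event on its own is routine, while the pair within an hour at 2 AM is the reconnaissance stage this section says you want to catch.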
Containment means isolating affected systems so the encryption stops spreading. This is the step described in our ransomware recovery guide: disconnect affected machines from the network, cut the connections between network segments, and prevent the ransomware from reaching backup systems. Pull the network cable or disable the adapter rather than powering machines off: a running host’s memory holds evidence (running processes, open network connections) that the assessment phase needs and that is lost on shutdown. On a network without segmentation, containment may mean taking the entire network offline, which means immediate, total downtime for the business.
Typical timeline: 2 to 24 hours from detection to full containment, assuming someone is available to respond. If the attack happens at 2 AM on a Friday and nobody notices until Monday morning, containment does not start for 60+ hours.
This is the phase where 24/7 monitoring makes the biggest difference. An MDR provider detects the attack in progress, often during the pre-encryption reconnaissance phase, and contains it before the ransomware deploys. The difference between catching it at the reconnaissance stage and catching it after encryption is the difference between a contained incident (hours of disruption) and a full recovery scenario (weeks of disruption).
Phase 2: Assessment and forensics (days)
After containment, you need to understand what happened before you can start rebuilding. Skipping this phase and immediately restoring from backup risks reinfection because the entry point has not been identified and closed.
The assessment answers critical questions:
- How did the attacker get in? (Phishing, exposed RDP, unpatched vulnerability, supply chain compromise?)
- How long were they inside before deploying ransomware?
- Which systems are compromised?
- Was data exfiltrated before encryption?
- Are the backups clean, or did the attacker compromise those too?
- What credentials need to be rotated?
For businesses in regulated industries (HIPAA, PCI DSS), this phase also determines notification obligations. If patient data or payment card data was accessed, regulatory notification timelines start ticking.
Typical timeline: 3 to 7 days for a small to mid-sized business. Longer if the attacker had extended dwell time or if the environment is complex. A forensic investigation on a single compromised server takes a day. An investigation across 50 workstations, 5 servers, and 3 cloud services takes a week.
Businesses without an incident response retainer spend the first one to two days of this phase finding and engaging a forensics firm, which extends the timeline before any actual investigation begins.
Phase 3: Rebuilding and restoring (days to weeks)
This is the longest phase and where backup quality determines everything.
With clean, tested backups
If you have recent, clean backups stored separately from the production environment (following the 3-2-1 backup rule), the rebuild process is:
- Wipe affected systems completely (fresh OS installations)
- Harden the environment before restoring (close the entry point, rotate all credentials, enable MFA if it was not enabled)
- Restore data from the most recent clean backup (bare-metal recovery from an image-level backup is the fastest path – see server backup best practices for details)
- Verify the restored data is complete and functional
- Reconnect systems to the network incrementally
Typical timeline with good backups: 3 to 7 days for core systems. Two to four weeks for full operational restoration including edge cases, testing, and verification.
The gap between “core systems restored” and “fully operational” is larger than people expect. Email and file access may be back in three days, but line-of-business applications – accounting software, CRM, ERP – along with integrations with third-party services, custom configurations, and user workstations take longer. Every system that was rebuilt from scratch needs to be reconfigured, tested, and verified.
Without clean backups
If backups do not exist, are encrypted by the ransomware, have not been tested and fail during restore, or are too old to be useful, recovery options narrow dramatically – and this scenario is more common than most businesses expect:
- Pay the ransom and hope the decryption works. Even when it works, decryption is slow (days for large file servers), the attacker’s decryptor may only partially recover data, and paying does nothing about the copy of your data that was exfiltrated before encryption. Sophos’s State of Ransomware survey has reported that organizations that pay recover an average of about 65% of their data; the remainder is lost or corrupted.
- Rebuild from scratch. Re-create everything that was not backed up. For some data (client records, financial history, proprietary documents), this may be impossible. The business loses everything that was not backed up elsewhere.
- Accept partial data loss. Recover what you can from partial backups, email archives, cloud services, and employee local copies, and accept that some data is permanently gone.
Typical timeline without good backups: 2 to 6 weeks for core systems. Months for full recovery. Some data is never recovered.
The cost of this extended downtime is the part that exceeds the ransom demand itself. Lost revenue during weeks of partial operations, overtime for IT staff and the recovery team, emergency vendor costs, customer churn from inability to deliver services, and regulatory penalties in regulated industries all compound.
Phase 4: Hardening and verification (weeks)
Even after systems are restored and operational, the recovery is not complete. The environment needs to be hardened to prevent the same attack from succeeding again, and verification needs to confirm that the attacker does not still have access.
This phase includes:
- Implementing the security controls that were missing before the attack (EDR, MFA, network segmentation, email security)
- Rotating all credentials (every password, every API key, every service account)
- Patching the vulnerability that was exploited
- Monitoring the environment intensively for signs of re-compromise
- Running tabletop exercises to validate the updated incident response plan
- Completing compliance obligations (breach notification, insurer claims, regulatory filings)
Typical timeline: 2 to 4 weeks running in parallel with late-stage restoration.
What drives recovery time
Backup quality
This is the single largest factor. A business with daily backups stored offsite, tested quarterly, and covering all critical systems recovers in days. A business with untested backups that turn out to be corrupted, incomplete, or encrypted by the attacker recovers in weeks if at all.
The distinction between having backups and having tested, recoverable backups is critical. A backup that has never been tested is not a backup. It is a hope. The first time you test your backup should not be during an active ransomware incident.
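The added example below (not Sequentur’s tooling) turns “tested, recoverable backup” into a check you can schedule, and also covers the Phase 3 step of verifying that restored data is complete and functional. A SHA-256 manifest is built when the backup is taken and kept apart from the backup target; the restore test copies the backup to scratch space, compares it against the manifest, and then opens and queries a SQLite database in the restored tree as an application-level check. The directory layout, the sample document and database, and the simulated encryption of the backup share are all constructed for the example.

```python
import hashlib
import shutil
import sqlite3
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every file under root. Taken when the backup is made and
    stored OUTSIDE the backup target (separate system, separate credentials), so an attacker
    who can rewrite the backup cannot also rewrite the record of what it should contain."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest; 'ok' only if nothing is missing or changed."""
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    changed = sorted(k for k in manifest.keys() & actual.keys() if manifest[k] != actual[k])
    return {"ok": not missing and not changed, "missing": missing, "changed": changed, "extra": extra}


def functional_check_sqlite(db_path: Path) -> bool:
    """Hash equality is necessary, not sufficient: also prove the application can use the data."""
    if not db_path.is_file():          # sqlite3.connect would silently create an empty database
        return False
    try:
        con = sqlite3.connect(db_path)
        try:
            intact = con.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
            rows = con.execute("SELECT count(*) FROM invoices").fetchone()[0]
            return intact and rows > 0
        finally:
            con.close()
    except sqlite3.DatabaseError:
        return False


def _make_sample_data(src: Path) -> None:
    """Constructed stand-in for a file share plus a line-of-business database."""
    (src / "docs").mkdir(parents=True)
    (src / "docs" / "contract.txt").write_text("constructed sample document\n")
    con = sqlite3.connect(src / "erp.db")
    con.execute("CREATE TABLE invoices(id INTEGER PRIMARY KEY, amount REAL)")
    con.executemany("INSERT INTO invoices(amount) VALUES (?)", [(120.0,), (980.5,)])
    con.commit()
    con.close()


def _simulate_ransomware(tree: Path) -> None:
    """Models a backup share the attacker could reach: every file overwritten and renamed."""
    for p in list(tree.rglob("*")):
        if p.is_file():
            p.write_bytes(b"\x00" * 64)                # stand-in for ciphertext
            p.rename(p.parent / (p.name + ".locked"))


def run_restore_test() -> dict:
    """Scheduled restore test: restore to scratch, compare with the manifest, run the app check."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src, backup = base / "prod", base / "backup"
        _make_sample_data(src)
        shutil.copytree(src, backup)
        manifest = build_manifest(src)

        # Scenario A: healthy backup restored to scratch space.
        shutil.copytree(backup, base / "restore_a")
        clean = verify_restore(manifest, base / "restore_a")
        clean["functional"] = functional_check_sqlite(base / "restore_a" / "erp.db")

        # Scenario B: the backup target was reachable from production and got encrypted.
        _simulate_ransomware(backup)
        shutil.copytree(backup, base / "restore_b")
        bad = verify_restore(manifest, base / "restore_b")
        bad["functional"] = functional_check_sqlite(base / "restore_b" / "erp.db")
        return {"clean": clean, "encrypted": bad}


if __name__ == "__main__":
    for name, result in run_restore_test().items():
        print(name, "PASS" if result["ok"] and result["functional"] else "FAIL", result)
```

Scenario A passes both checks; scenario B fails with the original paths missing and `.locked` files present, which is exactly what a quarterly test would have shown before the incident. The manifest comparison is what catches a backup job that silently skipped files or copied already-encrypted data, and the application-level query is what catches a byte-perfect restore of a database the application still cannot open.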
For Microsoft 365 data specifically, built-in retention is not backup. Retention policies and recycle bins are compliance and convenience features living in the same tenant the attacker now controls: an attacker with Global Administrator rights can change or remove retention policies (unless a preservation lock was applied in advance), empty recycle bins, and purge data in ways that Microsoft’s built-in protections cannot prevent. A backup of M365 data belongs in a separate system with separate credentials.
Detection speed
The faster the attack is detected, the less damage is done. An attack detected during the reconnaissance phase (before encryption begins) may result in zero data loss and hours of downtime. An attack detected after full encryption of the file server, domain controller, and backup systems results in maximum damage and weeks of recovery.
Environment complexity
A 10-person company with one server, one cloud email provider, and a flat network recovers faster than a 200-person company with multiple servers, on-premises Active Directory, line-of-business applications, VPN infrastructure, and integrations with third-party services. Every additional system that needs to be rebuilt, reconfigured, and tested adds time.
Pre-existing incident response plan
Businesses with a documented, tested incident response plan know who to call, what to do first, and how to coordinate the recovery. Businesses without a plan spend the first days of the incident figuring out logistics while the clock runs.
Availability of expertise
Forensic investigators, incident response firms, and security consultants are in high demand. During periods of elevated ransomware activity, wait times for incident response firms can be days. Businesses with pre-existing retainers get priority. Businesses calling for the first time during an active incident go into a queue.
The hidden costs of extended recovery
Recovery time is not just an operational inconvenience. Every day of disrupted operations has a financial cost:
Lost revenue. If your business cannot process orders, serve clients, or deliver services, revenue stops. For a business doing $1 million in annual revenue, each day of total downtime costs roughly $2,740 in lost revenue. Three weeks of partial operations can easily exceed $30,000 in lost revenue alone.
Employee productivity. Staff who cannot access their systems, files, or email are either idle or working at reduced capacity. You are paying full salaries for partial output.
Emergency vendor costs. Forensic investigators, incident response firms, legal counsel, and breach notification services all charge premium rates for emergency engagements. A forensic investigation for a small business typically costs $10,000 to $100,000.
Customer impact. Clients who cannot reach you, receive deliverables, or access services during the recovery period may not come back. The trust damage compounds the longer the disruption lasts.
Insurance complications. Cyber insurance policies have specific notification windows and documentation requirements. Missing these during the chaos of a recovery can jeopardize coverage.
How to shorten recovery time before an attack happens
The businesses that recover in days instead of weeks have these things in place before the attack:
- Tested backups following the 3-2-1 rule. Three copies, two different media, one offsite. Tested quarterly with documented restore procedures.
- Managed detection and response. 24/7 monitoring that catches the attack during reconnaissance, not after encryption. The difference in recovery time is measured in weeks.
- Network segmentation. A compromised workstation cannot reach the backup server, the domain controller, or every file share. Segmentation limits the blast radius.
- Documented incident response plan. Who to call, what to do first, how to communicate with staff and clients, and how to coordinate with the forensic team. Written down and tested before it is needed.
- Endpoint detection and response on every device. EDR provides the forensic data needed to understand the attack quickly, which shortens the assessment phase from a week to days.
- Offline or immutable backups. Backups that the attacker cannot encrypt even if they compromise the network. Air-gapped, immutable, or stored in a separate environment with separate credentials.
The cost of implementing all of these is a fraction of the cost of a single ransomware recovery without them. The math is not close, and the data breach cost analysis makes this clear for any business willing to run the numbers.
Sequentur provides managed cybersecurity services that include MDR, backup management, incident response planning, and the security controls that shorten recovery time from weeks to days. If you want to understand your current recovery readiness and where the gaps are, reach out through our contact page and we can walk through your environment.