A practical guide to what ransomware recovery actually looks like for Melbourne businesses — the timeline, the decisions, the costs, and what determines whether you pay or restore.
The ransomware call comes in at 8:47am on a Tuesday. A staff member cannot open files. Then another. Then someone notices a file called README_DECRYPT.txt on the desktop. By the time the pattern is recognised, the encryption has been running for four hours.
This is not a hypothetical. It is a representative composite of incidents we have responded to for Melbourne businesses. What happens next — the decisions made in the following hours, days, and weeks — determines whether this is a serious incident the business recovers from, or a potentially business-ending one.
This guide covers what ransomware recovery actually looks like: the timeline, the decisions, the costs, and what separates businesses that restore quickly from those that pay or do not recover at all.
Hour Zero: The First Response
The most important action in a ransomware incident is isolation. Every minute the infection continues running, more files are encrypted. Every connected device that has not yet been reached is an opportunity to limit the damage.
Immediate actions (first 15 minutes):
- Disconnect affected devices from the network — physically unplug ethernet, disable Wi-Fi
- Do not turn off the devices (preserves forensic evidence in memory)
- Disconnect any connected backup drives or NAS devices from the network immediately
- Identify the likely patient zero — the device where encryption appears to have started
- Do not attempt to log in to systems that may be infected (credential theft often accompanies ransomware)
The critical mistake at this stage is hesitation. Businesses often wait to be certain before acting. Certainty comes at the cost of additional encrypted files, additional spread across the network, and additional risk that the ransomware has time to reach your backups.
The second critical mistake is turning off devices too quickly. Memory forensics can identify the ransomware variant, the encryption key (sometimes), the infection vector, and whether data has been exfiltrated before encryption. This information matters for recovery decisions and for any insurance claim or regulatory notification.
The First 24 Hours: Assessment
Once systems are isolated, the assessment phase begins. This is where you find out exactly what you are dealing with.
What needs to be determined:
Scope of infection. Which devices are encrypted? Which are not? Has the infection reached servers, cloud environments, or backup systems? This determines the complexity of recovery.
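Establishing scope and a likely patient zero can begin from filesystem metadata alone, before any forensic tooling is engaged. The script below is an added example and not part of the original guide: it walks a mounted share or a disk image, flags files whose content is near-random (a byte-entropy heuristic, which also fires on already-compressed formats such as zip or jpeg, so treat hits as leads rather than proof), counts hits per top-level folder, and points at the folder holding the earliest encrypted file. The ransom-note name is the one from the scenario above; the `.locked` extension, folder names, sizes and timestamps in the sample tree are constructed for the demonstration.

```python
import math
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

# Indicators assumed for this example: the ransom-note filename from the
# scenario above. Real families use their own note names and extensions,
# so treat these as placeholders to adjust per incident.
RANSOM_NOTE_NAMES = {"README_DECRYPT.txt"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data sits close to 8.0
MIN_SIZE = 1024           # entropy of tiny files is too noisy to trust
SAMPLE_BYTES = 65536      # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True when the file is at least MIN_SIZE bytes and its head is
    near-random. Compressed formats also score high, so this is a lead."""
    try:
        if path.stat().st_size < MIN_SIZE:
            return False
        with path.open("rb") as f:
            return shannon_entropy(f.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD
    except OSError:
        return False


def triage(root: Path) -> dict:
    """Walk `root` (a mounted share or disk image) and report ransom notes,
    apparently encrypted files per top-level folder, the earliest
    modification time seen in each, and the folder where encryption
    appears to have started."""
    notes, hits = [], {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name in RANSOM_NOTE_NAMES:
            notes.append(str(path.relative_to(root)))
            continue
        if looks_encrypted(path):
            parts = path.relative_to(root).parts
            top = parts[0] if len(parts) > 1 else "."
            hits.setdefault(top, []).append(path.stat().st_mtime)
    first_seen = {top: min(times) for top, times in hits.items()}
    return {
        "ransom_notes": sorted(notes),
        "encrypted_count": {top: len(t) for top, t in hits.items()},
        "first_seen": first_seen,
        "likely_origin": min(first_seen, key=first_seen.get) if first_seen else None,
    }


def build_sample_tree(base: Path, now: float) -> None:
    """Constructed sample data: 'finance' was hit about four hours ago,
    'sales' about one hour ago, one invoice survived, and a ransom note
    sits at the root of the share."""
    def write(rel: str, data: bytes, age_hours: float) -> None:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        ts = now - age_hours * 3600
        os.utime(p, (ts, ts))

    for i in range(3):
        write(f"finance/ledger{i}.xlsx.locked", os.urandom(8192), 4 + i * 0.1)
    for i in range(2):
        write(f"sales/pipeline{i}.docx.locked", os.urandom(8192), 1 + i * 0.1)
    write("finance/invoice.txt", b"Invoice 1042 paid in full\n" * 200, 30)
    write("README_DECRYPT.txt", b"Your files are encrypted.\n", 0.5)


def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root, time.time())
        return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real share, run it from a clean analysis host over a read-only mount or an image, never from a workstation that is itself under suspicion, and cross-check the earliest timestamps with authentication logs for the account that owned those files.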
Ransomware variant. Different ransomware families have different characteristics — some are decryptable, some are not. Some exfiltrate data before encrypting. Some have known decryption tools (check nomoreransom.org). The variant also indicates the likely threat actor and their typical behaviour.
Backup integrity. This is the most consequential question. Are your backups intact and restorable? Are they isolated from the infected environment? When were they last verified? This single factor determines whether you will pay or restore.
Exfiltration. Has data been stolen before encryption? Some ransomware groups now operate double-extortion models — encrypting your data and threatening to publish it publicly if you do not pay. Log analysis and dark web monitoring can identify whether exfiltration occurred.
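Exfiltration usually shows up in egress logs as a large outbound volume to a destination the business has no baseline for, often outside business hours. The following is an added example and not anything from the original guide: it aggregates a constructed firewall log (a generic five-field format, not any vendor's real one) by source and destination and flags unknown destinations above a volume threshold, with a lower bar during off hours. The addresses (RFC 5737 documentation ranges), the allowlist of known destinations and the thresholds are all assumptions to be replaced with your own baseline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed egress log in a generic "timestamp src dst dport bytes_out"
# form (not any vendor's real format). Addresses come from RFC 5737
# documentation ranges. One internal file server pushes 24 GiB to an
# unfamiliar host between 02:00 and 03:30.
SAMPLE_LOG = """\
2024-06-11T09:15:02 10.0.7.33 192.0.2.10 443 184320
2024-06-11T10:41:57 10.0.7.33 203.0.113.5 443 52000
2024-06-11T23:30:12 10.0.5.21 192.0.2.11 443 209715200
2024-06-11T02:03:41 10.0.5.21 198.51.100.77 443 4294967296
2024-06-11T02:21:09 10.0.5.21 198.51.100.77 443 4294967296
2024-06-11T02:38:55 10.0.5.21 198.51.100.77 443 4294967296
2024-06-11T02:57:30 10.0.5.21 198.51.100.77 443 4294967296
2024-06-11T03:14:02 10.0.5.21 198.51.100.77 443 4294967296
2024-06-11T03:32:47 10.0.5.21 198.51.100.77 443 4294967296
"""

# Assumed allowlist: destinations the business legitimately sends bulk data
# to (SaaS tenant, offsite backup target). Build yours from a real baseline.
KNOWN_EGRESS = {"192.0.2.10", "192.0.2.11"}
VOLUME_THRESHOLD = 5 * 1024 ** 3   # 5 GiB to a single unknown host
OFF_HOURS = (22, 6)                # 22:00 to 06:00 local: a tenth of the bar applies


def parse(log_text: str):
    """Yield (timestamp, src, dst, dport, bytes_out) for each well-formed line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src, dst, dport, nbytes = fields
        yield datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)


def is_off_hours(ts: datetime) -> bool:
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end


def find_exfil_candidates(log_text: str, known=KNOWN_EGRESS,
                          threshold=VOLUME_THRESHOLD) -> list:
    """Sum outbound bytes per (src, dst) pair and flag unknown destinations
    that received more than `threshold`, or a tenth of it when any of the
    flows ran off hours. Returns candidates sorted by volume, largest first."""
    totals = defaultdict(int)
    flows = defaultdict(int)
    first, last = {}, {}
    off = defaultdict(bool)
    for ts, src, dst, _dport, nbytes in parse(log_text):
        key = (src, dst)
        totals[key] += nbytes
        flows[key] += 1
        first[key] = min(first.get(key, ts), ts)
        last[key] = max(last.get(key, ts), ts)
        off[key] = off[key] or is_off_hours(ts)
    flagged = []
    for key, total in totals.items():
        src, dst = key
        if dst in known:
            continue
        bar = threshold // 10 if off[key] else threshold
        if total >= bar:
            flagged.append({
                "src": src, "dst": dst, "bytes_out": total, "flows": flows[key],
                "first": first[key], "last": last[key], "off_hours": off[key],
            })
    return sorted(flagged, key=lambda r: r["bytes_out"], reverse=True)


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_LOG):
        gib = hit["bytes_out"] / 1024 ** 3
        print(f"{hit['src']} -> {hit['dst']}: {gib:.1f} GiB over "
              f"{hit['flows']} flows, {hit['first']} to {hit['last']}")
```

To use it on a real export, map that vendor's fields onto the same five-tuple in `parse`. The thresholds are deliberately coarse: the question at this stage is whether gigabytes left the network and from which host, which then drives the notification analysis, not which particular files went.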
Notification obligations. The Privacy Act 1988 (Cth) and its Notifiable Data Breaches scheme require an eligible data breach (one likely to result in serious harm to the individuals concerned) to be notified to the OAIC and to those individuals as soon as practicable; state legislation, industry regulators and client contracts may add further obligations. Whether data was exfiltrated feeds directly into this analysis, so legal advice on notification obligations should be obtained within the first 24 hours.
The Decision: Pay or Restore?
The question every ransomware victim faces is whether to pay the ransom or restore from backup. This decision is determined almost entirely by backup quality, not negotiating preference.
When paying becomes a consideration
Paying is considered when:
- Backups are unavailable, corrupted, or also encrypted
- The data encrypted is critical and irreplaceable
- The business cannot survive the time required for alternative recovery
- The ransomware variant is not decryptable by known tools
Even then, paying is not a clean solution. Industry data consistently shows:
- Approximately 40% of businesses that pay receive a decryption tool that does not fully recover their data
- Paying confirms you are a viable target and may invite repeat attacks
- Recovery time after paying is still measured in days to weeks (the decryption process is slow)
- Paying does not address the exfiltration component of double-extortion attacks
- Cyber insurance coverage for ransom payments is increasingly restricted
When restoration is viable
If your backups are intact, isolated, and regularly tested, restoration is almost always preferable to paying. The timeline is longer, but the outcome does not depend on a criminal honouring a deal, and you come back on infrastructure you know to be clean.
Recovery via restoration is viable when:
- Backups are immutable: they cannot be encrypted or deleted from the compromised environment, even with stolen administrator credentials
- Backups are verified clean: taken before the intrusion, not merely before the encryption started, since attackers are often inside for days before they encrypt
- The Recovery Point Objective (RPO), the amount of data lost between the last clean backup and the incident, is acceptable
- The Recovery Time Objective (RTO), the time the rebuild and restore will take, is one the business can tolerate
This is why backup architecture decisions made before an incident matter so much. Immutable storage, air-gapped copies, and tested monthly restores are not bureaucratic security theatre — they are the direct determinants of whether a ransomware incident becomes a recovery exercise or a crisis.
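Checking those conditions against a backup catalogue is mechanical once triage has produced an earliest encryption time. Below is an added worked example, not code from the original guide, using a constructed catalogue for the scenario at the top of the page (encryption started at about 04:47, four hours before the 08:47 call). It picks the latest immutable snapshot that predates the encryption by a safety margin, measures the resulting data loss against the RPO, estimates restore time from data volume, throughput and rebuild time against the RTO, and names whichever constraint fails. The two-hour margin, the 200 GB/h throughput and the 48-hour rebuild are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Snapshot:
    """One restore point in the backup catalogue (constructed example schema)."""
    id: str
    taken: datetime
    immutable: bool                        # object-locked or offline copy the attacker could not alter
    last_test_restore: Optional[datetime]  # None if a restore from it was never exercised


def select_restore_point(snapshots, first_encryption, margin=timedelta(hours=2)):
    """Latest immutable snapshot taken at least `margin` before the earliest
    encryption timestamp found in triage. Anything later may already hold
    encrypted or attacker-modified files. The margin is an assumption; widen
    it when logs show the intruder was present earlier."""
    cutoff = first_encryption - margin
    eligible = [s for s in snapshots if s.immutable and s.taken <= cutoff]
    return max(eligible, key=lambda s: s.taken, default=None)


def assess_restore(snapshots, first_encryption, rpo, rto, data_gb,
                   restore_gb_per_hour, rebuild_hours, margin=timedelta(hours=2)):
    """Decide whether restoration is viable under the business's RPO and RTO,
    and name the constraint that fails when it is not."""
    snap = select_restore_point(snapshots, first_encryption, margin)
    if snap is None:
        return {"decision": "escalate",
                "reason": "no immutable snapshot predates the encryption window"}
    data_loss = first_encryption - snap.taken
    # Clean infrastructure is rebuilt before any data comes back.
    estimated_rto = timedelta(hours=rebuild_hours + data_gb / restore_gb_per_hour)
    result = {
        "snapshot": snap.id,
        "data_loss": data_loss,
        "rpo_met": data_loss <= rpo,
        "estimated_rto": estimated_rto,
        "rto_met": estimated_rto <= rto,
        "never_test_restored": snap.last_test_restore is None,
    }
    failed = [name for name, ok in (("RPO", result["rpo_met"]), ("RTO", result["rto_met"])) if not ok]
    if failed:
        result["decision"] = "escalate"
        result["reason"] = " and ".join(failed) + " not met with available backups"
    else:
        result["decision"] = "restore"
        result["reason"] = "clean immutable snapshot within RPO and rebuild fits RTO"
    return result


# Constructed catalogue for the scenario above: encryption began at about
# 04:47 (four hours before the 08:47 call). Nightly object-locked copies run
# at 02:00; the NAS also keeps hourly snapshots the attacker could reach.
FIRST_ENCRYPTION = datetime(2024, 6, 11, 4, 47)
CATALOGUE = [
    Snapshot("nightly-2024-06-09", datetime(2024, 6, 9, 2, 0), True, datetime(2024, 5, 28)),
    Snapshot("nightly-2024-06-10", datetime(2024, 6, 10, 2, 0), True, datetime(2024, 5, 28)),
    Snapshot("nightly-2024-06-11", datetime(2024, 6, 11, 2, 0), True, datetime(2024, 5, 28)),
    Snapshot("nas-hourly-2024-06-11T04", datetime(2024, 6, 11, 4, 0), False, None),
    Snapshot("nas-hourly-2024-06-11T07", datetime(2024, 6, 11, 7, 0), False, None),
]


def demo(catalogue=CATALOGUE, rpo_hours=24, rto_hours=72):
    """2 TB restored at an assumed 200 GB/h after an assumed 48-hour clean rebuild."""
    return assess_restore(catalogue, FIRST_ENCRYPTION, rpo=timedelta(hours=rpo_hours),
                          rto=timedelta(hours=rto_hours), data_gb=2000,
                          restore_gb_per_hour=200, rebuild_hours=48)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The NAS snapshot from 04:00 is newer and would lose less data, but it is excluded because the attacker could have tampered with it; only the 02:00 object-locked copy qualifies. Tightening the RTO to 48 hours flips the decision, which is the kind of answer the board needs before anyone discusses paying.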
The Recovery Timeline: What to Expect
For a Melbourne SMB that has proper backups and a tested recovery procedure, here is what recovery actually looks like:
Day 1–2: Triage and isolation. Assess scope, isolate all affected systems, secure the backup environment, engage forensic support if needed, notify insurer and legal counsel.
Day 2–4: Environment rebuild. Build clean infrastructure — either physical replacement, VM redeployment, or cloud failover. This takes longer than most businesses expect. You are not restoring to the infected environment; you are building a new clean one.
Day 4–10: Restoration. Restore data from verified clean backups to the new environment. Test restored data and applications. Validate that business-critical systems are functional before bringing staff back.
Day 8–14: Return to operations. Staged return of staff, starting with critical functions. Not all systems return simultaneously — prioritise by business impact.
Day 14–30: Post-incident work. Root cause analysis, attack vector remediation, security hardening, insurance claim documentation, regulatory notification if required, and lessons-learned review.
Total downtime for a well-prepared Melbourne SMB: 3–7 business days for partial operations, 10–20 days for full recovery.
For a business with inadequate backups: this timeline extends significantly. We have seen Melbourne businesses spend 6–10 weeks on recovery from ransomware incidents where backups were unavailable or unusable.
What Ransomware Recovery Actually Costs
The ransom itself is rarely the dominant cost. For Melbourne SMBs, ransoms are typically AUD $10,000–$150,000. But total incident costs — even for businesses that restore rather than pay — regularly exceed the ransom amount through:
Direct costs:
- Forensic investigation: $5,000–$30,000
- New hardware (if devices are replaced): $2,000–$20,000 depending on scope
- IT recovery labour (100–400 hours for a 20-seat business): $20,000–$80,000
- Legal advice and regulatory notification: $5,000–$20,000
- PR or communications if client notification is required: $5,000–$15,000
Indirect costs:
- Lost revenue during downtime: highly variable, often the largest cost component
- Staff overtime and productivity loss during recovery: $10,000–$50,000
- Client attrition if service disruption is significant
- Cyber insurance premium increases post-incident
For a Melbourne 20-person professional services firm, total ransomware incident costs — even with good backups and no ransom paid — typically range from $50,000 to $200,000.
This is the number to hold in mind when evaluating whether investing in proper backup architecture, tested recovery procedures, and proactive security controls is worthwhile.
How to Be Prepared Before It Happens
The businesses that recover quickest from ransomware share common characteristics. They did not prepare for ransomware specifically — they built general IT resilience that happens to handle ransomware well.
Immutable backups. Backups written to storage with object lock in compliance mode cannot be encrypted, overwritten, or deleted until the retention period expires, even by an attacker who has taken over the backup portal or the cloud account. Governance mode does not give that guarantee, because suitably privileged accounts can lift it, and a retention window shorter than the attacker's dwell time leaves no clean copy to restore. Done properly, this single architectural decision is the most impactful ransomware preparedness measure available to Melbourne SMBs.
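Whether a bucket actually delivers that guarantee depends on three settings, and a console that reads "Object Lock: Enabled" does not say which. This added example (not from the original guide) audits configuration documents in the shape that boto3's `get_object_lock_configuration` returns; the documents are constructed and no AWS call is made. The retention rule of thumb (one backup cycle plus a dwell-time margin) is an assumption for illustration.

```python
# Constructed configuration documents in the shape that boto3's
# S3.Client.get_object_lock_configuration returns; nothing here talks to AWS.
# A is what the paragraph above describes. B shows "Enabled" in the console
# but can be emptied by any principal allowed s3:BypassGovernanceRetention.
# C has the feature on with no default rule, so ordinary PUTs land unlocked.
# D never had the lock turned on (boto3 raises a ClientError for such a
# bucket rather than returning a document; an empty dict stands in here).
BUCKET_A = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}}
BUCKET_B = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}}}
BUCKET_C = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
BUCKET_D = {}


def retention_days(rule: dict) -> int:
    """Default retention in days; S3 expresses it as either Days or Years."""
    r = rule.get("DefaultRetention", {})
    return int(r.get("Days", 0)) + 365 * int(r.get("Years", 0))


def required_retention_days(backup_cycle_days: int, dwell_margin_days: int = 30) -> int:
    """Assumed rule of thumb for this example: one full backup cycle plus a
    margin for the time an intruder may sit undetected before encrypting,
    so a pre-intrusion copy still exists when you need it."""
    return backup_cycle_days + dwell_margin_days


def audit_object_lock(config: dict, required_days: int) -> list:
    """Findings that stop this bucket being a ransomware-safe backup target.
    An empty list means lock enabled, COMPLIANCE mode, and a default
    retention of at least `required_days`."""
    olc = config.get("ObjectLockConfiguration", {})
    if olc.get("ObjectLockEnabled") != "Enabled":
        return ["object lock not enabled: versions can be deleted with ordinary "
                "s3:DeleteObjectVersion permission"]
    rule = olc.get("Rule")
    if not rule:
        return ["no default retention rule: objects are written unlocked unless "
                "each PUT sets its own retention"]
    findings = []
    mode = rule.get("DefaultRetention", {}).get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"mode is {mode}: governance retention can be removed by "
                        "principals allowed s3:BypassGovernanceRetention")
    days = retention_days(rule)
    if days < required_days:
        findings.append(f"default retention {days}d is shorter than the "
                        f"{required_days}d needed to outlast dwell time plus a backup cycle")
    return findings


if __name__ == "__main__":
    need = required_retention_days(backup_cycle_days=30)
    for name, cfg in (("A", BUCKET_A), ("B", BUCKET_B), ("C", BUCKET_C), ("D", BUCKET_D)):
        print(name, audit_object_lock(cfg, need) or ["ok"])
```

The same three questions (is it on, which mode, how long) apply to any vendor's immutable or WORM backup tier; substitute that vendor's configuration fields in the audit function.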
Tested recovery procedures. A documented, practised recovery runbook. Staff who have walked through the steps before. Not just a backup — a tested ability to rebuild and restore under pressure.
Network segmentation. Systems that cannot communicate with each other cannot spread ransomware to each other. A segmented network contains an infection to one area instead of letting it traverse the entire environment.
EDR (Endpoint Detection and Response). Modern EDR tools like SentinelOne can detect and roll back ransomware encryption in real time — stopping an attack after the first few encrypted files rather than after hours of silent propagation. This is categorically different from traditional antivirus.
Privileged access controls. Ransomware runs with the permissions of the user it infects. Limiting administrative rights means limiting what the ransomware can reach. Staff who do not need admin access should not have it.
Incident response plan. A documented, rehearsed plan covering who to call, what to isolate, when to engage a forensic provider, and what regulatory notifications are required. The hour after discovery is not the time to figure this out.
What to Do Right Now
If you do not have confidence in the answers to these questions, ransomware recovery will be unnecessarily painful and expensive:
- Are our backups stored with immutability — can ransomware reach them?
- When was the last time we tested a restore from our backups?
- What is our Recovery Time Objective — how long can the business survive without IT?
- Do we have a documented incident response plan?
- Does our cyber insurance cover ransomware, and what are the conditions?
If any of these are unclear, our cyber security services and backup and disaster recovery services are starting points. We also offer a free cyber security assessment for Melbourne businesses that want to understand their current exposure before an incident forces the issue.