60 Days After Ransomware: Why IT Foundation Determines Recovery Speed
The 60-day ransomware recovery timeline and why companies with managed IT infrastructure recover weeks faster than those rebuilding from scratch.

Most of the attention around ransomware focuses on the first few hours. Containment, forensics, the scramble to understand what happened. But the initial crisis is just the beginning. The real test plays out over the next 60 days, and how fast your business recovers depends almost entirely on what your IT infrastructure looked like before the attack hit.
We covered what the first 48 hours actually look like in a previous post. This one picks up from there and walks through the full recovery arc, from initial triage through hardening, showing where the gap between prepared and unprepared companies gets widest.
Days 1-3: Incident Response and Triage
The first 72 hours are about stopping the bleeding. Your incident response team needs to isolate affected systems, identify the attack vector, and determine the scope of the compromise. Every hour of delay at this stage extends the total recovery timeline by multiples.
Companies with a managed IT provider typically have an incident response process already documented and tested. The SOC team is already monitoring the environment, asset inventories are current, and communication chains are established. When the call comes in, response starts immediately because the groundwork was laid months ago.
Companies without managed IT face a different reality. They need to find a response team, explain their environment from scratch, and reconstruct basic information that should already exist: what systems they run, where backups are stored, who has admin credentials. IBM’s 2024 Cost of a Data Breach Report found that organizations with an incident response team and regularly tested IR plans saved an average of $2.66 million per breach compared to those without.
That gap in the first three days sets the trajectory for everything that follows.
Week 1: Forensics and Containment
Once immediate containment is in place, the forensic investigation begins. Your response team needs to determine exactly how attackers got in, how long they had access, what data they touched, and whether they left backdoors for re-entry.
This phase relies heavily on logging and monitoring data. If you have a managed SIEM collecting and correlating logs across your environment, your forensic team has the evidence they need. Firewall logs, authentication records, endpoint telemetry from tools like SentinelOne, and email activity all feed into the investigation. An EDR platform does more than detect threats in real time. It records endpoint activity that forensic analysts use to reconstruct the full attack chain after the fact.
Without centralized logging, forensic work slows to a crawl. Investigators spend days requesting access to individual systems, pulling logs manually, and working around gaps where data was never collected. We have seen forensic investigations take three weeks at organizations with no monitoring infrastructure compared to five days at organizations with managed detection and response in place.
The forensic findings also determine your legal obligations. If the investigation confirms that personal data was accessed, breach notification timelines start running. Under Texas law (HB 4), you have 60 days from discovery to notify affected individuals. HIPAA carries a similar 60-day notification window. Having clear forensic evidence accelerates this process and reduces your legal exposure.
Weeks 2-4: Restoration and Rebuilding
This is where many recovery efforts stall. The crisis is over, the forensic report is in progress, and now the real work begins: getting your business fully operational again.
Restoration speed depends on your backup and disaster recovery infrastructure. Companies with tested, air-gapped backups and documented recovery procedures can begin restoring critical systems within days. Companies that discover their backups were also encrypted, untested, or incomplete face a rebuilding process measured in weeks.
The Verizon 2025 Data Breach Investigations Report found that ransomware was present in 44% of breaches. Among those, median downtime has been steadily increasing as attackers specifically target backup systems. Backups alone are not enough if they are not isolated from the network and regularly validated through disaster recovery testing.
During weeks two through four, a managed IT provider handles the restoration sequence: domain controllers first, then critical line-of-business applications, then email and file servers, then user workstations. Each system gets rebuilt from clean images or verified backups, patched to current levels, and validated before reconnecting to the network. This sequenced approach prevents reinfection and ensures dependencies are restored in the right order.
Companies rebuilding without an existing IT partner are simultaneously trying to hire help, document their environment, source replacement hardware, and restore data, all while their business sits idle. Coveware’s Q4 2024 ransomware report found that average ransomware-related downtime for businesses without incident response plans exceeded 22 days.
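The sequenced restore above (dependencies first, every system verified before it is reconnected) is easy to get wrong under pressure, so here is an added example of how that ordering and the validation gate can be expressed in code. This is illustrative code written for this post, not a tool from the original article or any named vendor; the hostnames, backup images, patch levels and hash manifest are all constructed, and the "gate" checks only two things: that the restored image matches a hash recorded out of band before the incident (so an encrypted or tampered copy is rejected) and that the system meets a patch baseline. A held dependency holds everything that depends on it, which is what prevents a workstation from coming back before the file server it relies on.

```python
"""Dependency-ordered restoration planner with validation gates.

Added example, not code from the original post. Models the restore
sequence described in the text: domain controllers, then line-of-business
apps, then mail/file servers, then workstations, with each backup image
verified against an out-of-band hash manifest before "reconnection".
All hostnames, images, patch levels and hashes below are constructed.
"""
import hashlib
from collections import deque

# Constructed dependency graph: system -> systems that must already be
# restored and validated before it. Hypothetical hostnames.
RESTORE_DEPENDENCIES = {
    "dc01": [],
    "erp-app": ["dc01"],
    "mail01": ["dc01"],
    "file01": ["dc01"],
    "ws-finance": ["erp-app", "file01"],
}

# Constructed "clean" backup images as they were captured before the incident.
CLEAN_IMAGES = {
    "dc01": b"clean image: dc01",
    "erp-app": b"clean image: erp-app",
    "mail01": b"clean image: mail01",
    "file01": b"clean image: file01",
    "ws-finance": b"clean image: ws-finance",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: dict) -> dict:
    """Hash manifest to be stored off-network at backup time (constructed)."""
    return {name: sha256_hex(data) for name, data in images.items()}


def plan_restore_order(deps: dict) -> list:
    """Kahn's algorithm: every dependency precedes its dependents.
    Raises ValueError on unknown systems or a dependency cycle."""
    indegree = {s: len(d) for s, d in deps.items()}
    dependents = {s: [] for s in deps}
    for system, needs in deps.items():
        for dep in needs:
            if dep not in deps:
                raise ValueError(f"{system} depends on unknown system {dep}")
            dependents[dep].append(system)
    queue = deque(sorted(s for s, n in indegree.items() if n == 0))
    order = []
    while queue:
        system = queue.popleft()
        order.append(system)
        for later in dependents[system]:
            indegree[later] -= 1
            if indegree[later] == 0:
                queue.append(later)
    if len(order) != len(deps):
        raise ValueError("cycle in restoration dependencies")
    return order


def validation_gate(name, image, manifest, patch_level, required_patch_level):
    """Checks a system must pass before reconnection. Returns a list of
    failure reasons; an empty list means the gate passed."""
    reasons = []
    expected = manifest.get(name)
    if expected is None:
        reasons.append("no manifest entry")
    elif sha256_hex(image) != expected:
        reasons.append("image hash mismatch")  # encrypted or altered copy
    if patch_level < required_patch_level:
        reasons.append("below patch baseline")
    return reasons


def restore_with_gates(deps, images, manifest, patch_levels, required_patch_level):
    """Walk the plan in dependency order. A system is reconnected only when
    its own gate passes and all its dependencies were reconnected; otherwise
    it is held, and so is anything that depends on it.
    Returns (reconnected_in_order, held_system -> reasons)."""
    reconnected, held = [], {}
    for name in plan_restore_order(deps):
        blocked_by = [d for d in deps[name] if d not in reconnected]
        if blocked_by:
            held[name] = [f"dependency held: {d}" for d in blocked_by]
            continue
        reasons = validation_gate(name, images.get(name, b""), manifest,
                                  patch_levels.get(name, 0), required_patch_level)
        if reasons:
            held[name] = reasons
        else:
            reconnected.append(name)
    return reconnected, held


def demo():
    """Constructed scenario: file01's restore copy was encrypted and mail01
    was restored below the patch baseline."""
    manifest = build_manifest(CLEAN_IMAGES)
    restore_images = dict(CLEAN_IMAGES)
    restore_images["file01"] = b"ENCRYPTED BY RANSOMWARE (constructed)"
    patch_levels = {"dc01": 3, "erp-app": 3, "mail01": 2, "file01": 3, "ws-finance": 3}
    return restore_with_gates(RESTORE_DEPENDENCIES, restore_images, manifest,
                              patch_levels, required_patch_level=3)


if __name__ == "__main__":
    reconnected, held = demo()
    print("reconnected:", reconnected)
    for system, reasons in held.items():
        print(f"held {system}: {', '.join(reasons)}")
```

In the constructed run, dc01 and erp-app come back, mail01 is held for the patch shortfall, file01 is held because its restored image no longer matches the pre-incident manifest, and ws-finance is held because it depends on file01. The manifest only provides protection if it was written to storage the attacker could not reach, which is the same reason the text insists on air-gapped or immutable backups.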
Days 30-60: Hardening and Prevention
The final phase is where recovery becomes improvement. Once operations are restored, the focus shifts to ensuring the same attack cannot succeed again. This is also where many companies first engage a managed IT provider, because the breach exposed gaps they did not know existed.
The hardening roadmap typically includes:
- Endpoint protection deployment. Every endpoint, including previously unmanaged personal devices, gets EDR coverage. SentinelOne or equivalent tools are deployed across the environment with centralized management and 24/7 SOC monitoring.
- Network segmentation. Flat networks allow ransomware to spread laterally without resistance. Segmenting the network by function and sensitivity limits blast radius.
- Backup architecture review. Backups are moved to air-gapped or immutable storage. Recovery procedures are documented and tested on a quarterly schedule.
- Identity and access controls. Multi-factor authentication is enforced on all remote access, email, and admin accounts. Privileged access is restricted and audited.
- Patch management. Automated patching covers operating systems, firmware, and third-party applications. Unpatched systems were likely part of how the attackers got in.
- Security awareness training. Employees receive targeted training on phishing recognition and credential hygiene.
- Policy documentation. Incident response plans, acceptable use policies, and access control procedures are written, approved, and distributed.
This 30-day hardening phase addresses both the security failures that enabled the breach and the IT infrastructure gaps that slowed the recovery. Most companies that go through a significant breach end up investing in both managed security and managed IT because the incident reveals that those two needs are inseparable. You cannot maintain security controls without stable infrastructure, and you cannot maintain infrastructure without security built into every layer.
Post-Incident Recovery Checklist
Use this checklist to track your recovery milestones after a ransomware incident.
Days 1-3: Immediate Response
- [ ] Incident response team engaged
- [ ] Affected systems isolated from the network
- [ ] Attack vector identified
- [ ] Scope of compromise documented
- [ ] Legal counsel and cyber insurance carrier notified
- [ ] Employee communication sent with clear instructions
Week 1: Forensics and Containment
- [ ] Forensic investigation underway with log evidence
- [ ] Backdoors and persistence mechanisms identified and removed
- [ ] Breach notification obligations assessed
- [ ] Law enforcement contacted (FBI IC3 or local field office)
- [ ] All credentials rotated, admin accounts first
Weeks 2-4: Restoration
- [ ] Backup integrity verified with clean, unencrypted copies confirmed
- [ ] Critical systems restored in priority order
- [ ] Each restored system patched and validated before network reconnection
- [ ] Line-of-business applications tested by end users
- [ ] Data integrity checks completed
Days 30-60: Hardening
- [ ] EDR deployed to all endpoints with SOC monitoring
- [ ] Network segmented by function and sensitivity
- [ ] Backups moved to air-gapped or immutable storage
- [ ] MFA enforced on all remote access and admin accounts
- [ ] Automated patch management implemented
- [ ] Security awareness training completed for all staff
- [ ] Incident response plan written and tested
- [ ] 90-day security roadmap documented
What the Timeline Reveals
The 60-day arc makes one thing clear: companies with an existing IT foundation recover in weeks, while companies without one recover in months, if they recover at all. The National Cyber Security Alliance reports that 60% of small businesses close within six months of a cyberattack. The businesses that survive are the ones that had monitoring, backup infrastructure, and recovery procedures in place before the incident, or that moved quickly to build them afterward.
If you have recently experienced a breach, or if reading this made you realize your recovery plan has gaps, the time to address them is before the next incident, not during it.
Need Emergency Recovery or Post-Breach Assessment?
Our team provides incident response support and post-breach security assessments to get your business back on stable ground.