Ransomware Recovery: 72-Hour Plan in 5 Phases

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Five phases: detection (0-2h), containment + BSI report (2-24h), forensics (24-48h), recovery (48-72h), lessons learned (weeks 2-4)
  • Median recovery time 2025: 18 days from encryption to critical-system restore (Sophos)
  • Best preparation cuts recovery to 3-7 days: immutable backups, documented IRP, recent tabletop
  • BSI strongly advises against paying ransom: 35% of payers receive no working decryption; sanctions risk applies
  • Three parallel notifications: BSI (NIS2), DPO/DPA (GDPR Art. 33), criminal complaint to police/state cybercrime unit

1. Phase 1: Detection (0-2 h)

Triggers: endpoint EDR alert, backup failure, user report. Activate the crisis team within 30 minutes. First containment: isolate affected network segment, take affected systems offline, preserve volatile evidence (memory captures, NetFlow).

2. Phase 2: Containment and BSI report (2-24 h)

Forensics team starts disk imaging. The 24-hour BSI early warning is mandatory under Section 32 BSIG. If personal data is implicated (typical), the GDPR Art. 33 72-hour clock also starts. Engage external forensics if needed (Mandiant, CrowdStrike, KPMG).

3. Phase 3: Forensics and assessment (24-48 h)

Identify the ransomware family (LockBit, BlackCat, etc.). Confirm or rule out data exfiltration. Locate and document the initial-access vector. Do not pay the ransom - BSI guidance is unambiguous; sanctions exposure under US OFAC and EU lists is real for groups like LockBit.

4. Phase 4: Recovery (48-72 h)

Restore from immutable backups. Reinstall rather than re-image anything potentially compromised. Reconnect only after forensics clearance. Patch and harden the identified initial-access vulnerability before reconnection.

5. Phase 5: Lessons learned (weeks 2-4)

Post-incident review workshop. Action plan with owners and target dates. Update the IRP, the ISO 27001 SoA, and the awareness program. Brief management and the supervisory board.

6. Should you pay the ransom?

Four reasons not to: (1) 35% of payers receive no working decryption (Sophos 2025); (2) re-extortion within 6-12 months is common (60% in 2024); (3) sanctions exposure under US OFAC and EU lists; (4) it funds the next attack. Payment is only contemplated when backups are destroyed AND DR is impossible AND the business cannot survive otherwise - and even then with BSI consultation, counsel, and insurer involvement.

7. Cyber insurance

Top DACH carriers 2026: Allianz Cyber, AXA Cyber, Munich Re HSB, Hiscox CyberClear. Standard coverage EUR 1-5M; SME premiums EUR 3,000-15,000 per year. Underwriters increasingly require evidence of MFA on admin accounts, immutable backups, annual pen testing, and awareness training. Without these, coverage is denied or excluded.

Summary

A defensible ransomware program is the combination of immutable backups, a tested IRP, and an annual tabletop exercise. The 5-phase plan above is the playbook; the tabletop is what makes it executable at 2 a.m.


Frequently Asked Questions

Should we pay the ransom?

The BSI categorically advises against it. Arguments against payment: 1) No guarantee of decryption (in 35% of cases, victims receive no working decryption after payment — Sophos Report 2025). 2) Re-extortion within 6-12 months is common (60% in 2024). 3) Sanctions-related risks (US OFAC and EU sanctions for payments to listed groups such as LockBit, BlackCat). 4) Reinforces the attackers' business model. When payment may nevertheless be considered: when backups are destroyed, disaster recovery is impossible, and the existence of the business is threatened. Even then: involve the BSI consultation, legal counsel, and your insurer.

Which cyber insurance policies cover ransomware?

Top providers in DACH 2026: Allianz Cyber, AXA Cyber, Munich Re HSB, Hiscox CyberClear. Standard coverage EUR 1-5 million. Payout prerequisites: a documented level of protection — MFA for admin accounts, immutable backups, annual penetration testing, and awareness training. Deductible: typically EUR 5-25k. What is NOT covered: intent, gross negligence (e.g., missing MFA), and fines from supervisory authorities. Premium for SMEs with 50-150 employees: EUR 3-15k/year. Without demonstrable security standards, insurers are increasingly rejecting applications (2025 trend).

Which authorities must be notified in a ransomware case, and when?

Three parallel reporting channels: 1) BSI under NIS2 Section 32 BSIG (German IT Security Act): initial report within 24h, update within 72h, 30-day report (for essential and important entities). 2) Data Protection Officer (DPO) under Article 33 GDPR: 72h notification where personal data is affected (which is the case in practically every ransomware incident). 3) Criminal complaint with the police and the State Criminal Police Office (LKA Cyber Crime Center): recommended, since prosecution of potential extortionists is possible. Plus: for listed companies, an ad hoc disclosure under MAR Article 17. For critical infrastructure (KRITIS): additionally the Federal Network Agency (BNetzA), the Federal Office for Economic Affairs and Export Control (BAFA) or similar, depending on the sector.
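The reporting clocks from Phase 2 and the answer above all start at the moment of detection, and in practice the crisis team needs them on one sheet. The following tracker is an added example (not from the original page or any official BSI tool): it takes the hour counts stated on this page and, given the detection time and the current time, reports which notifications are overdue, due soon or still open. The 6-hour "due soon" warning threshold and the ISO timestamp format are assumptions.

```python
from datetime import datetime, timedelta

# Statutory clocks as stated on this page (hours counted from detection).
CLOCKS = [
    ("BSI early warning (Section 32 BSIG / NIS2)", 24),
    ("BSI update report (Section 32 BSIG / NIS2)", 72),
    ("BSI final report (Section 32 BSIG / NIS2)", 30 * 24),
    ("GDPR Art. 33 notification", 72),
]

# Channels the page recommends without a fixed hour count.
NO_FIXED_CLOCK = [
    "Criminal complaint (police / LKA Cyber Crime Center)",
    "MAR Art. 17 ad hoc disclosure (listed companies only)",
]

# Assumption: anything due within this many hours is flagged as urgent.
DUE_SOON_HOURS = 6


def deadline_report(detected_at, now, personal_data_affected=True, listed_company=False):
    """Return one row per reporting channel with its due time and status.

    detected_at / now are ISO 8601 strings, e.g. "2025-03-01T02:00".
    The GDPR row is dropped only if no personal data is affected (rare per the page);
    the MAR row appears only for listed companies.
    """
    t0 = datetime.fromisoformat(detected_at)
    t = datetime.fromisoformat(now)
    rows = []
    for channel, hours in CLOCKS:
        if channel.startswith("GDPR") and not personal_data_affected:
            continue
        due = t0 + timedelta(hours=hours)
        remaining = (due - t).total_seconds() / 3600
        if remaining < 0:
            status = "OVERDUE"
        elif remaining <= DUE_SOON_HOURS:
            status = "DUE SOON"
        else:
            status = "open"
        rows.append({"channel": channel, "due": due.isoformat(),
                     "hours_remaining": round(remaining, 1), "status": status})
    for channel in NO_FIXED_CLOCK:
        if channel.startswith("MAR") and not listed_company:
            continue
        rows.append({"channel": channel, "due": None,
                     "hours_remaining": None, "status": "file without delay"})
    return rows
```

Run it each time the crisis team meets; the rows marked OVERDUE or DUE SOON are the items to escalate to counsel and the DPO immediately.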

How long does a full ransomware recovery take?

2025 median: 18 days from encryption to restoration of critical systems (Sophos State of Ransomware 2025). Variability: with good preparation (immutable backups, a documented incident response plan, a tabletop exercise in the last 12 months) — 3-7 days. With moderate maturity — 14-30 days. Without backups or in case of disaster recovery infrastructure failure — 60-180 days, or going out of business. 23% of SMEs close down after a ransomware incident (Cybersecurity Ventures 2025). Forensics adds an additional 30-90 days before the environment is fully confirmed 'clean'.
