Recovering business data after ransomware: a straight-talking guide for UK SMEs
Ransomware is one of those events that feels like a slow-motion car crash: sudden, noisy and expensive. If you run a business of 10–200 people in the UK, your priorities in the first 48 hours are simple: get the business back trading, protect your people and records, and limit the damage to reputation and cashflow. This guide focuses on practical steps and realistic choices—less geek-speak, more what actually matters to proprietors, finance directors and ops managers.
First hour: stop the bleeding
When ransomware hits, the natural instinct is to panic. Instead, do three things immediately.
- Isolate affected machines. Pull network cables, disable Wi‑Fi access for infected devices and, if necessary, remove a compromised server from the network. That limits spread.
- Preserve evidence. Don’t wipe drives or reinstall systems unless an IT professional advises it—those images are useful for forensic work, insurers and potentially the police.
- Call the right people. That might be your internal IT, a trusted local provider, or your insurer’s appointed adviser. You’ll need someone who can give a sober assessment quickly.
These are pragmatic steps you can take without deep technical knowledge. They buy you time and keep recovery options open.
Work out what you’ve actually lost
Not all data is equal. Start by listing what’s down and what you need to trade: payroll, customer orders, supplier contracts, compliance records. Prioritise by impact—what stops the tills, what stops people getting paid, what risks a regulatory fine?
At the same time, determine whether the attack affected personal data. If personal data has likely been exposed, the ICO expects notification within 72 hours in many cases. You should also consider reporting to Action Fraud and consulting your insurer. These are not box-ticking exercises; they influence legal exposure and restore credibility with customers and partners.
If your backups are unclear or you suspect gaps, now is the time to revisit your data backup plan so you can make recovery choices with facts rather than hope.
Recovery choices: the practical options
You generally have three routes to recovery, each with trade-offs.
- Restore from backup. This is the cleanest route if you have recent, tested backups that aren’t compromised. It’s quicker, avoids ransom payments and preserves credibility—provided you can accept the data loss window between your last good backup and the attack.
- Rebuild systems. If backups are incomplete, you may need to rebuild servers and re-enter data from paper or third-party systems. This is labour‑intensive and costly but often necessary for smaller firms with patchy backup discipline.
- Negotiate or pay ransom. Paying is risky: there’s no guarantee of full decryption, it can be illegal in certain cases, and it creates a future target. UK police and cybersecurity authorities discourage payment; any consideration should involve the board, insurers and legal advice.
Decisions here are as much about cashflow and reputation as tech. A quick, honest update to key customers and suppliers often preserves relationships better than silence.
Legal, financial and reputational steps
There are non-technical consequences to consider. In the UK you must think about regulatory obligations (ICO), contractual obligations (customers and suppliers), and insurance. Contact your insurer early—many policies require notification within a strict timeframe and they can fund forensic work and legal advice.
Communications matter. A clear, factual message to affected parties reduces speculation. Say what’s affected, what you’re doing, and when you’ll update them. Keeping people informed protects trust—potentially your most valuable asset.
What recovery looks like in practice
Expect recovery to take hours to weeks depending on complexity. Restoring from a solid, recent backup can get core systems trading in a day or two. Rebuilding and data reconstruction can take substantially longer and cost several thousand pounds in consultant time alone. You’ll also need to validate systems thoroughly before putting them back online—rushed restorations can leave hidden problems.
I’ve seen firms in London, Manchester and smaller towns recover in phases: get invoices and payroll moving first, then customer portals, then internal document stores. That approach keeps the business functioning while longer-term integrity checks happen in the background.
How to reduce the chance of a repeat
Prevention is less glamorous than urgent recovery, but it’s the cheapest route overall. Focus on things that reduce downtime and restore confidence:
- Use a simple, tested backup strategy: multiple copies, some offline and one offsite. Regularly test restores—backups you can’t restore are useless.
- Segment networks so a single infected machine can’t easily spread to, and encrypt, your whole office server.
- Keep software and firmware updated and apply security basics—multi-factor authentication, least privilege for accounts, and regular patching.
- Train staff. Many infections start with a click on a realistic-looking email. Regular, pragmatic training reduces that risk.
These measures cut downtime, reduce insurance premiums and protect credibility—the three outcomes any business owner cares about.
FAQ
Should we pay the ransom?
Generally no. Paying can encourage future attacks, offers no guarantee of full recovery, and can complicate insurance and legal issues. Treat payment as a last resort and discuss it with management, insurers and legal counsel before deciding.
How long does recovery usually take?
It varies. A clean restore from current backups can take a day or two for core services. Rebuilds and forensic checks can take weeks. The key is prioritising what must be working first—payroll and customer-facing systems typically top the list.
Do we have to tell the ICO?
If personal data has been affected you may need to report the breach to the ICO within 72 hours. Even if reporting isn’t required, documenting what happened and your remedial steps is sensible for insurance and compliance.
Can backups be trusted after an attack?
Not automatically. Ransomware sometimes targets backups. That’s why you should have at least one offline or immutable copy and routinely test restores. If there’s any doubt, get a professional to verify backups before relying on them for recovery.
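As an added illustration of the “test your restores” advice in the prevention list and of this FAQ answer (example code written for this guide, not part of the original): a small restore drill that records a SHA‑256 manifest at backup time and checks a test restore against it, flagging files that are missing or whose contents changed (for example, because ransomware encrypted the backup copy). File names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(source: Path) -> dict:
    """Record relative path -> SHA-256 for every file at backup time.
    Keep this manifest with the offline/offsite copy, not only on the live server."""
    return {str(p.relative_to(source)): sha256_of(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def restore_drill(manifest: dict, restored: Path) -> dict:
    """Compare a test restore against the manifest and report what cannot be trusted."""
    missing, changed, ok = [], [], 0
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)          # file never made it into the backup or restore
        elif sha256_of(p) != expected:
            changed.append(rel)          # content differs: corruption or encryption
        else:
            ok += 1
    return {"verified": ok, "missing": missing, "changed": changed,
            "trustworthy": not missing and not changed}


def demo() -> tuple:
    """Constructed scenario: one clean restore and one where the backup was tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "live"); src.mkdir()
        (src / "payroll.csv").write_text("emp,amount\nA,1000\n")
        (src / "orders.csv").write_text("id,customer\n1,ACME\n")
        manifest = write_manifest(src)
        good = Path(tmp, "restore_good"); good.mkdir()
        for rel in manifest:                      # simulate a faithful restore
            (good / rel).parent.mkdir(parents=True, exist_ok=True)
            (good / rel).write_bytes((src / rel).read_bytes())
        bad = Path(tmp, "restore_bad"); bad.mkdir()
        (bad / "payroll.csv").write_bytes(b"\x00encrypted-garbage\x00")  # orders.csv absent
        return restore_drill(manifest, good), restore_drill(manifest, bad)
```

Run `demo()` to see the clean restore reported as trustworthy and the tampered one listing `payroll.csv` as changed and `orders.csv` as missing; in a real drill, point `restore_drill` at a restore performed from the offline copy.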
Soft next step
If you’re dusting yourself down after an incident, focus on outcomes: reduce downtime, protect cashflow, keep customers and sleep better at night. A clear recovery path and a practised backup plan save time, money, credibility and deliver a lot of calm when you need it most.