Disaster Recovery and Ransomware: What You Need to Know

December 26, 2024

Disaster recovery is the plan and the tooling that get your systems and your data back after something takes them down — a hardware failure, a flood, a bad deploy, or an attack. Ransomware is now the disaster that drives most of these plans, because it is the one most likely to hit a file system on purpose. Ransomware is malware that locks up your files (or steals them) and demands payment to give them back. This post explains how it works, what a recovery looks like step by step, and the few capabilities that decide whether you get your data back in minutes or weeks.

Two numbers run through every disaster-recovery conversation, so it helps to define them up front. RTO, the recovery time objective, is how long you can afford to be down before the data is back — measured in minutes, hours, or days. RPO, the recovery point objective, is how much recent data you can afford to lose — measured the same way, counting backward from the moment of failure. A backup taken every night gives you an RPO of up to 24 hours: if you get hit at 5 PM, you lose a day's work. The whole game in disaster recovery is pushing both numbers down toward zero.

For an IT team, the file system is one of the higher-value targets in a ransomware campaign. The file server holds the shared drives, the SFTP endpoint connects to every trading partner, and the file-transfer system holds the credentials for every system-to-system feed in the company. A successful attack on that layer is rarely just "the files are encrypted." It is also "partner deliveries are down," "the audit trail is suspect," and "every credential that system held has to be treated as compromised."

How Ransomware Works

Most ransomware does not get in through clever hacking. It gets in through people. The common opening move is social engineering — tricking a human into handing over access: a phishing email that looks like it is from a coworker, an attachment that runs code when opened, or someone on the phone pretending to be IT and asking for a password. Once an attacker has one foothold, they move sideways across the network looking for the file servers and the credentials worth taking.

Older ransomware copied your data to the attacker's own servers, then deleted the originals. That worked, but it was slow for large datasets. Modern ransomware is faster and meaner: it encrypts your files in place and overwrites the originals, so the file still sits where it always did but is now unreadable. The attacker drops a ransom note in the affected folders demanding payment — usually in cryptocurrency — for a decryption key.

Paying is a gamble, not a fix. Some groups hand over a working key to keep their reputation intact for the next victim, but there is no guarantee the key works, and nothing stops the same group from coming back. Most response teams treat the ransom as the last resort, behind restoring from clean backups.

What to Do When Ransomware Hits

If you are in the middle of an attack, fast and deliberate action limits the damage. The steps below are the standard response sequence.

Disconnect and contain. Pull the affected systems off every network, including Wi-Fi, so the ransomware cannot spread to machines it has not reached yet. Work with security professionals to bring systems up in an isolated environment where you can assess the damage without risking the rest of the network.

Notify the authorities. Report the attack to the cybercrime authorities in your region. They can offer guidance, and identifying the specific ransomware variant sometimes opens up a known decryption path.

Restore from backups. If you have clean, recent backups, this is how you get your data back without paying. The catch is that a backup you never tested is a backup you do not actually have — restore drills are what tell you the backups are complete and current before you need them in an emergency.

Remove and purge the ransomware. Before any device goes back on the network, confirm it is fully cleaned. If you cannot be certain it is clean, wipe it and rebuild from scratch. A reinfection from a missed copy of the malware sends you back to the start.

Strengthen your defenses. Because most ransomware rides in on human error, the highest-leverage fixes are training people to spot social-engineering attempts, turning on multi-factor authentication everywhere, and keeping systems current on patches.

The Capabilities That Decide How Fast You Recover

Backups are the floor, not the ceiling. A few specific capabilities are what separate a recovery measured in minutes from one measured in weeks.

Versioning

Versioning means every change to a file is saved as a new version while the older versions stay intact and reachable. Object-storage systems like Amazon S3, Google Cloud Storage, and Azure Blob Storage all offer it. Picture a stack of paper where every edit adds a fresh sheet on top and the earlier sheets stay underneath — when ransomware encrypts the top version, the clean version from yesterday is still sitting in the stack. You roll back to it. Files.com keeps version history on the files it manages, so a file an attacker overwrote can be restored to its last good state.

Immutability

Immutability means a file, once written, cannot be changed or deleted for a set period — not by you, not by an attacker, not even with stolen admin credentials. This is the single most important defense against ransomware, because the whole attack depends on overwriting or deleting your good data. If the good copy literally cannot be touched, the attacker has nothing to hold for ransom. Immutable backups (sometimes called write-once-read-many, or WORM, storage) are the clean copy you restore from when everything else has been encrypted.

Point-in-Time Recovery

Restoring files one version at a time is slow when thousands of them were hit. Point-in-time recovery fixes that by rolling an entire storage system back to a chosen date and time in one operation — say, 4 PM yesterday, just before the attack started. This is what pushes RTO down: instead of hunting through versions file by file, you pick a timestamp and the system returns to exactly how it looked then.
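The three capabilities just described (versioning, immutability, and point-in-time recovery) are easiest to see working together in code. The following is an added example, not Files.com code: the `VersionedStore` class, its method names, the retention window and the integer clock values are all hypothetical, chosen only to show how an in-place encryption attack plays out against a store that keeps every version, refuses to purge versions still under retention, and can roll the whole tree back to a timestamp in one operation.

```python
"""Versioned, retention-locked store with one-shot point-in-time restore.

Added example, not Files.com code: every class, method and clock value here
is hypothetical.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Version:
    ts: int                  # write time on a constructed integer clock
    data: Optional[bytes]    # None is a tombstone: the file was deleted


class ImmutabilityError(PermissionError):
    """A write tried to alter or delete a version still under retention."""


class VersionedStore:
    def __init__(self, retention_seconds: int) -> None:
        self.retention = retention_seconds
        self._files: dict[str, list[Version]] = {}

    def put(self, path: str, data: Optional[bytes], now: int) -> None:
        # Versioning: every write, including an attacker's overwrite, appends
        # a new version; existing versions are never modified.
        self._files.setdefault(path, []).append(Version(now, data))

    def delete_version(self, path: str, ts: int, now: int) -> None:
        # Immutability: a version younger than the retention window cannot be
        # purged by anyone, stolen admin credentials or not.
        for v in self._files[path]:
            if v.ts == ts:
                if now - v.ts < self.retention:
                    raise ImmutabilityError(f"{path}@{ts} is retention-locked")
                self._files[path].remove(v)
                return
        raise KeyError(f"{path}@{ts}")

    def read(self, path: str) -> Optional[bytes]:
        # Current content is simply the newest version (None if tombstoned).
        return self._files[path][-1].data

    def as_of(self, ts: int) -> dict[str, bytes]:
        # The store as it looked at time ts: newest version per file written
        # at or before ts, skipping files that did not exist then.
        snap: dict[str, bytes] = {}
        for path, versions in self._files.items():
            older = [v for v in versions if v.ts <= ts]
            if older and older[-1].data is not None:
                snap[path] = older[-1].data
        return snap

    def restore_to(self, ts: int, now: int) -> int:
        # Point-in-time recovery in one operation. Rolled-back content is
        # written as a NEW newest version (files created after ts get a
        # tombstone), so the attack's versions stay in history for forensics.
        snap = self.as_of(ts)
        rolled = 0
        for path in list(self._files):
            target = snap.get(path)
            if self.read(path) != target:
                self.put(path, target, now)
                rolled += 1
        return rolled


def simulate_attack_and_recovery() -> dict:
    """Constructed scenario: normal writes, in-place encryption, a blocked
    purge of the good history, then a rollback to one minute pre-attack."""
    store = VersionedStore(retention_seconds=7 * 24 * 3600)
    t0 = 1_700_000_000                      # constructed epoch-style clock
    originals = {f"shared/report{i}.xlsx": f"quarter {i} numbers".encode()
                 for i in range(3)}
    for i, (path, data) in enumerate(originals.items()):
        store.put(path, data, t0 + 60 * i)

    attack_ts = t0 + 3600                   # encryption starts an hour later
    for path, data in originals.items():    # overwrite in place = new version
        store.put(path, b"\x00ENC\x00" + bytes(reversed(data)), attack_ts)
    store.put("shared/README_RESTORE.txt", b"pay in crypto", attack_ts + 1)
    try:                                    # attacker tries to purge history
        store.delete_version("shared/report0.xlsx", t0, now=attack_ts + 2)
        purge_blocked = False
    except ImmutabilityError:
        purge_blocked = True

    rolled = store.restore_to(attack_ts - 60, now=attack_ts + 900)
    return {
        "purge_blocked": purge_blocked,
        "rolled_back": rolled,              # 3 reports + 1 ransom note
        "all_clean": all(store.read(p) == d for p, d in originals.items()),
        "note_removed": store.read("shared/README_RESTORE.txt") is None,
        "history_len": len(store._files["shared/report0.xlsx"]),
    }


if __name__ == "__main__":
    print(simulate_attack_and_recovery())
```

Two design choices matter here. The restore never deletes anything: the encrypted versions and the ransom note stay in history behind the restored versions, which is what lets you reconstruct the attack afterwards. And the retention check is enforced inside the store, not in the caller, so the only thing an attacker with admin credentials can do to a locked version is wait out the retention window.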

A Clean Audit Trail

When you are recovering, you need to know exactly what the attacker touched and when. A complete audit log — a tamper-resistant record of every login, upload, download, and change — tells you the blast radius, which credentials to rotate, and which files to restore. Without it, you are guessing, and guessing during a recovery is how you reinfect yourself.
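What "tamper-resistant" and "tells you the blast radius" look like in practice, as an added example that is not Files.com code: the event fields, the hash-chaining scheme and the sample events are constructed for illustration. The log is a hash chain, so any edited or dropped entry breaks verification from that point on, and `blast_radius` turns a known-bad source address and a time window into the three lists a recovery needs: accounts to rotate, files to restore, and files that may have left the building.

```python
"""Hash-chained audit log and a blast-radius query for recovery planning.

Added example, not Files.com code: event fields, chaining scheme and sample
events are all constructed.
"""
from __future__ import annotations
import hashlib
import json

GENESIS = "0" * 64


def chain_hash(prev_hash: str, event: dict) -> str:
    # Each entry commits to its predecessor's hash, so editing or dropping any
    # earlier entry changes every hash after it (tamper evidence).
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(log: list[dict], event: dict) -> None:
    prev = log[-1]["hash"] if log else GENESIS
    log.append({**event, "hash": chain_hash(prev, event)})


def verify(log: list[dict]) -> tuple[bool, int]:
    """Return (intact, index of the first entry that fails, or -1)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        event = {k: v for k, v in entry.items() if k != "hash"}
        if chain_hash(prev, event) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1


MUTATING = {"upload", "overwrite", "delete", "rename"}


def blast_radius(log: list[dict], start: int, end: int,
                 indicator_ips: set[str]) -> dict:
    """From a known-bad source and a time window, derive what recovery needs."""
    window = [e for e in log if start <= e["ts"] <= end]
    # Pass 1: any account seen from an attacker IP in the window is compromised.
    accounts = {e["actor"] for e in window if e["src_ip"] in indicator_ips}
    # Pass 2: everything those accounts did in the window, from any address.
    touched = [e for e in window if e["actor"] in accounts]
    return {
        "accounts_to_rotate": sorted(accounts),
        "files_to_restore": sorted({e["path"] for e in touched
                                    if e["action"] in MUTATING}),
        "possibly_exfiltrated": sorted({e["path"] for e in touched
                                        if e["action"] == "download"}),
        "restore_before_ts": min((e["ts"] for e in touched), default=None),
    }


def build_sample_log() -> list[dict]:
    """Constructed events: normal activity, then a service account abused
    from 203.0.113.9 (a documentation-range address) to encrypt files."""
    log: list[dict] = []
    rows = [
        (100, "alice",   "login",     "10.0.0.5",    ""),
        (110, "alice",   "upload",    "10.0.0.5",    "shared/q3.xlsx"),
        (200, "svc-edi", "login",     "203.0.113.9", ""),
        (205, "svc-edi", "download",  "203.0.113.9", "partners/orders.csv"),
        (210, "svc-edi", "overwrite", "203.0.113.9", "partners/orders.csv"),
        (215, "svc-edi", "overwrite", "203.0.113.9", "shared/q3.xlsx"),
        (216, "svc-edi", "upload",    "203.0.113.9", "shared/README_RESTORE.txt"),
        (300, "bob",     "login",     "10.0.0.7",    ""),
        (305, "bob",     "download",  "10.0.0.7",    "shared/q3.xlsx"),
    ]
    for ts, actor, action, src_ip, path in rows:
        append(log, {"ts": ts, "actor": actor, "action": action,
                     "src_ip": src_ip, "path": path})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify(log))
    print(blast_radius(log, start=200, end=220, indicator_ips={"203.0.113.9"}))
```

The two-pass query is deliberate: the first pass identifies compromised accounts by where they logged in from, the second collects everything those accounts did, from any address, so an attacker who switches source IPs mid-session does not fall out of the file list. The earliest timestamp in the touched set is the point-in-time target for the restore.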

Building Ransomware Resilience Into Your File Platform

Most teams that have lived through a recovery stop treating ransomware resilience as a separate backup product and fold it into the platform that already moves their files. Files.com is the cloud-native File Orchestration Platform: one platform that replaces the stack of legacy tools IT teams run to move files — SFTP and FTP servers, MFT suites, file-sharing apps, and the scripts holding them together. Because it is delivered as a service, security patches ship automatically with nothing for you to install, which closes the patch window that the recent wave of file-transfer breaches exploited.

On the recovery side, the capabilities above are built in rather than bolted on. Files.com keeps version history and supports configurable data retention so an overwritten or deleted file can be restored to a known-good state, and the complete audit trail tells you exactly what to roll back and which credentials to rotate. The platform's ransomware-resilient backup approach is designed for an aggressive RTO of around 15 minutes and an RPO of zero — meaning a near-instant return to service with no data loss in the recovery window. Files.com runs on a 99.9% uptime guarantee with eight global data-residency zones, so the platform you recover onto is itself built to stay up.

If you want the architectural argument for why a self-patching platform beats a self-hosted box you have to patch yourself, the post "Why Patch Latency Is Breaking Legacy MFT" walks through the timeline of a real CVE.

Don't wait for an attack to find out whether your recovery plan works. See how ransomware-resilient backup fits your file infrastructure, or start a free trial — no credit card, live in minutes.
