Ransomware Recovery Without Paying the Ransom

Most businesses that pay a ransomware ransom didn't have to. Here's what recovery without payment actually looks like — the three scenarios, what each requires, and how long each takes.

20 August 2026 · 8 min read · Montana Data Company · Security Team

The question every business owner asks immediately after a ransomware attack is: "Can we get our data back without paying?"

The answer depends entirely on one thing: the state of your backup before the attack. Not whether you had backup software installed — but whether your backup was clean, current, off-network, and tested. Those four characteristics determine whether payment is avoidable or unavoidable.

This article walks through the three recovery scenarios in honest detail: what each one requires, what it costs, and how long it takes.

Scenario 1: Clean Immutable Backup — Full Recovery Without Payment

This is the scenario that proper backup preparation delivers. You have a cloud backup stored in immutable, off-network storage. The backup retention window extends beyond the ransomware's dwell period — your most recent clean recovery point predates the compromise. You have tested the restore procedure within the past 90 days and know it works.

What recovery looks like:

Within hours of detecting the attack, your IT team or managed backup provider initiates a restore from the last clean backup point. Affected servers are wiped (ideally rebuilt from clean images, so that any persistence the attacker planted is not restored along with the data) and their data is restored from the cloud copy. Employee devices are rebuilt from endpoint backup. Microsoft 365 data is restored to the pre-attack state from the SaaS backup.

Depending on data volume and connection speed, full restoration of a mid-sized SA business environment typically takes 4–24 hours. During this window, staff may have limited access to some systems; most operations can resume in parallel with restoration.

Total cost: Operational disruption during the restoration window. Forensic investigation to determine the entry point and confirm the attacker has been evicted (R80,000–R150,000 for most SMEs). POPIA breach notification if personal information was accessed during the dwell period. No ransom. No data loss beyond the period since the last clean backup.

Key requirement: The backup must pre-date the compromise. A 90-day retention window that contains a clean recovery point is sufficient for most ransomware variants, whose dwell time is usually measured in days or weeks. Immutability ensures the backup itself could not be altered or deleted during the dwell period, even by an attacker who obtained the backup credentials. It does not make a snapshot taken during the dwell clean: an immutable copy of already-encrypted or backdoored data is faithfully preserved, which is why the recovery point must be older than the compromise, not merely older than the encryption event.

This recovery path is available to every South African business that has made the investment in a properly architected backup strategy. It is not reserved for large enterprises with dedicated security teams.

Scenario 2: Standard Mutable Backup — Partial Recovery With Complications

You have backup, but it is stored on a NAS device, a connected server, or cloud storage that is accessible from your network. The ransomware has encrypted some of the backup, but not all of it — perhaps older backup snapshots on a separate media type survived, or the attacker did not reach a particular backup target before being detected.

What recovery looks like:

Forensic analysis to determine which backup copies are clean and which are compromised. Restoration from the newest surviving clean backup — which may be weeks old. Reconstruction of the gap between that backup and the attack from alternative sources: email archives, client-provided documents, paper records, employee recollection.

This process is slow, expensive, and incomplete. Data created or modified between the last clean backup and the attack is permanently lost unless it can be reconstructed from other sources. For many businesses, this gap represents significant operational data: invoices, project work, client correspondence, financial records.
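Deciding which of the surviving copies is actually safe to restore from is the triage step both scenarios turn on: the key requirement in Scenario 1 (the recovery point must predate the compromise) and the forensic sorting of clean from compromised copies in Scenario 2. The Python below is an added example, not Montana Data Company code or any backup product's API. It assumes a forensic estimate of the compromise time, the detection time, and for each snapshot its timestamp, its immutability lock expiry (None for a mutable NAS copy) and its file contents; the snapshot names, timestamps and file bytes are constructed inline. A snapshot is rejected if it was taken after the estimated compromise or if a content scan flags files as encrypted; the scan uses byte entropy with an exception for formats that are high-entropy by design (archives, images, PDFs), which would otherwise be false positives. Whether the copy's lock was still in force at detection is recorded as the confidence level, since a mutable copy that scans clean can still be used (the surviving copies of Scenario 2) but only the scan vouches for it.

```python
"""Pick the newest backup snapshot that is safe to restore from.

Added example, not Montana Data Company code. A snapshot is usable when it
predates the forensic estimate of initial compromise and a content scan
shows no sign of ransomware encryption; whether its immutability lock was
still in force at detection is recorded as the confidence level (a locked
copy could not have been altered by an attacker holding backup credentials,
a mutable or lock-expired copy is vouched for by the scan alone).
All timestamps, snapshot names and file contents are constructed inline.
"""
from __future__ import annotations

import gzip
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Formats that are high-entropy by design; without this exception every
# gzip, zip, JPEG, PNG or PDF in the snapshot would be flagged as ciphertext.
COMPRESSED_MAGIC = (b"\x1f\x8b", b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"%PDF", b"7z\xbc\xaf")
ENTROPY_THRESHOLD = 7.5  # bits per byte: text sits around 4-5, ciphertext approaches 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: high entropy not explained by a known compressed container."""
    return not data.startswith(COMPRESSED_MAGIC) and shannon_entropy(data) >= ENTROPY_THRESHOLD


@dataclass
class Snapshot:
    name: str
    taken_at: datetime
    lock_until: datetime | None  # None: mutable copy (NAS share, mapped drive)
    files: dict[str, bytes] = field(default_factory=dict)


@dataclass
class Verdict:
    snapshot: Snapshot
    usable: bool
    reason: str  # rejection reason, or confidence: "locked" / "scan-only"
    suspect_files: int = 0


def assess(snap: Snapshot, compromised_at: datetime, detected_at: datetime,
           max_suspect_ratio: float = 0.01) -> Verdict:
    """Cheap date check first, content scan second, lock status last."""
    if snap.taken_at >= compromised_at:
        # Taken during the dwell: may carry the attacker's persistence even if every file scans clean.
        return Verdict(snap, False, "taken after estimated compromise")
    suspect = sum(1 for d in snap.files.values() if looks_encrypted(d))
    if snap.files and suspect / len(snap.files) > max_suspect_ratio:
        return Verdict(snap, False, f"{suspect} of {len(snap.files)} files look encrypted", suspect)
    locked = snap.lock_until is not None and snap.lock_until >= detected_at
    return Verdict(snap, True, "locked" if locked else "scan-only", suspect)


def choose_restore_point(snapshots: list[Snapshot], compromised_at: datetime, detected_at: datetime):
    """Return (chosen verdict or None, all verdicts newest-first, window of data to reconstruct)."""
    verdicts = [assess(s, compromised_at, detected_at)
                for s in sorted(snapshots, key=lambda s: s.taken_at, reverse=True)]
    for v in verdicts:
        if v.usable:
            return v, verdicts, detected_at - v.snapshot.taken_at
    return None, verdicts, None  # Scenario 3: no viable backup


# --- constructed sample data (stands in for a real snapshot inventory) ---
def _pseudo_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for ransomware output."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


TEXT = b"Invoice 2026-041: payment due within 30 days of delivery.\n" * 70
CIPHERTEXT = _pseudo_ciphertext(b"encrypted-by-ransomware")
ARCHIVE = gzip.compress(_pseudo_ciphertext(b"legitimate-backup-archive"))  # legitimate but high entropy


def run_example():
    utc = timezone.utc
    detected_at = datetime(2026, 8, 20, 8, 0, tzinfo=utc)
    compromised_at = datetime(2026, 8, 6, 0, 0, tzinfo=utc)  # forensic estimate: 14-day dwell
    clean = {"invoices.csv": TEXT, "archive.tar.gz": ARCHIVE}
    encrypted = {"invoices.csv": CIPHERTEXT, "archive.tar.gz": ARCHIVE}
    snapshots = [
        Snapshot("cloud-nightly-0819", datetime(2026, 8, 19, 23, tzinfo=utc), datetime(2026, 9, 18, tzinfo=utc), encrypted),
        Snapshot("cloud-nightly-0812", datetime(2026, 8, 12, 23, tzinfo=utc), datetime(2026, 9, 11, tzinfo=utc), clean),
        Snapshot("cloud-nightly-0805", datetime(2026, 8, 5, 23, tzinfo=utc), datetime(2026, 9, 4, tzinfo=utc), clean),
        Snapshot("nas-weekly-0802", datetime(2026, 8, 2, 2, tzinfo=utc), None, encrypted),  # NAS copy encrypted in place
        Snapshot("nas-weekly-0726", datetime(2026, 7, 26, 2, tzinfo=utc), None, clean),
    ]
    return choose_restore_point(snapshots, compromised_at, detected_at)


if __name__ == "__main__":
    chosen, verdicts, gap = run_example()
    for v in verdicts:
        print(f"{v.snapshot.name:20} {'USABLE' if v.usable else 'reject'}  {v.reason}")
    print("restore from:", chosen.snapshot.name, "| data to reconstruct since snapshot:", gap)
```

Run as a script it prints one verdict per snapshot, newest first, and the window of data that has to be reconstructed from other sources. Note what the sample shows: the 12 August cloud snapshot scans clean but is still rejected because it was taken inside the dwell, and the 2 August NAS copy predates the compromise but is rejected because it was encrypted in place. The entropy check is a triage aid, not proof: files that are only partly encrypted can stay under the threshold, so pair it with a check for the ransom note and extension pattern the investigation identifies, and remember that a clean-looking snapshot is only as good as the compromise estimate it is compared against.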

Total cost: Forensic investigation (R100,000–R250,000). IT labour for backup triage and partial restore. Business disruption costs during extended recovery period (typically 1–3 weeks for a partial recovery). Data reconstruction costs. Legal and POPIA notification costs. Potentially: payment of a partial ransom if critical data from the gap period is unrecoverable by other means. Total exposure: R500,000–R2,000,000+ depending on business size and data loss severity.

Key requirement for improvement: Architectural separation of backup from production network. Immutable cloud storage. These changes convert Scenario 2 into Scenario 1 for future incidents.

Scenario 3: No Viable Backup — The Hard Choices

Your backup was on the same network and has been fully encrypted. Or the backup was never properly configured and has been silently failing for months. Or there was no backup at all.

In this scenario, recovery without payment depends on technical alternatives that have significant limitations.

Technical recovery options (without payment):

Decryption tools from security researchers. For some ransomware variants — particularly older or less sophisticated strains — security researchers and organisations like No More Ransom (nomoreransom.org) have published free decryption tools. These are available for a limited and decreasing subset of active ransomware strains. Modern enterprise ransomware targeting South African businesses is generally not covered by public decryptors.

Shadow copy recovery. Windows Volume Shadow Copies (VSS snapshots) may contain previous file versions. However, most enterprise ransomware variants specifically delete shadow copies before triggering encryption (typically with vssadmin delete shadows or the equivalent WMI call, which is itself a useful detection point). If shadow copies survived (rare in sophisticated attacks), partial file recovery may be possible.

File carving from unencrypted sectors. Specialised forensic tools can sometimes recover data from disk sectors that were not reached by encryption before the attack was stopped. This only works if the affected disks are imaged before anything else is written to them; rebooting the machine or installing recovery tools on it overwrites the very sectors you hope to carve. Success rates are low and recovery is typically incomplete.

Partial recovery from unaffected systems. Devices that were offline during the attack, systems in a network segment the ransomware did not reach, and data in external systems (email servers, cloud platforms with independent retention) may contain recoverable data.

What this process looks like in practice:

Engage a professional forensic recovery firm. Expect the triage and recovery attempt to take 2–4 weeks. Expect a bill of R200,000–R500,000 regardless of the outcome. Expect to recover some percentage of your data — the percentage is unpredictable and cannot be guaranteed in advance.

At the end of this process, if critical data remains unrecovered and the business cannot operate without it, payment may be the last remaining option — with no guarantee of receiving a working key even then.

Total cost in this scenario: Forensic recovery attempt (R200,000–R500,000). Extended business disruption (weeks to months). Potential ransom payment (R150,000–R5,000,000+). POPIA notification and regulatory exposure. Customer and reputational losses. Potential business failure if the data is irreplaceable and cannot be recovered. Total exposure: R1,000,000–R10,000,000+.

The Lesson Each Scenario Teaches

Scenario 1 is not luck. It is the outcome of a specific set of decisions made before the attack: choosing immutable cloud backup, configuring a retention window longer than typical ransomware dwell times, testing restore procedures, and keeping backup storage architecturally separate from the production environment.

Scenario 3 is also not bad luck. It is the outcome of a different set of decisions: treating backup as a compliance checkbox rather than a recovery capability, accepting unknown backup quality because the jobs were running, and not investing in the architectural properties that ransomware specifically defeats.

The cost difference between Scenario 1 and Scenario 3 for a mid-sized South African business is typically R1,000,000–R9,000,000 in a single incident. The cost difference in monthly backup investment between the two approaches is a few thousand rand.

If you are not certain which scenario you are currently in, our free security assessment includes a backup readiness evaluation that will tell you specifically.
