Ransomware Recovery by Design: Building Cyber Resilience That Works
Ransomware is now a business continuity problem in Australia, not just a security issue. Most Australian organisations overestimate their ability to recover.
The Annual Cyber Threat Report 2024–25 from the Australian Signals Directorate’s ACSC confirms that ransomware continues to increase in frequency and represents a disproportionate share of the most damaging incidents handled by the ACSC.
The Ransomware: Rising Threats and Resilience (2024) survey by McGrath Nicol (with YouGov Australia) found that 69% of Australian businesses have experienced a ransomware attack within the past five years.
Speaking in layman’s terms, ransomware today is like someone locking the doors to your factories, offices, and records all at once and then demanding payment to give you the keys back. The issue here isn’t really that you are locked out; it’s whether the business can still function after the attack.
This typically resonates with senior management because it moves the discussion from attack methods to the actual business impact. It also highlights issues such as uptime, revenue, safety, and reputation as the real concerns.
When speaking with customers who have had recent ransomware attacks, the common issues faced by the businesses were:
- Operational shutdowns lasting a week or longer
- Invoicing and payroll failures
- Inability to meet customer expectations
- Regulatory reporting obligations
- Board and media scrutiny
In other words: The primary loss is no longer “information.” It’s time, trust, and the ability to operate.
What you should be asking your customers:
- How would you keep operating?
- What absolutely must keep running if systems are unavailable?
- How long can you tolerate outages of core systems, customer‑facing services and financial operations?
- What manual or degraded processes exist today?
Customers should ensure ransomware is explicitly included in:
- Business Continuity Plans (BCP)
- Crisis management playbooks
- Enterprise risk discussions
If ransomware isn’t treated the same way as a natural disaster or major outage, it will be mishandled when it happens.
Why recovery plans fail and the common gotchas organisations overlook
Customers think that they have sufficient backup mechanisms in place to restore their business operations in the event of an attack. In practice, restoring some, if not all, of the core systems in any environment presents many challenges that lead to extended recovery times. For example:
Backups are often present but unusable at scale. Ask your customers whether they’ve considered the following challenges:
- Backups are online or domain‑connected and encrypted
- Backup credentials are compromised with the same admin accounts
- Restore processes haven’t been tested on production‑scale data
- Restoring one system is easy; restoring 50 interdependent systems isn’t
As a result, recovery speed is constrained less by backup existence and more by restore complexity and confidence.
On top of backup restoration, there is other core infrastructure to consider:
- Ransomware frequently compromises Active Directory / identity infrastructure, which everything depends on.
- Application recovery plans ignore system interdependencies
- Assuming people can execute under crisis conditions
- Legal and assurance checks pause recovery
- Clean rebuilds take far longer than quick fixes
What does recovery by design add that prevention alone can’t?
Recovery by design changes the thought process from "how do we stop people from getting in?" to "when they do get in, how do we ensure they can't stop us from operating?"
What this means is that prevention focuses on blocking access, whereas recovery by design focuses on limiting control.
- Backups are logically and operationally isolated
- Restore authority is separated from day‑to‑day admin roles
- Some recovery mechanisms are unreachable from the compromised environment
This means:
- Stolen credentials don’t equal total control
- Attackers can encrypt production but cannot prevent restoration
Prevention tries to block the intrusion. Recovery by design ensures intrusion does not equal complete control over a customer's environment.
Good recovery‑by‑design organisations treat backups as a separate capability, not an extension of production IT. The key outcome is that an attacker can encrypt production but cannot prevent restoration.
- Backups are isolated from production identity (logical or physical)
- Restore permissions are separated from day‑to‑day admin roles
- Attackers who compromise AD still cannot delete or encrypt all backups
- Backups are immutable and inaccessible from compromised credentials
- Restore workflows are documented and rehearsed, not tribal knowledge
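One way to check the separation described in this list, as an added example that is not part of the original article: resolve nested group membership and report which accounts with backup authority would fall with the production directory. The group names, account names and export format are constructed for illustration.

```python
# Constructed sample export: group -> direct members (accounts or nested groups).
GROUPS = {
    "Domain Admins": ["alice.adm", "svc-deploy", "Infra Leads"],
    "Infra Leads": ["bob.adm"],
    "Backup Operators": ["svc-backup", "Infra Leads"],
    "Backup Vault Admins": ["vault-carol", "Backup Operators"],
}
# Constructed sample: accounts whose identity lives in the production directory.
PRODUCTION_DIRECTORY = {"alice.adm", "bob.adm", "svc-deploy", "svc-backup"}


def expand(group, groups, seen=None):
    """Resolve nested groups to the accounts that effectively hold the group."""
    seen = set() if seen is None else seen
    if group in seen:  # guard against circular nesting
        return set()
    seen.add(group)
    accounts = set()
    for member in groups.get(group, []):
        if member in groups:
            accounts |= expand(member, groups, seen)
        else:
            accounts.add(member)
    return accounts


def audit(groups, prod_admin_group, backup_admin_group, production_directory):
    """Classify backup administrators by how exposed they are to a directory compromise."""
    prod_admins = expand(prod_admin_group, groups)
    backup_admins = expand(backup_admin_group, groups)
    return {
        # Same account holds day-to-day admin and backup authority.
        "shared_admins": sorted(prod_admins & backup_admins),
        # Not necessarily a domain admin, but resettable by whoever controls the directory.
        "backup_admins_in_production_directory": sorted(backup_admins & production_directory),
        # Backup authority that survives a production identity compromise.
        "isolated_backup_admins": sorted(backup_admins - production_directory),
    }


if __name__ == "__main__":
    report = audit(GROUPS, "Domain Admins", "Backup Vault Admins", PRODUCTION_DIRECTORY)
    for finding, accounts in report.items():
        print(f"{finding}: {accounts}")
```

In the sample data, bob.adm inherits backup authority only through a nested group, and svc-backup is exposed even though it is not a domain admin, because its identity lives in the directory being audited.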
Most ransomware recoveries fail because identity is assumed to be recoverable by default.
Recommended best practices include:
- Identity systems (e.g. AD / Entra) are treated as Tier‑0 recovery assets
- There is a clean rebuild or secure restore path for identity
- Break‑glass accounts exist outside normal identity trust chains
- Certificate authorities, service accounts, and keys are documented
- Recovery does not require trusting a potentially poisoned directory
Prevention‑centric recovery assumes you can “clean and reuse” existing environments. Recovery‑by‑design assumes you can’t.
Recommended best practices include:
- A pre‑defined clean recovery environment (on‑prem, cloud, or hybrid)
- Known-good templates, images, and configurations
- Ability to restore data before reconnecting to production
- No dependency on compromised monitoring, logging, or tooling
- Recovery can proceed while forensics run in parallel
Good recovery‑by‑design organisations plan recovery by business capability, not by systems list.
Recommended best practices include:
- Critical business processes are mapped end‑to‑end
- Dependencies between systems are explicit and documented
- RTOs reflect actual operational outcomes, not IT optimism
- Recovery sequencing is business‑driven (“What enables revenue/safety?”)
- “System restored” is not considered success unless the process works
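To make business-driven sequencing concrete, the following added example (not part of the original article) derives a restore order from a documented dependency map, one business process at a time. The system names, the dependency map and the process priorities are constructed for illustration.

```python
from graphlib import CycleError, TopologicalSorter

# Constructed sample map: system -> systems that must already be working.
DEPENDS_ON = {
    "identity": [],
    "dns": ["identity"],
    "email": ["identity", "dns"],
    "database": ["identity", "dns"],
    "erp": ["database", "identity"],
    "invoicing": ["erp", "email"],
    "payroll": ["erp"],
    "intranet": ["identity"],
}
# Constructed sample: business processes in the order the business wants them back.
PROCESSES = [("invoicing", ["invoicing"]), ("payroll", ["payroll"])]


def closure(targets, depends_on):
    """Every system needed, directly or indirectly, for the targets to work."""
    needed, stack = set(), list(targets)
    while stack:
        system = stack.pop()
        if system not in depends_on:
            raise KeyError(f"undocumented dependency: {system}")
        if system not in needed:
            needed.add(system)
            stack.extend(depends_on[system])
    return needed


def restore_plan(processes, depends_on):
    """Per process, the systems still to restore, dependencies first."""
    restored, plan = set(), []
    for name, targets in processes:
        needed = closure(targets, depends_on)
        graph = {s: depends_on[s] for s in sorted(needed)}
        try:
            order = list(TopologicalSorter(graph).static_order())
        except CycleError as exc:
            raise ValueError(f"circular dependency blocks {name}: {exc.args[1]}")
        steps = [s for s in order if s not in restored]
        restored.update(steps)
        plan.append((name, steps))
    return plan


if __name__ == "__main__":
    for process, steps in restore_plan(PROCESSES, DEPENDS_ON):
        print(f"{process}: {' -> '.join(steps)}")
```

Identity comes first in every plan that needs it, systems no prioritised process depends on (here the intranet) are left for later, and an undocumented or circular dependency stops planning instead of surfacing mid-recovery.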
Example assessment questions to ask a customer:
If domain admin accounts were fully compromised today, what would still stop an attacker from deleting or encrypting every backup?
If we had to assume admin accounts were compromised, how would we authenticate people and systems during recovery?
Where would we restore systems and data if we decided not to trust the current environment at all?
Which business process do we restore first, and which systems must all be working for that process to function?
How partners can move the conversation from security tools to recovery outcomes customers can prove
The key partner takeaway here is:
- Prevention reduces likelihood
- Recovery determines impact
- Evidence determines credibility
Partners who help customers demonstrate recovery outcomes, not tool counts, will be the ones trusted when incidents happen.
“In my conversations with partners, the biggest shift we’re driving is from reacting to ransomware to staying ahead of it. With NetApp’s Autonomous Ransomware Protection, the NetApp BU at Dicker Data are helping partners deliver solutions that not only detect threats early, but ensure customers can recover quickly and keep operating.” - Kate Davis, NetApp Business Manager, Dicker Data.
A concise framing that consistently works:
“We’re not trying to sell you more security tools. We’re helping you prove to your board and insurers that ransomware cannot stop you from recovering.”
That repositions the partner as:
- A continuity advisor
- A governance enabler
- A risk‑outcome translator
How Dicker Data supports your customers’ recovery needs
Ransomware is now a business continuity issue, not just a security challenge, and many organisations overestimate how quickly and confidently they can recover when systems, identities, and data are compromised. Dicker Data helps partners address this gap by shifting the conversation from security tools to proven recovery outcomes.
Through our vendor ecosystem, technical expertise, and partner enablement, we support recovery‑by‑design approaches that isolate backups and restore authority, prioritise business‑critical processes, and create clean recovery paths that stand up to real‑world ransomware scenarios.
This empowers partners to help customers demonstrate resilience to boards, regulators, and cyber insurers, proving that while prevention reduces likelihood, recovery determines impact. Please get in touch with our local team to find out more.
