Free resiliency assessment

Expert guidance, applied to what you already own

← Field Notes index No. 02 Resilience & Recovery Filed · July 2026 9 min read

When ransomware hits, the district stops.

A recovery playbook for schools and local government. Backups are not the plan. This is the sequence that gets identity, phones, payroll, transportation, and critical services back online in hours instead of weeks.

Recovery sequence ready
01Incident brief

The bad morning

The ransomware call rarely starts with “our files are encrypted.” It starts with something more immediate: “the phones are down, the door badges stopped working, and we cannot see the cameras.”

When Uvalde CISD confirmed ransomware in September 2025, the district canceled four days of classes because the attack disrupted phones, air-conditioning controls, security cameras, visitor management, and Skyward. That is what a modern district attack looks like. It does not just take data hostage. It takes Tuesday hostage.

02Threat model · Why the restore path fails

The attack before the attack

Your backups are usually the first target. Modern ransomware crews do not encrypt on arrival. They map the environment, escalate access, and find the recovery infrastructure first. If the backup plane trusts the same identity system the attacker controls, one stolen administrator account can compromise production and recovery together.

The fix is architectural. At least one recovery copy must be immutable inside its retention window and inaccessible through production credentials. If every copy can be changed by the same administrator, every copy is inside the blast radius.

Shared trust
Production and backup administration use the same identity plane.
One compromise. Two environments.
Untested recovery
A successful backup job proves data was written. It does not prove operations can return on time.
Green check. Unknown outcome.
Vendor blast radius
The PowerSchool incident showed how one third-party credential can expose data across many districts.
Your plan must include their failure.
03Metrics

The only numbers that matter

Backups answer whether. RTO and RPO answer when and how much.

“We have backups” is not an operating commitment. Leadership needs two approved numbers for every critical workload, and IT needs a timed test proving the environment can meet them.

RTO
Recovery time objective · hours
How long can the service stay unavailable before the district or municipality cannot operate?
RPO
Recovery point objective · lost data
How much recent data can the organization accept losing between the last safe copy and the attack?
04Recovery clock · The first 72 hours

Recover in a sequence. Not in a panic.

The first 72 hours decide whether this is a hard week or a lost month. These are illustrative targets, not promises: your real recovery time comes from rehearsing your own environment with a stopwatch.

Recovery sequenceT+0 → T+72h+
01 T+0 Contain and declare
Minutes, not meetings

Isolate the affected network. Call your insurer, counsel, and incident-response firm. Move communication to a channel the attacker cannot see.

Cut lateral movementPreserve evidenceActivate out-of-band communications
02 T+0–4h Restore the foundation
Tier 0 systems

Recover identity and core networking into a clean environment. Nothing else can come back safely until trust and connectivity are restored.

Identity servicesDNS, DHCP, and core networkPrivileged access controls
03 T+4–24h Reopen operations
Tier 1 systems

Bring back the systems that determine whether school opens and public services continue. Use the immutable copy as the source of truth.

SIS and payrollPhones and transportationSafety and visitor systems
04 T+24–72h Recover in order
Tier 2 systems

Restore the remaining environment in a business-approved sequence. Validate every workload before reconnecting it to production.

Department applicationsFile servicesValidation and monitoring
05 T+72h+ Validate and close
From restored to recovered

Service comes back before trust does. Confirm eradication with your forensics team, rotate every credential, and keep heightened monitoring in place until the environment has re-earned normal operations.

Forensic close-out and root-cause fixFull credential rotationAfter-action review and plan updates
Recovery principle

Isolate affected systems and restore from a clean, offline backup. CISA's StopRansomware guidance recommends maintaining offline backups and regularly testing their availability and integrity. Read the CISA guide →

05Definition of done · Beyond the first 72 hours

Back online is not the same as recovered

The restore sequence ends in days. Full recovery takes weeks, and most of it is invisible: proving the attacker is out, proving the data is right, and closing the door they came through. Re-entry through leftover access is how a two-day outage becomes a repeat incident.

So full recovery is declared, not assumed. It ends with evidence: a forensic close-out, validated data, rotated credentials, a documented timeline for the insurer and the state, and an after-action review that changes the plan instead of shelving it.

Eradication proven
Forensics closes the entry point, persistence is hunted down, every credential is rotated, and monitoring watches for re-entry.
The attacker is out — and you can show it.
Data validated
System owners check restored records against known-good points. Grades, payroll, permits: the departments confirm the data is correct, not just present.
Restored is not the same as right.
Readiness rebuilt
A fresh immutable baseline, replication re-enabled, the runbook rewritten with what the incident taught, and the next timed failover on the calendar.
Recovery ends where rehearsal restarts.
06Operating model · Managed recovery, two ways

Recovery already standing by

Do not build the lifeboat after the ship starts sinking.

A district can build all of this in-house. The honest question is whether a lean IT team can maintain a second recovery environment, protect it from the production blast radius, rehearse it on a schedule, and keep the documentation current while still running everything else. That is why ModernOps runs recovery two ways.

Model A · Managed DR

Your infrastructure, run with discipline.

Keep the backup and DR investment you already own. ModernOps operates and documents it: immutability verified, restore order written down, restores tested and timed on a schedule, and evidence reports that leadership and insurers can read.
Co-managed on your equipment
Model B · Hosted DRaaS

We run the recovery side for you.

Replication flows to a recovery environment ModernOps hosts and operates: pre-staged, isolated from district credentials, and rehearsed with your team. On the bad morning, failover starts with a call to an engineer who already knows the environment.
Hosted BaaS & DRaaS in PA and AZ
Recovery requirementBuilt during the incidentRun by ModernOps
Clean environmentDesigned under pressurePre-staged and isolated in advance
Recovery copyMay share production trustLocked, immutable snapshots
RTO and RPOAssumed until testedDefined, tested, and timed
Bad-morning supportStart with a new ticketCall an engineer who knows the environment
DocumentationIn one engineer's headRunbooks and test evidence kept current

In either model, recovery stops being a binder and becomes an operation. Replication runs continuously. Restores are tested on a schedule and timed. Documentation stays current because keeping it current is the job. The results become evidence for leadership, auditors, and insurers — not a promise buried in a runbook. Backup is delivered as BaaS on enterprise storage with immutability built in, and failover is covered by DRaaS with defined RTO and RPO.

07Assessment

Could you prove recovery is ready?

The 60-second check
0/5Not yet measured
This is a quick screen, not a resilience score. Any unchecked item belongs in the recovery plan.
08Primary reading

Sources

Ryan Beglau
Filed from Conshohocken, PA · July 2026
09Before you need it

Find your real recovery window before someone else does.

The free Rapid Infrastructure Resiliency Assessment scores backup, recoverability, immutability, and failure tolerance in a few hours. It is remote-first, carries no obligation, and ends with a prioritized gap list you can act on.

Or call 484-429-9328 — you'll talk to the engineer who would take the bad-morning call.

← All field notes Field Notes · No. 02 · Ryan Beglau · ModernOps, LLC