The bad morning
The ransomware call rarely starts with “our files are encrypted.” It starts with something more immediate: “the phones are down, the door badges stopped working, and we cannot see the cameras.”
When Uvalde CISD confirmed ransomware in September 2025, the district canceled four days of classes because the attack disrupted phones, air-conditioning controls, security cameras, visitor management, and Skyward. That is what a modern district attack looks like. It does not just take data hostage. It takes Tuesday hostage.
The attack before the attack
Your backups are usually the first target. Modern ransomware crews do not encrypt on arrival. They map the environment, escalate access, and find the recovery infrastructure first. If the backup plane trusts the same identity system the attacker controls, one stolen administrator account can compromise production and recovery together.
The fix is architectural. At least one recovery copy must be immutable inside its retention window and inaccessible through production credentials. If every copy can be changed by the same administrator, every copy is inside the blast radius.
The only numbers that matter
“We have backups” is not an operating commitment. Leadership needs two approved numbers for every critical workload, and IT needs a timed test proving the environment can meet them.
Recover in a sequence. Not in a panic.
The first 72 hours decide whether this is a hard week or a lost month. These are illustrative targets, not promises: your real recovery time comes from rehearsing your own environment with a stopwatch.
01 T+0 Contain and declare
Isolate the affected network. Call your insurer, counsel, and incident-response firm. Move communication to a channel the attacker cannot see.
02 T+0–4h Restore the foundation
Recover identity and core networking into a clean environment. Nothing else can come back safely until trust and connectivity are restored.
03 T+4–24h Reopen operations
Bring back the systems that determine whether school opens and public services continue. Use the immutable copy as the source of truth.
04 T+24–72h Recover in order
Restore the remaining environment in a business-approved sequence. Validate every workload before reconnecting it to production.
05 T+72h+ Validate and close
Service comes back before trust does. Confirm eradication with your forensics team, rotate every credential, and keep heightened monitoring in place until the environment has re-earned normal operations.
Isolate affected systems and restore from a clean, offline backup. CISA's StopRansomware guidance recommends maintaining offline backups and regularly testing their availability and integrity. Read the CISA guide →
Back online is not the same as recovered
The restore sequence ends in days. Full recovery takes weeks, and most of it is invisible: proving the attacker is out, proving the data is right, and closing the door they came through. Re-entry through leftover access is how a two-day outage becomes a repeat incident.
So full recovery is declared, not assumed. It ends with evidence: a forensic close-out, validated data, rotated credentials, a documented timeline for the insurer and the state, and an after-action review that changes the plan instead of shelving it.
Recovery already standing by
A district can build all of this in-house. The honest question is whether a lean IT team can maintain a second recovery environment, protect it from the production blast radius, rehearse it on a schedule, and keep the documentation current while still running everything else. That is why ModernOps runs recovery two ways.
Your infrastructure, run with discipline.
We run the recovery side for you.
| Recovery requirement | Built during the incident | Run by ModernOps |
|---|---|---|
| Clean environment | Designed under pressure | Pre-staged and isolated in advance |
| Recovery copy | May share production trust | Locked, immutable snapshots |
| RTO and RPO | Assumed until tested | Defined, tested, and timed |
| Bad-morning support | Start with a new ticket | Call an engineer who knows the environment |
| Documentation | In one engineer's head | Runbooks and test evidence kept current |
In either model, recovery stops being a binder and becomes an operation. Replication runs continuously. Restores are tested on a schedule and timed. Documentation stays current because keeping it current is the job. The results become evidence for leadership, auditors, and insurers — not a promise buried in a runbook. Backup is delivered as BaaS on enterprise storage with immutability built in, and failover is covered by DRaaS with defined RTO and RPO.