Ransomware is the incident that turns a security problem into a business problem in the space of an hour. Operations stop. Data may be gone, or worse, quietly copied and about to be published. And the decisions come fast, under pressure, usually at the worst possible time. Having been in the room for these, we can tell you that the organisations which recover in days rather than weeks aren't the lucky ones. They're the ones who got the first few hours right.
This is a plain-language account of what actually happens, and what actually helps, when ransomware hits a UAE business.
The first hours are about containment without self-sabotage
The instinct when you see ransomware spreading is to rip everything offline as fast as possible. Understandable, but done carelessly it destroys the very information you'll need to recover properly. The goal in the opening hours is to contain the spread while preserving the evidence — and those two aims pull against each other, which is exactly why improvising it goes badly.
In practice the priorities are: isolate affected systems to stop the encryption spreading, but do it in a way that preserves forensic artefacts rather than wiping them. Establish scope quickly — what's encrypted, what may have been exfiltrated, and, critically, what's still clean and worth protecting. Activate your incident-response plan and your escalation contacts, so the right people are making the right calls instead of whoever happened to be online. And begin preserving evidence immediately, because you will need it — for forensics, for the regulator, and quite possibly for the insurer.
Every one of those is far easier if it was decided in advance. Deciding them live, while the business is down and everyone's adrenaline is up, is where hours leak away.
Should you pay the ransom? Almost never, and here's the honest reasoning
This is the question every executive asks, and the answer deserves more than a slogan. Paying is a last resort, not a strategy, for reasons that are practical rather than moral.
It funds the next attack, on you or someone else. It offers no guarantee — decryptors provided by criminals are often slow, buggy, or incomplete, and "we paid and got most of our data back eventually" is a common and miserable outcome. It marks you as an organisation that pays, which invites a repeat. And it may carry legal and regulatory consequences depending on who's on the other end of the transaction. Professional recovery — containment, then restoration from validated backups, plus decryption where it's genuinely possible — is almost always the better path, and it's the path that doesn't leave you dependent on a criminal keeping their word.
There are rare situations where the maths changes, and if you're in one, you want that decision made with legal counsel, your insurer, and specialists in the room — not alone at 3am. Which is, again, an argument for having those relationships in place before you need them.
How professional recovery actually works
Recovery isn't a single action; it's several disciplines running in coordination, and skipping any of them tends to cause a relapse.
Containment and eradication come first — not just stopping the spread, but finding and removing the attacker's persistence, so they can't simply come back. Then digital forensics, to establish how they got in and how far they got, which matters both for closing the door and for the report you'll owe. Then recovery itself: restoring operations from clean backups, in the right order, verifying integrity as you go rather than trusting that a backup is good because it exists. And finally hardening — closing the entry point that let this happen, because restoring into the same weakness is how organisations get hit twice in a month.
The single grimmest moment in any ransomware engagement is the one where a client goes to their backups and finds them encrypted too — online, reachable, and hit along with everything else. Validated, isolated, tested backups are the difference between a bad week and an existential one, and they are worth every inconvenience of maintaining them properly.
The regional dimension
In the UAE, ransomware isn't only an operational crisis; it can be a regulatory one. Depending on your sector and the data involved, there are reporting obligations with real clocks attached — Central Bank expectations for financial institutions, ADHICS considerations in healthcare, and the PDPL where personal data has been exfiltrated. Handling the incident well technically but fumbling the disclosure can turn a contained event into a compliance failure on top of the operational damage. This is another reason the communication and legal decisions belong in your rehearsed plan, not in the panic.
Readiness is cheaper than recovery, every time
Everything above is what recovery looks like when it goes as well as it can. But the cheapest ransomware incident, by an enormous margin, is the one you were ready for — the intrusion your 24/7 monitoring caught before the encryption started, the backups you'd validated and isolated, the plan your executives had actually rehearsed. Recovery is what you do when prevention and early detection have already failed, and while good recovery can save the business, it's always more expensive and more traumatic than the readiness that would have blunted it.
What good looks like in the first day
It helps to have a rough picture of how a well-run recovery unfolds, if only so you can recognise when yours is going off the rails. In the first hour or two, the focus is containment and scoping — stopping the spread, understanding what's hit, and standing up the response team, not restoring anything yet. Through the first several hours, forensics runs in parallel with planning: establishing the entry point and whether data left the building, while the recovery sequence is worked out and the backups are verified as clean before anyone relies on them. Only once you understand root cause and have confirmed good backups does restoration begin in earnest, prioritised by what the business needs most, with the known entry point closed first so you're not rebuilding into the same hole. Communications — to staff, customers, and where required the regulator — run alongside all of it on their own clock, not as an afterthought. If instead your first day is a frantic wipe-and-restore with no forensics, no root-cause work, and no idea whether the backups are trustworthy, that's the pattern that leads to reinfection a week later. Calm, sequenced, evidence-preserving — that's what good looks like, and it's almost always the product of preparation rather than heroics on the night.
If you're facing an active incident right now, don't work through it alone — reach our response line. And if you're reading this in calmer times, that's the smart moment to make sure you'd be ready: book a readiness assessment before you need one.
