Ransomware Recovery for Construction Firms: The First 4 Hours That Make or Break You

It’s 3 AM. Your project manager calls in a panic. No one can access the shared drive. Files are encrypted. Ransomware has hit your construction firm.

What you do in the next 4 hours will determine whether you recover quickly or lose weeks of work—and potentially your business.

This guide walks you through the critical first steps of ransomware recovery specifically for construction firms, where downtime means missed deadlines, lost contracts, and serious financial damage.

Minute 1-5: Confirm the Attack

• Don’t assume it’s a technical glitch—check for ransom notes, encrypted files (.locked, .encrypted extensions), or unusual file names
• Look for ransom notes (often TEXT files on desktop or in folders)
• Take photos of ransom messages with your phone—don’t rely on screenshots

Minute 6-15: Isolate Affected Systems

• Disconnect from network immediately: Unplug ethernet cables, disable WiFi
• Don’t shut down infected machines—this can destroy forensic evidence and complicate recovery
• Disable any cloud sync services (OneDrive, Dropbox, SharePoint sync)
• Identify and isolate any other potentially infected devices

Minute 16-30: Alert Your IT Team or Managed Service Provider

• Contact your IT provider or security team immediately
• If you don’t have an IT provider, now is the time to call one (like GoodChoice IT)
• Do NOT attempt to “fix” this yourself—ransomware spreads quickly

Minute 31-45: Preserve Evidence

• Take photos of error messages, ransom notes, and encrypted files
• Document which systems are affected and when the attack was discovered
• Don’t delete anything—forensics are important for insurance claims and law enforcement

Minute 46-60: Notify Stakeholders

• Inform senior management immediately
• Alert your cyber insurance provider if you have cover
• Prepare to notify clients about potential delays (but DON’T reveal you’ve been hacked yet)

Determine the Scope of the Attack

• Which systems are infected? (File servers, workstations, project management tools)
• Has the ransomware spread to backups? (This is critical—many attacks target backup systems)
• Are your project files, CAD drawings, site photos, contracts affected?
• Check whether cloud-based tools (Microsoft 365, Procore, etc.) are compromised

Assess Your Backup Situation

• Do you have recent, clean backups? If yes, recovery is faster and cheaper
• Are backups offline and isolated? Online backups may also be encrypted
• When was the last successful backup? Days? Weeks? This determines data loss
• Test a small restore to verify backups are actually usable

To Pay or Not to Pay the Ransom?

This is the hardest decision. Here’s what to consider:

Arguments AGAINST Paying:

• No guarantee you’ll get your data back
• You’re funding criminal operations
• You become a target for future attacks
• Some ransomware groups provide faulty decryptors
• Legal and regulatory issues in some jurisdictions

When Payment Might Be Considered:

• No viable backups exist
• Data loss would bankrupt the company
• Restoration time exceeds acceptable downtime
• Cyber insurance covers the ransom

Important: Consult with your IT security team, insurance provider, and legal counsel before paying any ransom.

If You Have Clean Backups:

• Begin restoring systems from the most recent clean backup
• Prioritise critical systems: accounting, project management, client communications
• Verify backups are truly clean before restoring
• Change ALL passwords before reconnecting systems
• Scan restored systems with updated antivirus before bringing them online

If You’re Considering Paying the Ransom:

• Engage a professional negotiator (many cybersecurity firms offer this service)
• Never use your business email to communicate with attackers
• Negotiate the price—ransoms are often inflated and negotiable
• Get proof the decryption key works before paying
• Document all communications for law enforcement and insurance

Communicate with Your Team

• Inform employees what’s happening (without revealing sensitive details)
• Establish alternative communication methods (personal phones, WhatsApp)
• Set expectations for downtime and recovery timelines
• Warn employees about phishing emails related to the attack

Secure Your Environment Before Restoring

• Identify and patch the vulnerability that allowed the attack
• Enable multi-factor authentication (MFA) across all systems
• Reset ALL passwords—not just admin accounts
• Review user access permissions and remove unnecessary admin rights
• Deploy endpoint detection and response (EDR) software

Report the Incident

• File a report with Action Fraud (UK) or your local cybercrime unit
• Notify your cyber insurance provider with full documentation
• If personal data was compromised, report to the ICO within 72 hours (GDPR requirement)
• Consider notifying clients if their data may be affected

Create a Communication Plan

• Prepare messaging for clients about potential delays
• Coordinate with your legal team on disclosure obligations
• Brief your team on what they can and cannot say publicly
• Monitor for data leaks on the dark web (many ransomware groups threaten to publish stolen data)

Begin Post-Incident Analysis

• How did the attackers get in? (Phishing email, RDP vulnerability, compromised credentials?)
• What could have prevented this?
• Why did backups fail (if they did)?
• What systems need better protection?

The first 4 hours are critical, but ransomware recovery is a marathon, not a sprint.

Week 1 Priorities:

• Complete system restoration
• Conduct full security audit
• Implement additional security controls
• User training on phishing and security awareness

Long-Term Actions:

• Regular penetration testing
• Continuous security monitoring
• Quarterly backup testing
• Cyber insurance review and renewal

The best ransomware recovery plan is one you never have to use.

• Implement the 3-2-1 backup rule: 3 copies of data, on 2 different media types, with 1 copy offsite
• Enable MFA everywhere: Email, VPN, cloud services, remote access
• Train employees on phishing: Most ransomware starts with a malicious email
• Patch everything: Operating systems, applications, firmware
• Segment your network: Isolate critical systems from general users
• Restrict admin rights: Users shouldn’t have admin access to their workstations
• Deploy EDR software: Detects and blocks ransomware before it spreads

If you’re reading this after an attack, contact us immediately at GoodChoice IT. We specialise in rapid ransomware response for construction firms and can help you recover faster.

If you’re reading this as prevention, even better. We offer:

• Ransomware readiness assessments
• Backup testing and validation
• 24/7 security monitoring
• Incident response planning
• Employee security training

Don’t wait until it’s too late. Contact GoodChoice IT today to protect your construction business from ransomware.