Early one Friday morning, a mid-sized electrical contractor in Western Canada woke up to a nightmare: their core servers were offline, critical systems were inaccessible, and evidence of a live ransomware attack appeared across the network.
Within hours, Clearbridge moved from containment to recovery, protecting the business and restoring operations by:
– Containing the attacker by isolating the network.
– Deploying advanced endpoint detection across the environment.
– Restoring clean servers from recent backups to a replacement hypervisor.
– Resetting all privileged credentials and initiating a global password reset.
– Returning key staff to working status before the end of the business day.
By Monday morning, onsite and remote employees were back to work in a controlled, secure way, with added monitoring and hardening to reduce future risk.
This post walks through the attack, the response, and the business lessons any organization can apply to strengthen cyber resilience.
Customer Profile
– Mid-sized electrical contractor operating in Western Canada.
– Mix of office staff and field employees relying on centralized systems.
– Core line-of-business applications hosted on virtual servers.
– Microsoft 365 in use for email and collaboration.
– Dependence on reliable access to scheduling, accounting, and project information—any extended outage directly threatens revenue, cash flow, and customer commitments.
The Incident at a Glance
Type of attack: Targeted ransomware with a Python-based backdoor.
Initial entry: A user executed a malicious file that unpacked scripts and created persistent scheduled tasks.
Impact: Core virtual servers shut down and encrypted, attacker present on the hypervisor, multiple workstations infected.
Key Outcomes:
– Ransomware contained.
– Clean server environment restored from backups.
– All domain and global administrator accounts reset.
– All user passwords reset and re-enrolled with secure access.
– Endpoint detection and response (EDR) deployed across the environment.
Business Risk: What Was Really at Stake
This was more than a technical incident.
The attack threatened:
– Operational continuity: Inability to access core systems could halt work on active projects.
– Revenue and cash flow: Delayed jobs, invoicing, and project billing.
– Customer reputation: Missed deadlines and communication breakdowns.
– Regulatory and contractual exposure: Potential questions around data handling, privacy, and security.
A slow or poorly coordinated response could have extended downtime from hours into days or weeks, with cascading financial and reputational damage.
How the Attack Unfolded
Phase 1: Initial Entry
A user opened a malicious file that:
– Unpacked Python scripts.
– Created scheduled tasks to persist malware.
– Hid code using multiple layers of obfuscation.
The scripts connected to an attacker-controlled system, giving the threat actor remote access.
Phase 2: Establishing Control
The attacker:
– Explored the network using the backdoor.
– Delivered additional payloads, including ransomware.
– Targeted the virtualization host running key business servers.
– Timed actions to avoid immediate detection.
Phase 3: Payload Deployment and Impact
When the ransomware activated:
– Core virtual machines went offline and could not restart.
– Engineers observed live control of the hypervisor.
– Remote management software was removed, confirming active compromise.
Clearbridge Response: Contain, Restore, Harden
1. Immediate Containment
Within minutes:
– Engineers confirmed abnormal behavior and suspicious ransomware filenames.
– Instead of shutting everything down, network traffic was blocked while secure remote access for responders was kept open.
– Firewall rules permitting traffic in and out of the environment were disabled to isolate it, balancing containment against the ability to recover.
2. Rebuilding from Known Good Backups
By 3:00 am:
– Servers restored from a backup taken four days prior.
– A replacement hypervisor was prepared for clean deployment.
– All domain and global administrator accounts were reset.
3. Full Environment Threat Hunt
– EDR deployed across endpoints.
– Server and workstation logs examined for suspicious activity.
– High-risk endpoints isolated for inspection and cleaning.
– Specialized incident responders validated findings and provided forensic insight.
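As an added example (not Clearbridge's tooling or the scripts used in this incident), here is a PowerShell hunt for the scheduled-task persistence described in Phase 1, run across domain-joined endpoints of the kind swept in this step. It assumes the ActiveDirectory module and WinRM access to the endpoints; the patterns it flags are general-purpose assumptions, not indicators from this case.

```powershell
# Added example: hunt for scheduled tasks that launch script interpreters or
# run out of user-writable paths, which is how the Phase 1 persistence worked.
# Assumes: ActiveDirectory module, WinRM enabled, an account with remote admin
# rights. Patterns are generic assumptions, not indicators from this incident.

$SuspiciousPatterns = @(
    'python',                                   # Python interpreter launched by a task
    'powershell.*(-enc|-e |-EncodedCommand)',   # encoded PowerShell
    'wscript|cscript|mshta|regsvr32|rundll32',  # LOLBins commonly used by droppers
    '\\Users\\[^\\]+\\AppData\\',               # payload living in a user profile
    '\\(Temp|ProgramData|Public)\\'             # other user-writable locations
)

function Get-SuspiciousScheduledTask {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$Patterns = $SuspiciousPatterns
    )
    Invoke-Command -ComputerName $ComputerName -ThrottleLimit 32 -ErrorAction Continue `
        -ArgumentList (,$Patterns) -ScriptBlock {
        param([string[]]$Patterns)
        foreach ($task in Get-ScheduledTask) {
            foreach ($action in $task.Actions) {
                # Only exec actions carry Execute/Arguments; skip COM-handler actions.
                if (-not $action.Execute) { continue }
                $cmd  = ($action.Execute + ' ' + $action.Arguments).Trim()
                $hits = $Patterns | Where-Object { $cmd -match $_ }   # -match is case-insensitive
                if ($hits) {
                    [pscustomobject]@{
                        Computer   = $env:COMPUTERNAME
                        Task       = $task.TaskPath + $task.TaskName
                        Author     = $task.Author
                        RunAs      = $task.Principal.UserId
                        Registered = $task.Date
                        Command    = $cmd
                        Matched    = ($hits -join '; ')
                    }
                }
            }
        }
    }
}

# Usage: sweep every enabled computer object. Hosts that do not answer show up
# in the error stream and need a manual check (or are already network-isolated).
$endpoints = (Get-ADComputer -Filter 'Enabled -eq $true').Name
$findings  = Get-SuspiciousScheduledTask -ComputerName $endpoints
$findings | Sort-Object Computer, Task | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path "task-hunt-$(Get-Date -Format yyyyMMdd-HHmm).csv"
```

The output is a triage list, not a verdict: legitimate updaters under ProgramData will match too. For each hit worth acting on, capture the task definition first (Export-ScheduledTask) and only then Disable-ScheduledTask, so the evidence survives for the responders doing the forensic work.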
4. Credential Reset and User Recovery
– All domain and global administrator accounts reset immediately.
– Global password reset planned and executed for all users.
– Full Active Directory credential reset completed by late afternoon.
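The Active Directory side of a reset like this, as an added example and not the procedure Clearbridge ran: privileged accounts get new random passwords immediately, every other enabled user is forced to change at next logon, and the krbtgt account is rotated. It assumes the ActiveDirectory module and Domain Admin rights; the group names and password length are assumptions for illustration.

```powershell
# Added example of a domain-wide credential reset. Not the script used in the
# incident. Assumes: ActiveDirectory module, Domain Admin rights, and that the
# privileged population is defined by the groups below. Run with -WhatIf first.

function New-RandomPassword {
    param([int]$Length = 24)
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # 64 symbols exactly, so 256 % 64 == 0 and the modulo introduces no bias.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*+'.ToCharArray()
    $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    ConvertTo-SecureString $pw -AsPlainText -Force
}

function Reset-DomainCredentials {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [int]$PasswordLength = 24
    )

    # 1. Privileged accounts: new random password now, not "change at next logon",
    #    because the attacker may already hold valid credentials for them.
    $privileged = $PrivilegedGroups |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
        Where-Object objectClass -eq 'user' |
        Sort-Object -Unique DistinguishedName

    foreach ($acct in $privileged) {
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Reset privileged password')) {
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset `
                -NewPassword (New-RandomPassword -Length $PasswordLength)
            # Store the new value in the out-of-band vault here; never write it to a log.
        }
    }

    # 2. Every other enabled user must change at next logon. PasswordNeverExpires
    #    has to be cleared first, or ChangePasswordAtLogon is silently ineffective.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires |
        Where-Object { $_.DistinguishedName -notin $privileged.DistinguishedName } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Force password change at next logon')) {
                Set-ADUser -Identity $_ -PasswordNeverExpires $false -ChangePasswordAtLogon $true
            }
        }

    # 3. krbtgt: an attacker who dumped it can forge tickets for any user, so it is
    #    rotated twice. Run the second reset only after the first has replicated and
    #    outstanding tickets have expired (10 hours at the default max lifetime).
    if ($PSCmdlet.ShouldProcess('krbtgt', 'First of two krbtgt password resets')) {
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword -Length 64)
    }
}

Reset-DomainCredentials -WhatIf     # review the plan, then run again without -WhatIf
```

Two caveats. Service accounts and application identities must be excluded from step 2 and reset through their own change process, because a forced change at next logon breaks anything authenticating with a stored password. And the Microsoft 365 global administrator accounts mentioned above live in the cloud directory, so they, and their active sessions and tokens, are reset separately from the on-premises domain.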
5. Returning the Business to Operation
By Friday afternoon:
– Restored virtual machines brought online in a secure, isolated environment.
– Workstations triaged, cleaned, and validated.
– Key staff resumed essential business functions ahead of the weekend.
Structured Monday Morning Recovery
– Controlled return of staff to the office.
– Onsite workstation verification and cleanup.
– Remote re-onboarding of users to company systems.
– Focused support for specialized applications like accounting and ERP tools.
By mid-morning, both office and remote employees were operational, minimizing disruption and panic.
Ongoing Hardening and Unknowns
– Root cause not fully identified because the attacker destroyed evidence.
– Assessment of possible data exfiltration ongoing.
– Continuous monitoring, threat hunting, and access hardening remain in place.
4 Key Lessons for Business Leaders
1. Backups Are Necessary But Not Sufficient
– Recent, reliable backups allowed recovery without paying a ransom. A backup is only "known good" if it predates the intrusion, and with the attacker's dwell time not established, the restored servers were brought up isolated and checked before being trusted.
– Backups must be paired with tested recovery plans, alternative infrastructure (e.g., a clean hypervisor or cloud capacity), and a partner who can execute under pressure at 1:30 am.
2. Endpoint Detection and Response (EDR) Is Critical
– Signature-based antivirus is poorly suited to multi-stage, script-heavy attacks like this one.
– EDR detects suspicious behavior, aids responders, and provides forensic telemetry.
3. Identity and Access Are High-Value Targets
– Attackers target credentials for lateral movement.
– Rapid global credential resets and MFA reduce the attacker's ability to persist; a reset must cover privileged and service accounts and invalidate existing sessions, not just user passwords.
4. Network Design Can Limit Blast Radius
– Isolation and segmentation reduced impact while maintaining recovery capabilities.
How Clearbridge Helps You Prepare
We focus on business outcomes, not just devices. Our approach includes:
– Incident readiness and playbooks: Clear roles and runbooks before emergencies.
– Modern endpoint protection and monitoring: EDR across servers and workstations.
– Backup and recovery strategy: Tested backups, defined recovery objectives, alternative infrastructure.
– Identity and access hardening: MFA, privileged access management, rapid credential resets.
– Network segmentation and zero trust principles: Reducing lateral movement and exposure.
– Ongoing security reviews and improvement: Continuous tuning from real incidents and evolving threats.
Your Next Business Steps
Ransomware isn’t just a threat to large enterprises.
Mid-sized businesses, especially in aviation, manufacturing, transportation, construction, and professional services, are attractive targets because their operations cannot tolerate downtime.
In this case, Clearbridge’s preparation, tooling, and precise response:
– Contained the attack before it spread.
– Restored core systems quickly using clean backups on new infrastructure.
– Returned staff to work in a controlled, secure way with stronger security.
Proactive action is key. You don’t need to wait for a 1:30 am call to start improving your cyber resilience.
We can help you:
– Assess current readiness.
– Identify gaps in backup, identity, endpoint security, and network design.
– Build a practical roadmap to strengthen your defenses.