Clearbridge CA
Proudly Canadian. Solving Business Problems with Technology.

Case Study: Emergency Ransomware Containment & Recovery

Jan 27, 2026 | IT Solutions & Trends

Early Friday morning, a mid-sized electrical contractor in Western Canada was hit with ransomware.

Servers were down.
Systems were locked.
The attacker was still active.

By Monday morning, staff were working again.

Here’s how it happened, and what your business can learn from it.


The Business

• Mid-sized electrical contractor
• Office and field teams
• Virtual servers running core apps
• Microsoft 365 for email
• Heavy reliance on scheduling, accounting, and project systems

If systems stayed down, revenue stopped.


The Attack

Entry point: A user opened a malicious file.

It:
• Dropped hidden Python scripts
• Created scheduled tasks to keep those scripts running (persistence)
• Gave the attacker remote access to the machine

Then the attacker:
• Moved laterally across the network
• Targeted the virtualization host
• Deployed ransomware
• Encrypted the core virtual machines

Operations halted.


What Was at Risk

• Ongoing projects
• Cash flow
• Customer trust
• Data security

A slow response could have meant weeks of downtime.


The Response

Clearbridge followed three steps:

1. Contain
• Isolated the network to cut off the attacker’s access
• Blocked malicious traffic
• Maintained secure remote access for the response team


2. Restore
• Rebuilt servers from clean backups
• Deployed a replacement hypervisor
• Reset all admin credentials


3. Harden
• Deployed Endpoint Detection and Response (EDR)
• Reset all user passwords
• Reviewed logs and isolated risky devices

No ransom was paid.

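
The persistence the attacker set up (hidden Python scripts launched by scheduled tasks) leaves a record that the log review in the Harden step can hunt for across every machine. The script below is an added example written for this page, not Clearbridge’s tooling or anything recovered from the incident. It assumes Windows Security auditing is recording event 4698 (“A scheduled task was created”), whose TaskContent field carries the task’s XML definition, and it flags tasks that are hidden or that run a script interpreter from a user-writable folder. The three event records, task names and file paths are constructed for the example, and the interpreter list and path patterns are the author’s assumptions, not indicators taken from the case.

```python
import re
import xml.etree.ElementTree as ET

# XML namespace used by every Task Scheduler task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts that malware commonly launches from a scheduled task (assumed list).
INTERPRETERS = {
    "python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe",
}

# Folders an unprivileged user can write to; vendor tasks rarely run from here (assumed list).
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE
)


def analyze_task(task_xml):
    """Return the indicators found in one task definition; an empty list means nothing notable."""
    root = ET.fromstring(task_xml)
    indicators = []

    # A hidden task does not show in the Task Scheduler UI; attackers set this deliberately.
    hidden = root.findtext("t:Settings/t:Hidden", default="", namespaces=NS)
    if hidden.strip().lower() == "true":
        indicators.append("hidden from the Task Scheduler UI")

    for action in root.findall("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        arguments = action.findtext("t:Arguments", default="", namespaces=NS)
        exe = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()

        if USER_WRITABLE.search(command):
            indicators.append("executable lives in a user-writable path: " + command)
        # An interpreter on its own is normal (admins schedule PowerShell all the time);
        # an interpreter fed a script from a user-writable path is the pattern to triage.
        if exe in INTERPRETERS and USER_WRITABLE.search(arguments):
            indicators.append(exe + " runs a script from a user-writable path: " + arguments)
    return indicators


def hunt(events):
    """Run analyze_task over event 4698 records ({TaskName, TaskContent}); return flagged tasks."""
    flagged = {}
    for event in events:
        indicators = analyze_task(event["TaskContent"])
        if indicators:
            flagged[event["TaskName"]] = indicators
    return flagged


# Constructed event 4698 records (TaskName and TaskContent fields only), not real logs.
SAMPLE_EVENTS = [
    {   # attacker persistence in the style of the case: hidden, pythonw.exe, all under AppData
        "TaskName": r"\OneDriveSyncHelper",
        "TaskContent": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>true</Hidden></Settings>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\jdoe\AppData\Local\Programs\Python\Python311\pythonw.exe</Command>
    <Arguments>C:\Users\jdoe\AppData\Roaming\sync\update.py</Arguments>
  </Exec></Actions>
</Task>""",
    },
    {   # ordinary Windows maintenance task
        "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
        "TaskContent": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>%windir%\system32\defrag.exe</Command>
    <Arguments>-c -h -k -g -$</Arguments>
  </Exec></Actions>
</Task>""",
    },
    {   # admin-created PowerShell task running a script from Program Files: interpreter, but not flagged
        "TaskName": r"\BackupAgent\Nightly",
        "TaskContent": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-ExecutionPolicy Bypass -File "C:\Program Files\Backup Agent\nightly.ps1"</Arguments>
  </Exec></Actions>
</Task>""",
    },
]

if __name__ == "__main__":
    for name, why in hunt(SAMPLE_EVENTS).items():
        print(name)
        for line in why:
            print("   -", line)
```

Feed it the 4698 records exported from each host, or the XML from `schtasks /query /xml`, which uses the same schema. Tasks with no indicators are not printed, so the output is a triage list rather than a verdict: the vendor-style task that runs PowerShell from Program Files passes, while the constructed attacker task trips all three checks.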

Monday Morning

• Systems restored
• Devices verified
• Staff returned in phases
• Key apps prioritized

By mid-morning Monday, the business was operating again.


4 Lessons for Leaders

1. Backups must be tested. A recovery plan that has been rehearsed matters as much as the backup files themselves.

2. EDR is critical. Traditional antivirus is not enough; EDR gives visibility into an attacker who is already inside, which antivirus alone does not.

3. Identity is a primary target. Fast credential resets and MFA reduce the risk that stolen passwords keep working for the attacker.

4. Network design limits damage. Segmentation limits how far an intruder can move from one compromised machine; here the path ran from one user’s device to the virtualization host.


What This Means for You

Ransomware doesn’t just target large enterprises.

Mid-sized businesses in construction, manufacturing, aviation, and professional services are attractive targets.

Preparation made the difference:
• The attack was contained.
• Systems were restored quickly.
• Staff returned safely.

You don’t need to wait for a crisis.

Start the conversation about your cyber resilience today.
