A 3-site construction company survives a ransomware scare
On a Friday at 3:40pm, an estimator opened an invoice attachment that wasn't an invoice. What happened over the next 66 hours is why we test backups instead of admiring them.
A convincing email, a bad afternoon
The company — around 45 staff across a head office and two active job sites — had been a managed client for about a year. The email that got through was good: it referenced a real supplier and arrived during invoice week. The estimator opened the attachment, and ransomware began encrypting the files their account could reach.
Why it didn't become a catastrophe
Two boring decisions made earlier did most of the work. Endpoint protection killed the process and isolated the machine from the network within minutes, raising the alert that started our response. And because the environment was segmented — site networks separated, file permissions scoped to role — the blast radius was one workstation and one department's share, not the company.
// the approachContain, verify, restore, prove
We treated it as a full incident regardless of how contained it looked. Friday evening: the workstation was pulled for reimaging, the estimator's credentials were reset, and every endpoint was swept for the same payload. Saturday: the encrypted share was restored from the previous night's backup — the same backups whose restores we test quarterly, which is why nobody had to hope. Sunday: we verified file integrity with the department lead and confirmed the initial email's path, then closed the gap in the mail filter rule that had let it through.
Monday 8am, all three sites worked normally. Total data loss: a few hours of one estimator's Friday work. The incident report went to the owners in plain English the same week, and to their insurer without follow-up questions.
// the outcomeWhat actually changed
- No ransom was paid, and no client or bid data left the company.
- One workstation was reimaged; roughly six working hours were lost in one department.
- The phishing simulation program got a new template based on the real email — click rate on that pattern has since dropped measurably.
- The owners now describe security spending as insurance that paid out.
The honest caveat: this went well because the groundwork existed. The same email landing at the same firm two years earlier — flat network, untested backups — would have been a very different story, and a much more expensive case study.
About this case
Why didn't the ransomware spread to the other sites?
Network segmentation and least-privilege access. The estimator's account could reach the files an estimator needs, not the whole company. The site networks connect through the firewall, not as one flat network — so encryption stopped at the boundary of one machine's reach.
Would you ever advise paying a ransom?
Our job is to make the question irrelevant: with tested backups and a rehearsed recovery plan, restoring is faster and cheaper than negotiating with criminals. Payment decisions ultimately belong to the client, their insurer and their counsel — but no client of ours with tested backups has needed to consider it.
Is this case study real?
Yes. The client is real and consented to publication; identifying details are anonymized and figures are rounded. The recovery went well because it had been rehearsed — that's the takeaway, not luck.
Would your Friday afternoon end this way?
The free assessment includes a plain look at your backups, permissions and phishing exposure — the three things that decided this story.