
Ransomware Isn't Just for Big Companies Anymore (And What the First 72 Hours Actually Look Like)

By Inevat Team · October 7, 2025

We want to tell you about a client we'll call "a 45-person professional services firm." (We're not naming them, obviously — but this story is real, and so are the numbers.) They thought they were too small to be a target. They weren't doing anything wrong. They had antivirus. They thought they were fine.

At 2:47 AM on a Tuesday, ransomware began encrypting their file server. By the time their first employee sat down at a workstation at 7:15 AM, 60% of their shared drive was gone.

This is what the next 72 hours looked like.

Hour 0–4: Discovery and Containment

The first sign was an employee calling to say her shared drive was showing strange file names — everything had a random extension appended to it. Before that call was over, three more employees were calling in with the same problem.

If you're a managed client with us, here's what happens next: our SOC, which had flagged anomalous activity at 3:12 AM, had already isolated the affected machines. The spread stopped. The attacker's ability to communicate with their command-and-control server was severed.

If you're not a managed client, here's what typically happens: you call your IT person (or IT company), spend 45 minutes explaining what's happening, spend another hour getting them remote access, and by then the infection has spread to three more machines and encrypted your backup drive too — because the backup drive was mapped as a network share.

The difference between those two scenarios is everything.
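
The symptom those employees reported, many files gaining the same unfamiliar appended extension within minutes, is the kind of pattern monitoring can flag long before anyone sits down at a workstation. The Python below is an added example, not part of the original article and not Inevat's SOC tooling; the rename-event format, the allow-list, the window and threshold, and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed allow-list of extensions users and applications append legitimately.
KNOWN_EXTS = {"bak", "tmp", "old", "orig"}

def appended_extension(old, new):
    """Return the suffix if `new` is `old` plus one extra extension, else None."""
    prefix = old + "."
    suffix = new[len(prefix):]
    if new.startswith(prefix) and suffix and "." not in suffix:
        return suffix.lower()
    return None

def detect_mass_rename(events, window=timedelta(minutes=5), threshold=20):
    """Return (extension, time the threshold was crossed) for the first burst, or None."""
    recent = defaultdict(deque)  # extension -> rename timestamps still inside the window
    for ts, old, new in sorted(events):
        ext = appended_extension(old, new)
        if ext is None or ext in KNOWN_EXTS:
            continue
        stamps = recent[ext]
        stamps.append(ts)
        while ts - stamps[0] > window:
            stamps.popleft()
        if len(stamps) >= threshold:
            return ext, ts
    return None

# Constructed sample data: 30 rapid renames plus two ordinary ones earlier in the day.
START = datetime(2025, 1, 7, 2, 47)  # constructed date; 2:47 AM matches the article
SAMPLE_EVENTS = [
    (START + timedelta(seconds=3 * i), f"client_{i:03}.xlsx", f"client_{i:03}.xlsx.x7qk2")
    for i in range(30)
] + [
    (START - timedelta(hours=9), "report.docx", "report_final.docx"),
    (START - timedelta(hours=8), "notes.txt", "notes.txt.bak"),
]

if __name__ == "__main__":
    hit = detect_mass_rename(SAMPLE_EVENTS)
    print("ALERT: mass rename to .%s at %s" % hit if hit else "no burst detected")
```

In practice the events would come from file-server audit logging or an EDR agent, and an alert like this is what triggers the isolation step described above.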

The Ransom Note

Ransomware gangs are surprisingly professional these days. The ransom note was courteous, detailed, and included a "proof of life" — they decrypted two files for free to show they had the key. There was a countdown timer. A chat interface. A Bitcoin wallet address. A list of what they claimed to have exfiltrated.

That last part is important. Modern ransomware attacks are double-extortion: they encrypt your files and they steal copies of your data first. Pay or don't pay — either way, they threaten to publish your client data or sell it on criminal forums.

This changes the calculation significantly. It's not just about getting your files back. It's about who else has your data now.

Hour 4–24: Assessment and Decision

There are three questions that need to be answered fast:

  1. Do we have clean backups we can restore from? This is the question everything hinges on. If yes, you have options. If no, you are at the attacker's mercy.
  2. What data was exfiltrated? This determines breach notification obligations. HIPAA, PCI, state privacy laws — depending on your industry, you may have 72 hours to notify regulators from the moment you know a breach occurred.
  3. Do we pay? This is a legal, ethical, and practical question that your attorney, your insurance carrier, and your IT team all have a voice in. There is no universally right answer.

In our client's case: they had Datto SaaS Protection running. Their Microsoft 365 data was untouched. Their shared drive files were mostly restorable from the previous day's backup, with about 4 hours of lost work. That's it. They didn't pay.

What Ransom Are We Talking About, Exactly?

People always want to know the number. Here's some context:

Business Size     | Typical Ransom Range     | Average Recovery Cost (No Backup)
5–25 employees    | $5,000 – $50,000         | $100,000+
25–100 employees  | $25,000 – $250,000       | $500,000+
100+ employees    | $100,000 – $2,000,000+   | $1,000,000+

Those recovery cost numbers aren't just the ransom — they include downtime, remediation labor, breach notification costs, regulatory fines, reputational damage, and lost business. The FBI's most recent data shows the average ransomware recovery cost is over $1.4 million when you factor everything in.

Hour 24–72: Recovery and the Insurance Nightmare

If you have cyber insurance, you should have called them at hour one. Most policies require prompt notification — delay can affect your coverage. Your carrier will assign a breach coach (usually an attorney, which is important for privilege protections) and walk you through the process.

What most business owners don't know until they're in this situation: cyber insurance doesn't just write you a check. They have requirements too. They'll want to know your security posture at the time of the incident. They'll ask about your EDR coverage, your backup practices, whether you had MFA enabled. If the answer to those questions is "no," they may pay reduced benefits — or deny the claim entirely.

We've seen this happen. It's not pleasant.

The Part That Actually Matters

Ransomware is not an "if" question anymore. It's a "when" question. The FBI processed over 2,800 ransomware complaints last year, representing over $59 million in losses — and that's only what was reported.

The good news is that this is one of the most preventable catastrophes in business IT. The combination of managed EDR, a SOC watching your environment, immutable backups, and MFA on all accounts eliminates the vast majority of successful ransomware attacks before they start.

Our client was back to normal by end of day Wednesday. The firm next door — who had the same attack hit them two months later — was down for three weeks and ended up paying $85,000. The only difference was whether they'd invested in the right protection beforehand.

If you want to know where you stand, we do a free security assessment. No sales pressure. Just an honest look at what you have and what you don't.

