The Night Everything Went Dark: A Ransomware Recovery Story
A first-person account of how a small business survived a ransomware attack, the lessons learned, and what they wish they'd done differently.
Leon Guy
Managing Director & Principal Engineer
This is the story of a ransomware attack on a small business. It's not a technical analysis or a vendor pitch. It's what actually happened, what it felt like, and what we learned.
The company asked us to share their story anonymously, hoping it might help other businesses avoid their mistakes.
Day 1: Discovery
6:47 AM
Sarah, the office manager, arrived early to get ahead on payroll. She turned on her computer, entered her password, and saw something she'd never seen before: a red screen with a countdown timer and a message.
YOUR FILES HAVE BEEN ENCRYPTED
The message demanded $75,000 in Bitcoin within 72 hours. After that, the price would double. After seven days, the decryption key would be destroyed.
Sarah tried another computer. Same screen. The server. Same screen.
She called the owner, Mark.
7:15 AM
Mark arrived to find Sarah in tears. He tried to stay calm, but his stomach was churning. Seventeen years of building this business, and now everything—customer records, financial data, project files, emails—was locked behind a ransom demand.
"Call Jeff," Mark said. Jeff was the IT guy who came when something broke.
8:30 AM
Jeff confirmed the worst: this was real ransomware, and it had spread to everything. Every computer, the server, the backup drive connected to the server.
"The backup drive too?" Mark asked, his voice cracking.
"It was connected to the network. They encrypted it first."
Mark sat down heavily. The backup was supposed to be their safety net.
10:00 AM
Mark called his lawyer, his insurance agent, and his accountant. The lawyer warned against paying: if the attackers turned out to be a sanctioned person or entity, the payment itself could violate OFAC regulations. The insurance agent said cyber coverage wasn't included in their policy; it was an add-on Mark had declined to save $1,200 per year. The accountant started calculating how much cash they could access.
The business employed 23 people. Without systems, they couldn't operate. Every day of downtime was burning cash.
Day 2: The Hard Choices
9:00 AM
We got the call from Jeff. "I'm in over my head. This needs specialists."
Mark was skeptical—he'd already spent money on IT support that clearly hadn't prevented this. But he had no other options.
We arrived within two hours. The first thing we did was assess the damage and isolate what remained.
Findings:
- Every Windows computer encrypted
- Primary server encrypted
- Backup drive encrypted
- Cloud email survived (Microsoft 365)
- Paper records in filing cabinets survived
- One employee's MacBook (used for design) survived
The attackers had been in the network for at least two weeks before triggering the encryption. They'd mapped everything, identified the backup system, and timed their attack for a Friday night when no one was watching.
2:00 PM
Mark faced a decision: Pay the ransom and hope for decryption keys, or don't pay and try to rebuild.
Arguments for paying:
- Faster potential recovery
- Might get data back
- $75,000 is less than weeks of downtime would cost
Arguments against paying:
- No guarantee of getting working keys
- Funding criminal enterprises
- Potential legal issues
- Might be targeted again as a "payer"
Mark asked us what we'd seen with other clients. Honestly, we told him: about 70% of businesses that pay do get working decryption keys. But decryption often fails for some files, and the process takes days anyway.
6:00 PM
Mark decided not to pay. "I can't stomach giving money to the people who did this. And there's no guarantee anyway."
We began planning the rebuild.
Days 3-7: The Rebuild
The Lucky Break
Digging through the wreckage, we found something: an old external drive in a closet. It was an office-wide backup from eight months ago. Not current, but not nothing.
Mark nearly cried when we told him.
The Grind
Day 3: New server hardware expedited. Begin rebuilding network infrastructure from scratch.
Day 4: Server arrives. Install operating system, begin configuring core services. Employees start calling customers to explain delays.
Day 5: Core line-of-business application reinstalled. Restore eight-month-old data. Begin reconciling eight months of changes from paper records and email.
Day 6: Most employees back online with new workstations. Discover customer database is missing recent records. Marketing manager works through weekend to reconstruct from email and invoices.
Day 7: Operations functional but not normal. Two employees doing nothing but data reconstruction.
The Ongoing Pain
Weeks 2-4: Continuous discovery of things that were lost or corrupted. Customer complaints about missing orders. Vendors confused about payment history.
Months 2-3: Finally reaching something like normal operations. Employees exhausted from working double-time to catch up.
The Final Accounting
Financial Impact
| Category | Cost |
|---|---|
| New hardware (servers, workstations) | $45,000 |
| Emergency IT services (us) | $38,000 |
| Employee overtime | $22,000 |
| Lost revenue (downtime + distraction) | $180,000 |
| Customer goodwill (estimated) | Incalculable |
| Total | $285,000+ |
Compare this to the $75,000 ransom demand. But remember: paying doesn't guarantee recovery, and the rebuild would have been necessary anyway to close the security gaps.
What They Lost Forever
- Eight months of detailed customer interaction history
- Project files for work in progress (some recreated, some lost)
- Financial records requiring reconstruction from bank statements
- Institutional knowledge stored only in files
- Two employees who quit, citing "too much stress"
The Lessons
Lesson 1: Connected Backups Aren't Backups
The backup drive was connected to the server, so anything that could encrypt the server could encrypt it too. The attackers had mapped it during the weeks they spent inside and hit it before everything else. A backup that an attacker with control of the server can reach is not a backup; it is just another copy waiting to be encrypted. An offline (air-gapped) copy, or an immutable copy that the storage itself refuses to modify or delete for a fixed period, would have made this a minor incident instead of a catastrophe.
What they do now: Multiple backup copies, including one that's completely offline and one that's immutable (the storage will not let anyone, administrators included, modify or delete it for 30 days). Two details matter as much as the copies themselves: the retention window has to outlast the attacker's dwell time, which here was at least two weeks, and a backup that has never been restored from is an untested assumption, so restores need to be exercised on a schedule.
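An immutable copy is only immutable if the storage enforces it in a way the attacker's stolen privileges cannot undo. The script below is an added example, not code from the original article or from Layth Solutions: it evaluates the responses that boto3's `get_bucket_versioning` and `get_object_lock_configuration` return for an S3-style backup bucket and flags the settings that would have left this company exposed (versioning off, no default retention, GOVERNANCE mode that an administrator can bypass, or a window shorter than the 30 days the article settles on). The bucket names and both sample responses are constructed so that it runs offline; the 30-day threshold is the article's, and the check assumes an empty dict stands for a bucket with no lock configuration at all.

```python
"""Offline sanity check for an object-locked backup bucket.

Added example (not the article's or Layth Solutions' code). It inspects the
dicts that boto3's get_bucket_versioning() and
get_object_lock_configuration() return, so it can be run here against
constructed responses. Assumption: an empty dict for the lock configuration
represents a bucket where Object Lock was never enabled.
"""
from typing import Dict, List

# The article's target: nothing in the backup set can be modified or deleted
# for 30 days. The attackers in the story sat in the network for at least
# two weeks before encrypting, so the lock has to outlast that dwell time.
MIN_RETENTION_DAYS = 30


def check_backup_bucket(versioning: Dict, lock_config: Dict) -> List[str]:
    """Return a list of findings; an empty list means the bucket passes."""
    findings: List[str] = []

    # Object Lock only protects versioned objects. With versioning suspended,
    # a new upload under the same key silently replaces the backup.
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled")

    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock is not enabled on the bucket")
        return findings  # nothing further to evaluate

    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if retention is None:
        findings.append("object lock is enabled but there is no default "
                        "retention rule; objects are only locked if each "
                        "upload sets its own retention")
        return findings

    # GOVERNANCE mode can be shortened or removed by any principal holding
    # s3:BypassGovernanceRetention, which is exactly the administrative
    # access a ransomware crew has once it owns the environment. COMPLIANCE
    # mode cannot be shortened by anyone, the account root included.
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"retention mode is {mode}, not COMPLIANCE")

    days = retention.get("Days")
    if days is None and retention.get("Years"):
        days = retention["Years"] * 365
    if days is None or days < MIN_RETENTION_DAYS:
        findings.append(f"default retention is {days} days, need at least "
                        f"{MIN_RETENTION_DAYS}")
    return findings


# Constructed sample responses; the shapes follow boto3's documented output.
GOOD_VERSIONING = {"Status": "Enabled"}
GOOD_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}},
}}

# The weak variant: lock switched on, but in bypassable GOVERNANCE mode with
# a 7-day window, on a bucket whose versioning was later suspended.
WEAK_VERSIONING = {"Status": "Suspended"}
WEAK_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}},
}}

if __name__ == "__main__":
    # Bucket names are constructed for the demo.
    for name, ver, lock in (("backups-good", GOOD_VERSIONING, GOOD_LOCK),
                            ("backups-weak", WEAK_VERSIONING, WEAK_LOCK)):
        problems = check_backup_bucket(ver, lock)
        print(f"{name}: {'PASS' if not problems else 'FAIL'}")
        for problem in problems:
            print(f"  - {problem}")
```

This checks the lock configuration, which is the part an attacker with stolen admin credentials cannot talk their way around once it is in COMPLIANCE mode. It does not check the other two things that decide whether the copy survives: that the credentials used to write backups cannot also delete them and are not the same ones that run the production server, and that someone has actually restored from the bucket recently.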
Lesson 2: Basic Security Wasn't in Place
The attackers got in through a phishing email. The employee clicked a link, entered credentials, and the attackers had a foothold. There was no multi-factor authentication. Once inside, they had weeks to explore because there was no monitoring.
What they do now: MFA on everything. Security awareness training. 24/7 monitoring. Endpoint detection that catches suspicious behavior.
Lesson 3: "Break-Fix" IT Isn't Enough
Jeff was good at fixing things that broke. But he wasn't proactively looking for security gaps, monitoring for threats, or ensuring backups actually worked. That wasn't what he was hired for.
What they do now: Managed IT services with security built in. Regular assessments. Proactive maintenance. 24/7 monitoring.
Lesson 4: Cyber Insurance Is Worth It
Mark declined cyber insurance to save $1,200 per year. The attack cost over $285,000. A cyber insurance policy would have covered a large part of the recovery costs, up to its limits, and just as importantly would have put a breach coach and incident response specialists on the phone on day one. One caveat: insurers increasingly require MFA, tested offline backups and endpoint protection before they will write a policy, so the controls in Lessons 1 and 2 are a prerequisite for coverage, not a substitute for it.
What they do now: Comprehensive cyber insurance with appropriate limits.
Lesson 5: You Can Survive This
The attack was devastating. There were moments when Mark wondered if the business would survive. But it did. Eighteen months later, they're back to pre-attack revenue with better systems and processes than before.
Mark's Message to Other Business Owners
"I thought ransomware happened to big companies or careless people. I didn't think of us as a target. We were just a small business doing our thing.
"I was wrong. The attackers don't care how big you are. They care whether you'll pay. Small businesses pay because we're desperate.
"If I could go back, I'd spend the money on prevention. The security improvements we made after the attack cost maybe $3,000 per month. That's nothing compared to what the attack cost.
"But I can't go back. All I can do is share this story and hope it convinces someone else to take security seriously before they have to learn the hard way."
Don't Learn the Hard Way
Mark's story is more common than you'd think. We get calls like this regularly. Sometimes we can help recover; sometimes the damage is already done.
The best time to prepare for ransomware was years ago. The second best time is now.
Layth Solutions has been protecting NYC businesses from cyber threats for 30 years. We implement the security controls that would have prevented Mark's attack—and we do it before disaster strikes, not after.
Request a free security assessment to find out where your business is vulnerable and what it would take to protect it.