
Ransomware Hit Our Client on a Friday Night. Here’s Exactly What Happened.

Integration Technologies
Managed IT · April 10, 2026

It was 11:47pm on a Friday when the alert came in. A healthcare client in Orange County — 80 employees, two locations — had ransomware spreading across their network. By the time their office manager noticed something was wrong and called us, four servers were already encrypted.

By Saturday afternoon, less than 18 hours later, they were fully operational. Zero data loss. Zero ransom paid.

This is what actually happened — and what made the difference.

The Attack

The entry point was a phishing email that had landed in a billing coordinator’s inbox three days earlier. It looked like a vendor invoice. She opened the attachment, nothing seemed to happen, and she moved on. The malware sat dormant for 72 hours, a delay that is common in modern ransomware, then activated on a Friday night, the time of week when detection and response are slowest.

Within 40 minutes of activation, it had encrypted files on the local workstation, moved laterally across the network using harvested credentials, and reached four of their seven servers before our NOC alert triggered.

Why the NOC Alert Fired

We monitor file system activity patterns across all managed endpoints. Mass file modification, a single process rewriting or renaming far more files than any normal workload does in a short window, is what ransomware encryption looks like from a monitoring perspective, and it triggers an immediate alert regardless of the time. Our NOC engineer was on the phone with the client’s emergency contact within 6 minutes of the alert firing.
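To make the detection logic concrete, here is an added example (not Integration Technologies’ NOC tooling) of a mass-file-modification detector. It replays a constructed stream of file events and flags any process that touches more than a threshold number of distinct files inside a sliding window, reporting any new extension it renamed files to. The window length, threshold, process names and paths are all illustrative assumptions; a real deployment would feed this from an EDR, Sysmon or auditd event source and tune the threshold per host role.

```python
"""Mass-file-modification detector.

Added example, not the NOC's production tooling.  Replays a constructed
stream of file events and alerts on any process that modifies or renames
more than THRESHOLD distinct files within a sliding WINDOW_SECONDS window.
All names, paths and numbers below are illustrative assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import os

WINDOW_SECONDS = 60   # sliding window length (assumed value)
THRESHOLD = 50        # distinct files per window that trips the alert (assumed value)


@dataclass(frozen=True)
class FileEvent:
    ts: float           # seconds since epoch
    pid: int
    process: str
    action: str         # "modify" or "rename"
    path: str
    new_path: str = ""  # only set for renames


def _new_extension(ev):
    """Extension a rename introduced ('' if not a rename or unchanged)."""
    if ev.action != "rename" or not ev.new_path:
        return ""
    old_ext = os.path.splitext(ev.path)[1].lower()
    new_ext = os.path.splitext(ev.new_path)[1].lower()
    return new_ext if new_ext and new_ext != old_ext else ""


def detect_mass_modification(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one alert per (pid, process) the first time it crosses the threshold."""
    recent = defaultdict(deque)   # (pid, process) -> deque of (ts, path, new_ext)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.pid, ev.process)
        if key in alerted:
            continue
        q = recent[key]
        q.append((ev.ts, ev.path, _new_extension(ev)))
        # Drop events that have aged out of the window.
        while q and q[0][0] < ev.ts - window:
            q.popleft()
        distinct = {p for _, p, _ in q}
        if len(distinct) >= threshold:
            alerted.add(key)
            alerts.append({
                "process": ev.process,
                "pid": ev.pid,
                "window_start": q[0][0],
                "fired_at": ev.ts,
                "files_in_window": len(distinct),
                "new_extensions": sorted({e for _, _, e in q if e}),
            })
    return alerts


def build_sample_events():
    """Constructed events: normal editing, a slow sync job, and a ransomware burst."""
    events = []
    # A user saving a few documents over ten minutes: well under the threshold.
    for i in range(8):
        events.append(FileEvent(800.0 + i * 75, 2210, "WINWORD.EXE", "modify",
                                rf"C:\Users\billing\Documents\letter_{i}.docx"))
    # A sync agent touching 45 files, but only one every 20 seconds.
    for i in range(45):
        events.append(FileEvent(i * 20.0, 3001, "sync.exe", "modify",
                                rf"C:\Sync\report_{i:03d}.xlsx"))
    # Ransomware: 120 files renamed to .locked in 30 seconds.
    for i in range(120):
        src = rf"\\fs01\billing\claims\claim_{i:04d}.pdf"
        events.append(FileEvent(1000.0 + i * 0.25, 4412, "invoice_viewer.exe",
                                "rename", src, src + ".locked"))
    return events


if __name__ == "__main__":
    for alert in detect_mass_modification(build_sample_events()):
        print(alert)
```

Run as a script it prints a single alert for `invoice_viewer.exe`, fired on the 50th distinct file about 12 seconds into the burst; the editing and sync workloads never cross the threshold because their writes are spread out in time. In production you would also allowlist known bulk writers such as backup and AV agents, and watch for the second signal the example records, a burst of renames to one new extension.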

The first call lasted 4 minutes. We confirmed the attack, instructed them to physically disconnect the two affected workstations from the network, and began our incident response process.

The Recovery

This is where the preparation paid off. Eighteen months earlier, we had built their disaster recovery plan with a specific focus on ransomware scenarios. That plan included:

  • Air-gapped backups — their backup environment was completely isolated from the production network. The ransomware never reached it.
  • Immutable snapshots — backups were configured as write-once for their retention period, meaning even if the ransomware had reached the backup server, it couldn’t have modified or deleted existing snapshots. Immutability protects against a compromised production network; it does not protect against an attacker who obtains the backup platform’s own administrative credentials, so those must be managed separately from production accounts.
  • Tested recovery procedures — we had run a full DR test six months prior. The runbook existed, the steps were documented, and our engineers had executed them before under test conditions.
  • Defined RTO — the client had agreed to a Recovery Time Objective of 8 hours for critical systems. We beat it.
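The “tested recovery procedures” item is where most DR plans fall down: a restore that completes is not the same as a restore that is correct. The following added example (not the firm’s DR runbook) shows the check a DR test should end with: a SHA-256 manifest recorded at backup time, and a restore verification that reports missing, extra and altered files. The directory layout and file contents are constructed in a temporary directory purely for illustration; the manifest itself should be stored alongside the immutable snapshots so it cannot be rewritten with the data.

```python
"""Backup manifest and restore verification.

Added example, not the provider's own DR tooling.  build_manifest() records
a SHA-256 per file at backup time; verify_restore() recomputes hashes on a
restored tree and reports what is missing, extra or altered.  demo() builds
a constructed scenario in a temporary directory: a clean restore, then one
where ransomware has rewritten one file and renamed another.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative, '/'-separated) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    altered = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {
        "ok": not (missing or extra or altered),
        "missing": missing,
        "extra": extra,
        "altered": altered,
    }


def demo():
    """Constructed scenario: returns (clean_result, tampered_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Pretend production data at backup time (constructed sample files).
        src = Path(tmp, "prod")
        (src / "billing").mkdir(parents=True)
        (src / "billing" / "claim_0001.pdf").write_bytes(b"%PDF-1.4 claim 1")
        (src / "billing" / "claim_0002.pdf").write_bytes(b"%PDF-1.4 claim 2")
        (src / "notes.txt").write_text("intact")
        manifest = build_manifest(src)

        # A faithful restore passes verification.
        good = Path(tmp, "restore_good")
        shutil.copytree(src, good)
        clean = verify_restore(manifest, good)

        # A restore taken from a snapshot ransomware had touched does not:
        # one file rewritten in place, one renamed to a new extension.
        bad = Path(tmp, "restore_bad")
        shutil.copytree(src, bad)
        (bad / "billing" / "claim_0002.pdf").write_bytes(b"ENCRYPTED")
        (bad / "billing" / "claim_0001.pdf").rename(bad / "billing" / "claim_0001.pdf.locked")
        tampered = verify_restore(manifest, bad)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore:", clean)
    print("tampered restore:", tampered)
```

Run as a script, the clean restore reports `ok: True` with empty lists, and the tampered one reports `claim_0002.pdf` as altered, `claim_0001.pdf` as missing and `claim_0001.pdf.locked` as extra. That last pair is exactly the signature of a snapshot taken after encryption began, which is why the manifest must be captured at backup time and why the restore point is chosen from before the first alert.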

We restored the four encrypted servers from the previous night’s backup — a recovery point of approximately 14 hours. For this client, that meant reprocessing about two hours of billing entries that had been entered after the last backup completed. Everything else was intact.

What Would Have Happened Without a DR Plan

We’ve seen the alternative. Clients who come to us after an incident without proper backups face a brutal choice: pay the ransom (with no guarantee of recovery) or rebuild from scratch. Rebuilding a 7-server environment from scratch for an 80-person healthcare practice typically takes 2–4 weeks and costs $50,000–$150,000 in labor, hardware, and lost productivity. Many practices never fully recover.

The ransom demand in this case was $340,000. The client paid nothing.

What This Means for Your Business

A few things to take from this story:

  • Ransomware doesn’t announce itself. It sits and waits for the worst possible moment.
  • The backup you think you have may not be the backup you actually need. Air-gapped, immutable, tested backups are a different thing entirely from a standard backup job.
  • A DR plan you have never tested is not a plan. It’s a document.
  • Response time matters enormously. The difference between 4 encrypted servers and 7 was 6 minutes.

If you’re a business in Orange County or Southern California and you’re not certain your backup and disaster recovery setup would hold up to a ransomware attack, we’ll assess it for free. No sales pitch — just an honest evaluation from engineers who have run real recoveries.

Integration Technologies Engineering Team
Written by the engineers at Integration Technologies — an Irvine-based managed IT provider serving businesses across Orange County and Southern California for over 15 years.
