Success Story #1

72-Hour Ransomware Recovery

7 offices. Complete encryption. 200+ users. Zero ransom paid. This is the story of rebuilding an entire organization's IT infrastructure from scratch in three days.

7 offices rebuilt
72 hrs to full operations
200+ users restored
$0 ransom paid
The Situation

Everything was encrypted.

At 6:14 AM on a Monday, we got the call every IT provider dreads. A mid-sized organization with seven offices across the Bay Area woke up to find every screen displaying the same message: a ransom demand for $450,000 in Bitcoin.

The attack was thorough. LockBit ransomware had hit their domain controllers first, then spread to every domain-joined system. File servers, application servers, workstations—all encrypted. Their network-attached backup storage? Domain-joined for convenience. Also encrypted.

By the time we arrived at 7:30 AM, the situation was clear: this wasn't a recovery scenario. This was a rebuild.

The Timeline

72 hours, start to finish

Monday, 6:14 AM

The Call

Client's IT contact calls. Every screen shows a ransom demand. Active Directory is down. Email is dead. File servers encrypted. They can't log into anything.

Monday, 7:30 AM

Assessment

We arrive on-site. The damage is complete—LockBit variant hit the domain controllers first. Every server, every workstation encrypted. Backups? The NAS was domain-joined. Also encrypted.

Monday, 10:00 AM

The Decision

Client leadership meets. Pay $450,000 ransom with no guarantee? Or rebuild from scratch? They choose to rebuild. We get to work.

Monday, 2:00 PM

New Infrastructure

Emergency hardware procurement. Two domain controllers, new NAS, clean switches. We start building a completely new Active Directory forest—no contamination from the old environment.

Tuesday, 8:00 AM

AD Goes Live

New Active Directory is running. We begin migrating user accounts from HR records—names, departments, group memberships rebuilt from scratch.

Tuesday, 6:00 PM

Branch Offices

VPN tunnels established to all 7 locations. New domain controllers replicated. Each office is brought back online.

Wednesday, 9:00 AM

User Migration

Staff begin logging in with temporary passwords. We're imaging workstations as fast as we can—prioritizing by department criticality.

Wednesday, 11:00 PM

Email Restored

Microsoft 365 integration complete. Email flowing again. Users can communicate for the first time in 60+ hours.

Thursday, 8:00 AM

Operational

All critical systems online. 200+ users working. File recovery from cloud syncs beginning. Business is running.
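The Tuesday and Wednesday entries above describe rebuilding user accounts from HR records in a brand-new forest and handing out temporary passwords. The script below is an added example of how that provisioning step can be done; it is not the provider's own tooling. It assumes an HR export with the hypothetical columns EmployeeId, FirstName, LastName, Department and Title, a target OU that already exists in the new forest, and a workstation with the ActiveDirectory PowerShell module.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the provider's script: rebuild user accounts and department
# groups in a fresh AD forest from an HR CSV. Column names are assumed.
param(
    [Parameter(Mandatory)] [string] $HrCsvPath,
    [Parameter(Mandatory)] [string] $UsersOU,      # e.g. "OU=Staff,DC=corp,DC=example" (hypothetical)
    [string] $UpnSuffix = "corp.example"           # hypothetical UPN suffix
)

Import-Module ActiveDirectory

function New-TemporaryPassword {
    # 16 random characters from a set without look-alike glyphs; the account is
    # flagged so the user must replace it at first logon.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%'
    $bytes = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$created = @()
foreach ($row in Import-Csv -Path $HrCsvPath) {
    # sAMAccountName: first initial + surname, lower-case, max 20 chars
    $sam = ("{0}{1}" -f $row.FirstName.Substring(0, 1), $row.LastName).ToLower() -replace '[^a-z0-9]', ''
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    if (Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping $sam - already exists (duplicate HR row or name collision)"
        continue
    }

    $tempPw = New-TemporaryPassword
    New-ADUser -Name "$($row.FirstName) $($row.LastName)" `
        -GivenName $row.FirstName -Surname $row.LastName `
        -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" `
        -EmployeeID $row.EmployeeId -Department $row.Department -Title $row.Title `
        -Path $UsersOU `
        -AccountPassword (ConvertTo-SecureString $tempPw -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true

    # One security group per department, created on first sight, so file-share
    # ACLs in the new environment can be granted to groups rather than users.
    $groupName = "Dept-$($row.Department -replace '\s', '')"
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue)) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $UsersOU
    }
    Add-ADGroupMember -Identity $groupName -Members $sam

    $created += [pscustomobject]@{
        SamAccountName = $sam
        Department     = $row.Department
        TempPassword   = $tempPw
    }
}

# Emit the list for the help desk to distribute out of band (phone or in person,
# not e-mail, which may not exist yet). Do not write it to a shared drive.
$created
```

Running it as `.\Rebuild-Users.ps1 -HrCsvPath .\hr-export.csv -UsersOU "OU=Staff,DC=corp,DC=example"` returns one object per created account. The HR file is the source of truth here because, as the story notes, nothing from the old directory could be trusted or read; building group membership from department data rather than from the old forest keeps the new environment free of anything the attackers may have added.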

The Outcome

Back in business. Stronger than before.

By Thursday morning—72 hours after the attack—all 200+ employees were working. Email was flowing. Critical applications were running. The business was operational.

More importantly, the new infrastructure was more secure than what it replaced. Isolated backups. Proper network segmentation. Multi-factor authentication everywhere. The attack became an opportunity to do things right.

The attackers never got paid. Some of the client's data was lost, but most was recoverable from cloud syncs and user backups. The business survived.

Lessons Learned

What this taught us

Backup isolation matters

Their NAS was domain-joined for easy access. When AD fell, so did the backups. Isolated, offline, or air-gapped backups survive ransomware.

Know your rebuild path

We had a plan because we'd done this before. Knowing the exact steps saved 24+ hours of figuring things out.

Hardware relationships matter

Getting enterprise servers same-day requires relationships with distributors. We had them. The client didn't have to wait for shipping.

Cloud sync saved data

While file servers were encrypted, user files synced to OneDrive were recoverable. Hybrid cloud paid off.

Document everything offline

Network diagrams, server configurations, group policies—all encrypted. Keeping offline documentation would have saved hours.
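The lesson above is that the configuration needed for a rebuild (server inventory, group policies, directory structure) was itself encrypted. The script below is an added example, not the provider's own, of exporting that information on a schedule to a folder meant for removable media. It assumes the ActiveDirectory and GroupPolicy PowerShell modules are installed, that the account running it can read the directory and GPOs, and that the output path is a removable drive that is disconnected after the copy; the path and file names are made up for the example.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example, not the provider's script: dump the AD facts a rebuild needs to
# a folder that will be taken offline. Output root is a hypothetical USB drive.
param([string] $OutRoot = "E:\ad-offline-docs")

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$out   = Join-Path $OutRoot $stamp
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Group Policy: a restorable backup (Restore-GPO / Import-GPO can consume it)
#    plus a human-readable report of every GPO for when no domain exists yet.
$gpoDir = Join-Path $out 'gpo-backup'
New-Item -ItemType Directory -Path $gpoDir -Force | Out-Null
Backup-GPO -All -Path $gpoDir | Out-Null
Get-GPOReport -All -ReportType Html -Path (Join-Path $out 'all-gpos.html')

# 2. Forest and domain facts: functional levels, FSMO role holders, sites, DCs
Get-ADForest |
    Select-Object Name, ForestMode, SchemaMaster, DomainNamingMaster, Sites |
    ConvertTo-Json -Depth 3 | Set-Content (Join-Path $out 'forest.json')
Get-ADDomain |
    Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster |
    ConvertTo-Json | Set-Content (Join-Path $out 'domain.json')
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site, IsGlobalCatalog, OperatingSystem |
    Export-Csv (Join-Path $out 'domain-controllers.csv') -NoTypeInformation

# 3. OU tree, users, groups and memberships: enough to rebuild accounts and the
#    groups that file-share ACLs depend on
Get-ADOrganizationalUnit -Filter * |
    Select-Object Name, DistinguishedName |
    Export-Csv (Join-Path $out 'ous.csv') -NoTypeInformation
Get-ADUser -Filter * -Properties Department, Title, EmployeeID, MemberOf |
    Select-Object SamAccountName, GivenName, Surname, Department, Title, EmployeeID, Enabled,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } } |
    Export-Csv (Join-Path $out 'users.csv') -NoTypeInformation
Get-ADGroup -Filter * |
    Select-Object Name, GroupScope, GroupCategory, DistinguishedName |
    Export-Csv (Join-Path $out 'groups.csv') -NoTypeInformation

# 4. Server inventory, so replacement hardware can be ordered against a known list
Get-ADComputer -Filter { OperatingSystem -like '*Server*' } -Properties OperatingSystem, IPv4Address, Description |
    Select-Object Name, OperatingSystem, IPv4Address, Description |
    Export-Csv (Join-Path $out 'servers.csv') -NoTypeInformation

# 5. Integrity manifest: lets the responder confirm the copy was not tampered with
Get-ChildItem -Path $out -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv (Join-Path $out 'MANIFEST.sha256.csv') -NoTypeInformation

Write-Output "Export complete: $out"
```

The output is as sensitive as the directory itself (it lists every account, group and policy), so it belongs in the same custody as the offline backups, not on a network share. The point of writing to removable media rather than a domain-joined NAS is the same as the first lesson above: a copy that any domain account can reach is a copy the ransomware can reach.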

Don't wait for the ransomware.

Let's talk about protecting your organization before the attack, not after. Security assessments, backup strategies, incident response planning.