
Ransomware Hit Your Business. Now What?

September 19, 2022 · Blackhount · 6 min read

We were called in for incident response at a small medical billing company after ransomware encrypted their file server. They had backups - but the backups had also been encrypted. The attackers had been sitting in the network for 19 days before triggering the payload.

That 19-day dwell time is normal. Modern ransomware operators don't encrypt immediately - they spend weeks mapping the network, escalating privileges, identifying and destroying backups, and maximizing leverage before you know anything is wrong.

The Modern Ransomware Kill Chain

  1. Initial access - phishing email, exposed RDP, or vulnerable VPN appliance
  2. Persistence - install a backdoor, create new admin accounts
  3. Lateral movement - spread from the initial foothold to more valuable systems
  4. Discovery - map the network and locate backup systems and storage
  5. Exfiltration - steal data before encrypting (double extortion leverage)
  6. Impact - encrypt everything, destroy shadow copies, drop ransom note

A Real Finding: Backup Destruction Before Encryption

In the incident we responded to, the attacker ran these commands silently before triggering encryption - destroying every local recovery option:

:: Commands executed by ransomware payload to destroy local backups
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} recoveryenabled No
wbadmin delete catalog -quiet

:: Then mapped all network drives and encrypted them
net use Z: \\fileserver\shared /persistent:yes
:: Encryption binary then ran against all mapped drives

By the time the ransom note appeared on screen, every Windows shadow copy and local backup catalog was gone. The only recovery path was their cloud backup - which fortunately was stored offsite and hadn't been touched.
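The same commands are a reliable detection opportunity, because they show up in process-creation telemetry (Windows Security event 4688 or Sysmon event ID 1) minutes before encryption starts. The script below is an added example, not Blackhount's tooling or anything from the incident: it assumes process-creation events have already been exported to a simple pipe-delimited `time|host|user|command` form, and the host names, user names and timestamps in the sample events are constructed for illustration. A single hit is worth a ticket; two or more distinct indicators from one host inside a ten-minute window is the pre-encryption pattern described above and is escalated.

```python
"""Flag backup-destruction commands in process-creation logs.

Added example (not Blackhount's code). Assumes events already exported as
'<ISO time>|<host>|<user>|<command line>'; sample data below is constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per command from the incident write-up. Case-insensitive and
# tolerant of the .exe suffix and extra arguments between the keywords.
INDICATORS = {
    "vss_delete": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_recovery_off": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I),
    "wbadmin_catalog_delete": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
}

# Distinct indicators from one host within this window are escalated.
WINDOW = timedelta(minutes=10)

# Constructed sample events (hypothetical host/user names and times).
SAMPLE_EVENTS = [
    r"2022-08-30T02:11:04|BILLING-FS01|svc_backup|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"2022-08-30T02:11:05|BILLING-FS01|svc_backup|wmic shadowcopy delete",
    r"2022-08-30T02:11:07|BILLING-FS01|svc_backup|bcdedit /set {default} recoveryenabled No",
    r"2022-08-30T02:11:09|BILLING-FS01|svc_backup|wbadmin delete catalog -quiet",
    r"2022-08-30T02:11:30|BILLING-FS01|svc_backup|net use Z: \\fileserver\shared /persistent:yes",
    r"2022-08-30T09:00:00|WS-RECEPTION|jdoe|C:\Windows\System32\notepad.exe",
    r"2022-08-30T13:45:12|ADMIN-PC|itadmin|vssadmin list shadows",  # benign admin query, must not fire
]


def classify(cmd: str) -> list[str]:
    """Return the indicator names matched by one command line (empty if benign)."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def parse_event(line: str) -> dict:
    """Parse one exported log line into a dict with a real datetime."""
    time_s, host, user, cmd = line.split("|", 3)
    return {"time": datetime.fromisoformat(time_s), "host": host, "user": user, "cmd": cmd}


def correlate(events: list[dict]) -> list[dict]:
    """Group indicator hits per host and rate severity.

    'high'     = at least one indicator seen on the host
    'critical' = two or more distinct indicators within WINDOW on the same host
    """
    hits: dict[str, list] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        for name in classify(ev["cmd"]):
            hits[ev["host"]].append((ev["time"], name, ev["user"]))

    alerts = []
    for host, items in hits.items():
        # Sliding window over the time-ordered hits: largest set of distinct
        # indicators that fit inside WINDOW, anchored at each hit in turn.
        best: set[str] = set()
        for i, (t0, _, _) in enumerate(items):
            in_window = {n for t, n, _ in items[i:] if t - t0 <= WINDOW}
            if len(in_window) > len(best):
                best = in_window
        alerts.append({
            "host": host,
            "severity": "critical" if len(best) >= 2 else "high",
            "indicators": sorted(best),
            "first_seen": items[0][0],
            "users": sorted({u for _, _, u in items}),
        })
    return alerts


def scan(lines: list[str]) -> list[dict]:
    """Parse exported lines and return one alert per affected host."""
    return correlate([parse_event(line) for line in lines])


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] {a['host']} first_seen={a['first_seen']:%Y-%m-%d %H:%M:%S} "
              f"indicators={','.join(a['indicators'])} users={','.join(a['users'])}")
```

Run against the constructed sample, the file server produces one critical alert carrying all four indicators and the backup service account, while the administrator's `vssadmin list shadows` on another host produces nothing. In practice the same rule belongs in your EDR or SIEM as a scheduled or streaming query; the point is that the ten minutes between these commands and the ransom note is the last moment an automated response (isolate the host, disable the account) can still preserve shadow copies on machines the attacker has not reached yet.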

What To Do in the First 30 Minutes

  1. Disconnect immediately. Pull the ethernet cable, disable Wi-Fi. Do not shut down - forensic evidence may still be in memory.
  2. Don't pay yet. Call your cyber insurance provider first - they have incident response resources and professional ransomware negotiators.
  3. Check offline backups. Are they intact and completely air-gapped? This determines your recovery options.
  4. Contact the FBI. They maintain decryption keys for known strains and want the intelligence. No cost, no obligation.

Recovery for the medical billing company took 11 days, cost approximately $60,000 in IR fees and downtime, and required notifying 800 patients under HIPAA. Prevention would have cost a fraction of that.

Have questions about your security posture?

Blackhount offers free security assessments for Idaho businesses. No commitment, no jargon - just honest answers about what we find.
