The Canadian SMB Ransomware Response Playbook: What to Do in the First 72 Hours

It's 7:43 a.m. on a Tuesday. Your office manager calls: half the computers won't boot, there's a ransom note on every screen, and your file server is throwing errors. You have payroll to run on Friday, a client presentation at noon, and absolutely no idea what to do first.

This is no longer a hypothetical scenario for Canadian small and medium-sized businesses. The Canadian Centre for Cyber Security identifies ransomware as the top cybercrime threat to Canadian organizations, and attackers have deliberately shifted their focus toward SMBs because they know most don't have a tested response plan.

The 2026 Verizon Data Breach Investigations Report confirmed a landmark shift: vulnerability exploitation has overtaken stolen credentials as the number-one initial access vector, but the end payload is still overwhelmingly ransomware, and the tactics have evolved. Double extortion is now the default: attackers exfiltrate your data first, then encrypt it. They don't just hold your files hostage; they threaten to publish your client records, employee data, and financial information publicly unless you pay.

The first 72 hours of a ransomware attack are the most consequential. The decisions your team makes in that window determine whether you recover in days or months, and whether a bad day becomes a business-ending event. This playbook gives you a clear, actionable sequence from the moment you discover the attack through containment, notification, recovery, and the hard conversations about what happens next.

GAM Tech has supported Canadian SMBs through ransomware incidents across Calgary, Edmonton, Vancouver, Toronto, and beyond since 2012. What follows is the structured approach our incident response team uses, adapted here so your business can prepare before the worst happens.

Understanding What You're Actually Dealing With

Ransomware in 2026: It's Not What It Used to Be

Early ransomware was blunt: it encrypted your files and demanded Bitcoin. Modern ransomware is a layered extortion operation. By the time you see the ransom note, attackers have typically been inside your network for days or weeks, quietly mapping your environment, identifying your backups, and exfiltrating your most sensitive data.

The 2026 Mandiant M-Trends report recorded a dramatic acceleration in attack speed: the median time from initial access to secondary threat group handoff (the moment attackers escalate from reconnaissance to active exploitation) has collapsed from over eight hours in 2022 to 22 seconds in 2025. This means your window to catch an intrusion before it becomes a full ransomware deployment is vanishingly small without continuous monitoring.

For Canadian SMBs, three factors compound the risk:

  • Canada's average data breach cost rose to CA$6.98 million in 2025, a 10.4% year-over-year increase at a time when global breach costs were declining, according to IBM's Cost of a Data Breach Report 2025.
  • PIPEDA and provincial privacy legislation require breach notification to affected individuals and the Office of the Privacy Commissioner, with penalties for failure to report.
  • Cyber insurance carriers are increasingly scrutinizing incident response procedures when adjudicating claims; a disorganized response can affect your coverage.

The Three Attack Patterns You'll Most Likely Face

Understanding the entry point matters because it determines containment strategy. The three most common vectors hitting Canadian SMBs in 2026 are:

  • Phishing and business email compromise (BEC): A credential harvested from a spoofed Microsoft 365 login page gives attackers a foothold in your email environment. From there they move laterally.
  • Unpatched vulnerabilities: The Verizon 2026 DBIR's landmark finding: exploitation of known unpatched vulnerabilities is now the top initial-access vector. This includes VPN appliances, remote desktop exposure, and outdated server software.
  • Supply chain and third-party access: Attackers compromise a vendor or software provider to reach their actual targets. This is particularly relevant for businesses using cloud-managed services or shared IT environments.

The 72-Hour Response Framework: Hour by Hour

Hours 0–4: Immediate Containment

The first instinct when ransomware hits is often to try to fix things: restart servers, investigate the ransom note, or call the person who 'knows computers.' Resist all of it. The priority in the first four hours is one thing: stop the spread.

Step 1: Isolate affected systems immediately. Disconnect infected machines from the network: physically unplug ethernet cables and disable Wi-Fi. Do not shut down the machines entirely; forensic memory analysis may be needed later, and some encryption processes can be interrupted. Isolate, don't power off.

Step 2: Contact your IT provider. If you have a managed services provider, call their emergency line right now. Every minute of delay allows the ransomware to propagate to additional systems. At GAM Tech, our 5-minute response guarantee means your call gets answered by our internal team, never a call centre, any time of day or night.

Step 3: Identify and protect your backups. Ransomware specifically targets backup systems. Before doing anything else, verify whether your backups are intact and offline. Immutable backups, those that cannot be modified or deleted even by an administrator, are your most valuable recovery asset.

Step 4: Preserve evidence. Do not run antivirus scans, do not wipe systems, and do not attempt manual recovery before your IT provider has assessed the environment. Hasty remediation destroys forensic evidence needed for insurance claims, regulatory reporting, and understanding the attack's scope.

Step 5: Identify your incident response contacts. You should have these numbers already: your IT provider, your cyber insurance carrier's claims line, and legal counsel if you handle sensitive regulated data (healthcare records, legal files, financial data). If you don't have these ready, now is a chaotic time to find them.

Hours 4–24: Assessment and Communication

Once immediate containment is underway, your focus shifts to understanding the scope of the incident and managing communication.

Scope assessment: Your IT provider will conduct a forensic assessment to determine which systems are affected, what data may have been exfiltrated, when the attack began (attackers often persist for weeks before triggering the ransomware), and whether the attacker still has active access.

Internal communication: Establish a clear command structure. One person, typically the CEO, owner, or operations lead, should be the single decision-maker. Conflicting instructions from multiple people during an active incident create dangerous delays. Keep internal communications off affected systems; use personal mobile phones or a secondary email platform.

Vendor and partner notification: If your operations are connected to suppliers, partners, or clients through shared systems or data feeds, you may need to notify them to prevent lateral spread. Your IT provider should advise on this.

Do not pay yet. The decision to pay a ransom is complex, legally significant, and should never be made in the first 24 hours. Paying does not guarantee you will receive a working decryption key. In some cases, where the attacker is a sanctioned entity, payment can expose your business to federal penalties. Contact your legal counsel and cyber insurance carrier before any ransom decision.

Hours 24–72: Regulatory Obligations and Recovery Planning

By the 24-hour mark, you should have a clearer picture of what was compromised. This is when regulatory and legal obligations come into focus.

PIPEDA Breach Notification Requirements

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), if a security breach involves personal information and creates a real risk of significant harm to individuals, you are required to:

  1. Notify affected individuals as soon as feasible
  2. Report the breach to the Office of the Privacy Commissioner of Canada
  3. Maintain records of all breaches for at least 24 months

'Real risk of significant harm' is broadly interpreted and includes financial harm, reputational harm, identity theft, and loss of employment or business opportunities. When in doubt, report. The cost of a penalty for failure to report significantly exceeds the cost of reporting unnecessarily.

Provincial privacy laws in Alberta (PIPA), British Columbia (PIPA BC), and Québec (Law 25) have additional requirements that may apply. Your legal counsel and IT provider should help you determine which obligations apply to your specific situation.

Cyber Insurance: Activating Your Policy

If you have cyber insurance, activate your policy immediately, ideally within the first 24 hours. Most policies require timely notification as a condition of coverage. Your insurer will typically assign a breach coach (often legal counsel) who coordinates the response and helps manage notification obligations.

Important: your insurer may also have preferred vendors for forensic investigation and incident response. Engaging non-approved vendors can sometimes complicate the claims process. Review your policy or call your broker before making major recovery vendor decisions.

Recovery: Getting Back to Operations

Clean Recovery vs. Fast Recovery

There is a fundamental tension in ransomware recovery: pressure to restore operations quickly versus the need to ensure the environment is genuinely clean before bringing systems back online. Rushing restoration without eliminating the attacker's persistence mechanisms results in reinfection, sometimes within hours.

A proper recovery sequence looks like this:

  1. Forensic investigation complete: Identify entry point, persistence mechanisms, and full scope of compromise
  2. Attacker access eliminated: Rotate all credentials, patch the exploited vulnerability, remove malware and backdoors
  3. Clean environment confirmed: Deploy endpoint detection and response tools to verify the environment is clean before restoration
  4. Restore from clean backups: Restore from the most recent backup that pre-dates the attacker's initial access, not the most recent backup, which may itself be compromised
  5. Staged restoration: Bring systems back online one segment at a time, monitoring for signs of reinfection at each stage

When You Don't Have Adequate Backups

If your backups are compromised, outdated, or incomplete, your options narrow significantly:

  • Decryption tools: For some ransomware variants, free decryption tools are available through the No More Ransom project (nomoreransom.org), a partnership between law enforcement agencies and cybersecurity companies. Your IT provider can identify the specific ransomware variant and check tool availability.
  • Negotiation: Ransomware groups operate with a perverse degree of professionalism. Negotiation is possible and can reduce the ransom amount. This should only be conducted through your legal counsel or a specialized incident response firm, never directly by your team.
  • Rebuild: In some cases, rebuilding from scratch with clean hardware, fresh OS installations, and recovered data from unaffected sources is faster and more reliable than attempting decryption.

The Cloud Misconception

Many Canadian SMBs operate under the assumption that because their data is in Microsoft 365 or Google Workspace, they don't need to worry about ransomware. This is a dangerous misunderstanding. Ransomware that compromises a user's credentials can encrypt synchronized files in OneDrive and SharePoint, propagate through connected applications, and leverage Microsoft 365 email to spread to contacts.

Cloud-based data requires cloud-specific backup solutions: third-party backup tools that create independent, immutable copies of your Microsoft 365 or Google Workspace data at a configurable recovery point. Native Microsoft 365 retention policies are not a substitute for backup.

The Post-Incident Review: Learning What Needs to Change

Why Most Businesses Skip This Step (and Pay for It Later)

After the crisis passes, the instinct is to move on: get back to normal, let the team decompress, and put the experience behind you. This is understandable and almost always a mistake. Ransomware incidents reveal specific gaps in security posture, backup architecture, and response readiness. A structured post-incident review translates that painful experience into durable improvement.

What a Post-Incident Review Should Cover

  • Initial access: How did the attacker get in? What vulnerability was exploited, and is it fully patched? Are there similar vulnerabilities elsewhere in the environment?
  • Dwell time: How long was the attacker inside the network before triggering the ransomware? What monitoring gaps allowed them to remain undetected?
  • Backup integrity: Were backups intact and sufficient? What is the recovery point objective (RPO): how much data was lost? What is the recovery time objective (RTO): how long did restoration take compared to your target?
  • Response coordination: Were roles and responsibilities clear? Did the team know who to call and what to do? Were communication channels functional?
  • Insurance and legal: Was the claims process smooth? Were there any gaps in coverage? Were notification obligations met within required timeframes?

Mandatory Actions After Every Ransomware Incident

Regardless of how the incident resolved, these changes should be implemented before the environment is considered restored:

  1. Credential rotation: All passwords for all accounts, not just those directly involved, should be rotated. Assume all credentials in the environment are compromised.
  2. MFA everywhere: If multi-factor authentication was not enforced on all accounts and remote access points, implement it before bringing systems back online. Phishing-resistant MFA (passkeys, hardware keys) is preferable to SMS-based codes.
  3. Endpoint detection and response (EDR): If you were relying on traditional antivirus, replace it with an EDR platform. EDR provides behavioural monitoring that can detect attackers moving laterally before they trigger the ransomware payload.
  4. Backup architecture review: Implement the 3-2-1-1 backup rule: three copies of data, on two different media types, with one offsite copy and one immutable (air-gapped or object-locked) copy.
  5. Tabletop exercise: Within 90 days, run a tabletop exercise with your leadership team simulating a ransomware incident. Walk through who calls whom, what decisions get made, and in what sequence.

How Your MSP Should Support a Ransomware Response

The Difference Between Break-Fix IT and True Incident Response Support

Not all managed service providers are equipped to support an active ransomware incident. A break-fix provider, one who responds to tickets reactively, is poorly positioned to lead an incident response where speed, forensic discipline, and regulatory knowledge all matter simultaneously.

What to expect from an MSP during a ransomware incident:

  • 24/7 emergency response: Ransomware does not wait for business hours. Your provider should have a dedicated after-hours emergency line with an SLA measured in minutes, not hours.
  • Internal staff, not a call centre: The person who picks up the phone should be a technical professional with authority to act, not a triage agent reading from a script.
  • Forensic capability: Your MSP should be able to conduct or coordinate forensic investigation to determine scope and entry point. Without this, you cannot be confident the environment is clean.
  • Insurance and legal coordination: Your MSP should understand how to work within the insurance claims process and how to document the incident in ways that support your breach notification obligations.
  • Backup and recovery architecture: Your MSP should have implemented backup solutions (ideally immutable, tested regularly) that make recovery possible. If your backups were inadequate, that is a service delivery failure worth examining.

GAM Tech's Approach to Incident Response

GAM Tech's security-first managed IT model is built on the premise that prevention is primary but response capability is non-negotiable. Our clients across Canada operate under managed services contracts that include:

  • 24/7 monitoring and alerting through our internal Security Operations team, not outsourced to a third-party NOC
  • Endpoint detection and response (EDR) deployed on all managed endpoints as a standard service component
  • Immutable backup solutions with tested RTO/RPO targets documented in each client's service agreement
  • 5-minute response guarantee for critical incidents, backed by contract, not just a marketing claim
  • SOC2 certified operations, meaning our internal controls, change management, and incident response procedures meet independently verified standards

The Ransomware Response Checklist: Print This and Keep It Accessible

Immediate (Hours 0–4)

  • Disconnect affected systems from the network (unplug ethernet, disable Wi-Fi); do not power off
  • Call your IT provider's emergency line
  • Verify backup status: are backups intact and offline/immutable?
  • Identify and secure a secondary communication channel (personal phones, secondary email)
  • Designate a single incident commander: one decision-maker
  • Preserve all evidence: no antivirus scans, no manual recovery, no system wipes

Short-term (Hours 4–24)

  • IT provider conducts forensic scope assessment
  • Notify cyber insurance carrier and activate policy
  • Contact legal counsel if regulated data (health, legal, financial) may be affected
  • Notify affected vendors and partners if shared systems are involved
  • Document everything: timestamps, actions taken, systems affected
  • Do not pay the ransom without legal and insurance guidance

Regulatory (Hours 24–72)

  • Assess whether personal information was exfiltrated (PIPEDA breach notification threshold analysis)
  • Determine which privacy laws apply: PIPEDA (federal), PIPA (Alberta/BC), Law 25 (Québec)
  • File breach report with Office of the Privacy Commissioner if threshold is met
  • Notify affected individuals as soon as feasible if required
  • Maintain breach records for 24 months minimum

Recovery

  • Forensic investigation complete before any restoration
  • All attacker access eliminated: credentials rotated, vulnerabilities patched, persistence removed
  • Clean environment confirmed via EDR before restoration
  • Restore from pre-attack clean backups in staged sequence
  • Post-incident review scheduled within 30 days

GAM Tech Differentiators: Why Our Clients Recover Faster

When a ransomware incident strikes, the quality of your managed IT provider becomes the most consequential variable in your recovery outcome. Here is what sets GAM Tech apart:

  • In business since 2012: Over 13 years of managed IT experience means our team has navigated real incidents, not hypotheticals. We have supported Canadian SMBs through ransomware events and emerged with stronger security architectures on the other side.
  • SOC2 certified: Our internal operations meet independently audited control standards for security, availability, and confidentiality, which means the partner supporting your incident response has verifiable operational discipline.
  • B-Corp certified: We operate with accountability to more than just revenue. Our team's commitment to clients extends to supporting recovery even under pressure.
  • 24/7 internal staff: Our after-hours support is handled by our own technical professionals, not a third-party call centre. When you call at 3 a.m. during an active ransomware incident, a GAM Tech engineer picks up.
  • 5-minute response guarantee: For critical incidents, our SLA is five minutes. This is the difference between containment in hour one and containment in hour four, a difference that can mean hundreds of thousands of dollars in recovery costs.
  • Security-first architecture: Clients on our managed services platform get EDR, immutable backup, and 24/7 monitoring as standard. Not as add-ons. This is what prevention-first managed IT looks like.
  • Eight offices across Canada: Calgary, Edmonton, Red Deer, Vancouver, Victoria, Toronto, Ottawa, and Montréal. National coverage means local presence for on-site response when remote is not enough.
  • Project packs included: Recovery from a ransomware incident often requires project-based work: environment rebuilds, new security architecture, staff training. Our managed services contracts include project packs so this work doesn't come as a budget surprise.

 

Frequently Asked Questions: Ransomware Response for Canadian SMBs

What should I do the moment I discover ransomware on my systems?

Isolate affected systems immediately: disconnect them from the network by unplugging ethernet cables and disabling Wi-Fi, but do not power them off. Then call your IT provider's emergency line. The priority in the first minutes is stopping the spread to unaffected systems. Do not attempt to remove the ransomware yourself, do not run antivirus scans, and do not make any changes to affected systems before a forensic assessment.

Should I pay the ransomware demand?

Do not pay without consulting legal counsel and your cyber insurance carrier first. Paying does not guarantee you will receive a working decryption key. In some cases, where the attacker group is on a government sanctions list, payment can expose your business to federal penalties. Your insurer may also have specific requirements around payment decisions that affect your claim. This decision should never be made under panic in the first few hours.

Am I required to report a ransomware attack in Canada?

Yes, if personal information was accessed or exfiltrated and there is a real risk of significant harm to affected individuals. Under PIPEDA, you must notify the Office of the Privacy Commissioner and affected individuals as soon as feasible. Alberta's PIPA and BC's PIPA have parallel obligations. Quebec's Law 25 adds additional requirements including notification to the Commission d'accès à l'information. Failure to report when required can result in penalties. When in doubt, report.

How long does ransomware recovery typically take for a Canadian SMB?

Recovery time varies significantly based on backup architecture, attack scope, and response readiness. Organizations with immutable offsite backups, tested recovery procedures, and a managed IT provider with incident response capability typically restore operations within days. Organizations without adequate backups or tested recovery procedures commonly take weeks to months. The post-2025 data is sobering: roughly one in three businesses that experienced a significant disruption took six months or more to fully recover.

What is the 3-2-1-1 backup rule and why does it matter for ransomware?

The 3-2-1-1 rule is the current best practice for ransomware-resilient backup: three copies of your data, stored on two different types of media, with one copy offsite, and one copy immutable (meaning it cannot be modified or deleted, even by an administrator). The immutable copy is critical specifically because modern ransomware actively targets and deletes backups before triggering encryption. An immutable backup cannot be compromised by an attacker with administrative credentials.
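Two of the playbook's backup rules can be checked mechanically: the 3-2-1-1 rule described in this answer, and the recovery-sequence rule that you restore from the most recent backup that pre-dates the attacker's initial access rather than the newest backup. The script below is an added example written for this page; it is not the MSP's tooling and does not use any backup product's API. It evaluates a constructed backup inventory against 3-2-1-1 and picks the restore point that pre-dates a (constructed) forensic estimate of initial access, preferring an immutable copy over a newer mutable one because a mutable copy could have been altered after the attacker got in. All locations, timestamps and the initial-access time are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class BackupCopy:
    """One snapshot in one storage location (constructed schema for this example)."""
    location: str       # e.g. "nas-nightly"; the 3-2-1-1 "copies" are distinct locations
    media: str          # "disk", "tape", "object-storage", ...
    offsite: bool
    immutable: bool     # object-locked or air-gapped: cannot be altered even with admin credentials
    taken_at: datetime  # UTC time the snapshot was taken


def check_3_2_1_1(copies):
    """Return the 3-2-1-1 violations for an inventory; an empty list means it is compliant."""
    problems = []
    locations = {c.location for c in copies}
    if len(locations) < 3:
        problems.append(f"only {len(locations)} copy location(s); the rule asks for three")
    media = {c.media for c in copies}
    if len(media) < 2:
        problems.append("all copies sit on one media type; the rule asks for two")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    if not any(c.immutable for c in copies):
        problems.append("no immutable copy: an attacker holding admin credentials could delete every backup")
    return problems


def choose_restore_point(copies, initial_access):
    """Select the restore point for a clean rebuild.

    Only copies taken BEFORE the forensic estimate of initial access are candidates; anything
    newer may already contain the attacker's persistence and is returned as 'suspect'.
    Among the candidates an immutable copy is preferred even if a newer mutable one exists.
    Returns (chosen_copy_or_None, suspect_copies).
    """
    pre_access = [c for c in copies if c.taken_at < initial_access]
    suspect = [c for c in copies if c.taken_at >= initial_access]
    candidates = [c for c in pre_access if c.immutable] or pre_access
    chosen = max(candidates, key=lambda c: c.taken_at) if candidates else None
    return chosen, suspect


# Constructed sample inventory and a constructed initial-access estimate (not real data).
INVENTORY = [
    BackupCopy("nas-nightly", "disk", offsite=False, immutable=False, taken_at=datetime(2026, 3, 10, 2, 0, tzinfo=UTC)),
    BackupCopy("nas-nightly", "disk", offsite=False, immutable=False, taken_at=datetime(2026, 3, 2, 2, 0, tzinfo=UTC)),
    BackupCopy("cloud-objectlock", "object-storage", offsite=True, immutable=True, taken_at=datetime(2026, 3, 8, 3, 0, tzinfo=UTC)),
    BackupCopy("cloud-objectlock", "object-storage", offsite=True, immutable=True, taken_at=datetime(2026, 3, 1, 3, 0, tzinfo=UTC)),
    BackupCopy("tape-weekly", "tape", offsite=True, immutable=True, taken_at=datetime(2026, 2, 28, 22, 0, tzinfo=UTC)),
]
INITIAL_ACCESS = datetime(2026, 3, 3, 14, 30, tzinfo=UTC)  # in practice this comes from the forensic assessment


if __name__ == "__main__":
    for problem in check_3_2_1_1(INVENTORY) or ["3-2-1-1: compliant"]:
        print(problem)
    chosen, suspect = choose_restore_point(INVENTORY, INITIAL_ACCESS)
    if chosen is None:
        print("no copy pre-dates initial access: plan a rebuild from clean sources")
    else:
        print("restore from:", chosen.location, chosen.taken_at.isoformat())
    for c in suspect:
        print("do not restore (post-dates initial access):", c.location, c.taken_at.isoformat())
```

With the constructed inventory, the nightly NAS copy from 2 March is newer than the object-locked cloud copy from 1 March, yet the cloud copy is chosen: the NAS copy is mutable and sat exposed for the whole dwell period. Running the check on the NAS copies alone reports all four 3-2-1-1 failures.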

Can ransomware affect my Microsoft 365 or cloud data?

Yes. Ransomware that compromises user credentials can encrypt files synchronized to OneDrive and SharePoint, spread through connected Microsoft 365 applications, and use compromised email accounts to distribute phishing messages. Cloud environments require cloud-specific backup solutions: third-party tools that create independent, immutable copies of your Microsoft 365 or Google Workspace data. Native Microsoft 365 retention settings are not a substitute for backup and do not protect against all ransomware scenarios.

What is double extortion ransomware?

Double extortion is now the default ransomware playbook for sophisticated attackers. In a double extortion attack, the attacker exfiltrates your data before encrypting it. You then face two separate threats: paying to receive the decryption key for your encrypted files, and paying to prevent the attacker from publishing or selling your stolen data. This means that even if you restore from backup, the attacker can still threaten to release sensitive client records, employee data, or financial information. Your response plan must account for both dimensions.

How does cyber insurance interact with ransomware response?

Cyber insurance is an important component of ransomware preparedness, but it is not a substitute for a response plan. Most policies require timely notification, often within 24 to 72 hours of discovery, as a condition of coverage. Your insurer will typically assign a breach coach who coordinates legal, forensic, and notification support. Policies commonly cover ransom negotiation costs, forensic investigation, notification expenses, and business interruption losses, but coverage terms vary significantly. Review your policy before an incident and ensure your IT provider understands your insurer's preferred vendors.

What is the role of my managed IT provider during a ransomware incident?

Your managed IT provider should lead technical containment, forensic investigation, evidence preservation, and recovery. They should have 24/7 emergency response capability, forensic tools to determine the scope of compromise, and documented procedures for working within the cyber insurance claims process. They should also have implemented preventive architecture (EDR, immutable backup, 24/7 monitoring) that reduces both the likelihood and the severity of a ransomware incident. If your current provider cannot articulate these capabilities, that is a gap worth addressing before an incident occurs.

What is endpoint detection and response (EDR) and why is it better than antivirus for ransomware?

Traditional antivirus relies on known malware signatures: it can only detect threats it has already seen. EDR platforms monitor endpoint behaviour continuously, identifying suspicious patterns like lateral movement, credential dumping, and unusual file encryption activity, the early-stage behaviours that precede a ransomware deployment. EDR can detect and contain a threat before it reaches the encryption stage. For Canadian SMBs without a dedicated security team, EDR paired with managed detection and response (MDR), where a security operations team monitors alerts 24/7, provides near-enterprise-grade protection at SMB economics.
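To make the behavioural idea concrete, here is an added example written for this page (not code from any EDR vendor or from the MSP): a simplified detection rule run over constructed file-activity telemetry. It flags a process that renames many distinct files to one new extension inside a short window, the "unusual file encryption activity" the answer refers to, while ignoring ordinary application saves and renames. The log format, host and process names, the thresholds and the `.lockd` extension are all constructed for the demonstration; a real EDR correlates many more signals and tunes thresholds per environment.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone
from os.path import splitext

# Constructed file-activity telemetry (not real EDR output). One event per line:
#   <UTC time> host=<name> pid=<n> proc=<image> op=<RENAME|WRITE> path="<old>" [new="<new>"]
SAMPLE_EVENTS = r"""
2026-03-10T07:38:40Z host=FS01 pid=2210 proc=WINWORD.EXE op=RENAME path="D:\shares\sales\~WRD0001.tmp" new="D:\shares\sales\proposal.docx"
2026-03-10T07:40:12Z host=FS01 pid=2384 proc=EXCEL.EXE op=WRITE path="D:\shares\finance\payroll-march.xlsx"
2026-03-10T07:41:02Z host=FS01 pid=4412 proc=updater.exe op=RENAME path="D:\shares\finance\q1-forecast.xlsx" new="D:\shares\finance\q1-forecast.xlsx.lockd"
2026-03-10T07:41:03Z host=FS01 pid=4412 proc=updater.exe op=RENAME path="D:\shares\finance\ap-aging.xlsx" new="D:\shares\finance\ap-aging.xlsx.lockd"
2026-03-10T07:41:05Z host=FS01 pid=4412 proc=updater.exe op=RENAME path="D:\shares\finance\vendors.csv" new="D:\shares\finance\vendors.csv.lockd"
2026-03-10T07:41:07Z host=FS01 pid=4412 proc=updater.exe op=RENAME path="D:\shares\hr\staff-list.docx" new="D:\shares\hr\staff-list.docx.lockd"
2026-03-10T07:41:09Z host=FS01 pid=4412 proc=updater.exe op=RENAME path="D:\shares\hr\t4-slips.pdf" new="D:\shares\hr\t4-slips.pdf.lockd"
2026-03-10T07:41:11Z host=FS01 pid=4412 proc=updater.exe op=RENAME path="D:\shares\clients\contracts.zip" new="D:\shares\clients\contracts.zip.lockd"
2026-03-10T07:41:20Z host=FS01 pid=4412 proc=updater.exe op=WRITE path="D:\shares\finance\README_RESTORE_FILES.txt"
""".strip().splitlines()

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\S+) '
    r'path="(?P<path>[^"]+)"(?: new="(?P<new>[^"]+)")?\s*$'
)


def parse_event(line):
    """Parse one telemetry line; malformed lines are skipped rather than trusted."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return e


def detect_encryption_bursts(lines, window_s=60, threshold=5, ext_share=0.8):
    """Flag processes that rename >= `threshold` distinct files within `window_s` seconds
    where at least `ext_share` of those renames introduce the same new extension.
    Renames that keep the file type (plain moves) are ignored. Thresholds are illustrative."""
    events = sorted((e for e in map(parse_event, lines) if e and e["op"] == "RENAME"),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # (host, pid, proc) -> renames inside the sliding window
    alerts = {}
    for e in events:
        old_ext = splitext(e["path"])[1].lower()
        new_ext = splitext(e["new"])[1].lower()
        if new_ext == old_ext:
            continue
        key = (e["host"], e["pid"], e["proc"])
        q = recent[key]
        q.append((e["ts"], e["path"], new_ext))
        while (e["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()                      # drop renames that fell out of the window
        distinct_files = {path for _, path, _ in q}
        ext, n = Counter(x for _, _, x in q).most_common(1)[0]
        if len(distinct_files) >= threshold and n / len(q) >= ext_share:
            alert = alerts.setdefault(key, {"host": e["host"], "pid": e["pid"], "proc": e["proc"],
                                            "first_seen": q[0][0], "files": 0, "ext": ext})
            alert["files"] = max(alert["files"], len(distinct_files))
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_encryption_bursts(SAMPLE_EVENTS):
        print(f"{a['first_seen'].isoformat()} {a['host']} pid={a['pid']} {a['proc']}: "
              f"{a['files']} files renamed to *{a['ext']} within 60 s -> isolate host, preserve memory")
```

On the sample, Word's temp-file rename and Excel's save produce nothing, while `updater.exe` trips the rule on its fifth rename at 07:41:09, eighteen seconds after it started and before it has finished the share. That is the gap a behavioural rule buys over a signature: the response (isolate the host, do not power it off) can start while most files are still intact.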

 

Is Your Business Prepared for a Ransomware Incident?

Most Canadian SMBs discover gaps in their ransomware preparedness when they're in the middle of an active incident. That's the worst possible time.

GAM Tech's security-first managed IT platform is built specifically to prevent ransomware incidents and support rapid recovery when prevention isn't enough. Our clients across Calgary, Edmonton, Vancouver, Toronto, Ottawa, and beyond operate with immutable backup, 24/7 EDR monitoring, and a team that answers the phone in under five minutes, any time of day.

Start with a ransomware readiness assessment. We'll evaluate your current backup architecture, endpoint protection, identity controls, and incident response readiness, and give you a clear picture of where your gaps are before an attacker finds them first.

Contact GAM Tech at gamtech.ca to schedule your assessment. National coverage, local presence, and a security-first approach that's backed by SOC2 certification and 13 years of supporting Canadian businesses.