Cybersecurity | 9 min read

Ransomware Recovery for Canadian SMBs: A Practical Playbook

Brian Clayton

Canadian SMBs spend a lot on prevention: EDR, MFA, anti-phishing, security awareness training. Most of it works. Ransomware does not get into well-managed networks often. But when it does, the question stops being "is our security good enough" and starts being "can we recover."

This piece covers what ransomware recovery looks like for a real Canadian SMB: what happens in the first hour, how containment decisions play out, the restore-vs-negotiate question, how cyber insurance shapes the response, and how to build readiness before you ever need it.

Why Recovery, Not Prevention, Is the Real Test

Prevention is a probability problem. Recovery is a capability problem. You can drive ransomware risk down significantly with the controls we cover in our cybersecurity guide for Canadian SMBs, but you cannot drive it to zero. The realistic posture is "we have layered prevention AND we know exactly what we would do."

The SMBs that recover fast are not the ones with the most expensive tools. They are the ones who tested their backups, identified their IR partner before the incident, and rehearsed the first hour. The ones who suffer most are the ones who discover, at 2am on a Saturday, that their backup vendor changed its retention policy six months ago and nobody noticed.

The First 60 Minutes

The first 60 minutes of a ransomware incident set the tone for the next 14 days. The sequence that works:

  1. Confirm it is ransomware. Multiple endpoints with encrypted files, a ransom note artifact, EDR alerts firing on the same indicators. Not just one machine acting weird.
  2. Isolate affected systems. Isolate at the network layer (switch port, firewall rule, or EDR network containment) rather than powering machines off: running processes and memory are evidence, and a powered-off host loses both. Pulling the cable keeps the host powered but does not scale past a handful of machines and leaves Wi-Fi up on laptops.
  3. Stop the spread. Disable affected user accounts. Force-revoke tokens. Block known-bad IPs at the perimeter. If you have EDR with network containment, use it.
  4. Notify your cyber insurance carrier. Most policies require notification within a set window, commonly 24 to 72 hours of discovery, and many have a 24/7 hotline. Failing to notify can void coverage.
  5. Engage your incident response partner. If you have a retainer, this is when you call. If you do not, this is when you discover you need one.
  6. Preserve evidence. Do not wipe and reinstall yet. Forensics will need disk images, memory captures, and logs to determine root cause.

Notice what is not on this list: paying the ransom, restoring from backups, or notifying customers. Those decisions come after the first hour, with more information.
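Step 1 above, confirming that this is ransomware and not one machine acting weird, is the kind of judgement that benefits from being written down as a rule before the incident. The script below is an added example, not code from the page or from any EDR product: it applies the three tests in the list (several endpoints writing encrypted files, a ransom-note artifact, the same EDR indicator on more than one host) to a constructed, simplified file-event export, and returns the accounts that step 3 should disable. The thresholds, the known-extension list and the ransom-note filename pattern are assumptions to tune for your environment; a real EDR export carries file hashes rather than content, so the entropy test would run against the file itself.

```python
"""Step 1 of the first hour, as a script: does file telemetry across endpoints look like
ransomware, or like one machine acting weird?

Added example, not code from the page or from any EDR product. The events are a
constructed, simplified export (a real EDR carries file hashes, not content, so the
entropy test would run on the file itself); thresholds and the ransom-note filename
pattern are assumptions to tune for your environment.
"""
import hashlib
import math
import re
from collections import defaultdict
from dataclasses import dataclass

ENTROPY_THRESHOLD = 7.0     # bits per byte; encrypted data sits close to 8.0
MIN_ENCRYPTED_PER_HOST = 3  # one odd file is noise, a burst is a signal
MIN_AFFECTED_HOSTS = 2      # the page's "not just one machine acting weird"
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "csv", "jpg", "png", "zip"}
RANSOM_NOTE_RE = re.compile(r"readme|how_to|decrypt|restore.*files", re.I)


@dataclass
class FileEvent:
    host: str
    user: str
    path: str
    content: bytes  # first bytes written to the new or renamed file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; natural-language text scores around 4 to 5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(ev: FileEvent) -> bool:
    """Two signals together: an extension a user would not produce and ciphertext-like
    bytes. Requiring both keeps a developer zipping a repo out of the encrypted bucket."""
    name = re.split(r"[\\/]", ev.path)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in KNOWN_EXTENSIONS and shannon_entropy(ev.content) >= ENTROPY_THRESHOLD


def triage(events, alerts) -> dict:
    """Apply the page's three tests. alerts is a list of (host, indicator) pairs as an EDR
    would emit them, where indicator is whatever the alert keyed on (a process hash, say)."""
    encrypted, notes, by_indicator = defaultdict(int), set(), defaultdict(set)
    for ev in events:
        if RANSOM_NOTE_RE.search(re.split(r"[\\/]", ev.path)[-1]):
            notes.add(ev.host)
        elif looks_encrypted(ev):
            encrypted[ev.host] += 1
    for host, indicator in alerts:
        by_indicator[indicator].add(host)
    hosts = {h for h, n in encrypted.items() if n >= MIN_ENCRYPTED_PER_HOST}
    shared = sorted(i for i, hs in by_indicator.items() if len(hs) >= MIN_AFFECTED_HOSTS)
    return {
        "confirmed": len(hosts) >= MIN_AFFECTED_HOSTS and bool(notes or shared),
        "hosts_encrypting": sorted(hosts),
        "hosts_with_note": sorted(notes),
        "shared_indicators": shared,
        # the accounts step 3 should disable: whoever was writing on the encrypting hosts
        "accounts_in_scope": sorted({ev.user for ev in events if ev.host in hosts}),
    }


def _ciphertext_like(seed: str, n: int = 1024) -> bytes:
    """Deterministic stand-in for encrypted content: chained SHA-256 output."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def _encrypted_writes(host, user, folder, names):
    return [FileEvent(host, user, folder + "\\" + n, _ciphertext_like(host + n)) for n in names]


PLAINTEXT = b"Quarterly invoice summary for ACME Plumbing, prepared by accounting. " * 16
# Constructed: two hosts encrypting, a note on one, the same EDR indicator on both, and a
# developer writing a large zip (known extension, so it is not counted).
SAMPLE_EVENTS = (
    _encrypted_writes("WS-ACCT-01", "jsmith", r"C:\Users\jsmith\Documents",
                      ["invoices.xlsx.lkd", "budget.docx.lkd", "notes.txt.lkd"])
    + [FileEvent("WS-ACCT-01", "jsmith", r"C:\Users\jsmith\Desktop\HOW_TO_RECOVER_FILES.txt", PLAINTEXT)]
    + _encrypted_writes("FS-01", "svc-backup", r"D:\Shares\Finance",
                        ["ledger.csv.lkd", "q4.pdf.lkd", "payroll.xlsx.lkd"])
    + [FileEvent("WS-DEV-02", "mlee", r"C:\repos\app\build.zip", _ciphertext_like("zip"))]
)
SAMPLE_ALERTS = [("WS-ACCT-01", "sha256:deadbeef01"), ("FS-01", "sha256:deadbeef01")]
# Constructed: one machine writing a burst of odd files, no note, no shared indicator.
SINGLE_HOST_EVENTS = _encrypted_writes("WS-DEV-02", "mlee", r"C:\temp", ["a.bin", "b.bin", "c.bin"])

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, SAMPLE_ALERTS))   # confirmed: True
    print(triage(SINGLE_HOST_EVENTS, []))         # confirmed: False
```

The single-host case is the one to notice: three high-entropy files on one developer workstation with no note and no shared indicator stays unconfirmed, which is the page's point that one machine acting weird is not yet a ransomware declaration. The entropy test alone is not enough either, which is why compressed files with a known extension are excluded before the threshold is applied.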

Containment Decisions

Containment is the highest-stakes decision in the first six hours. The trade-off: aggressive isolation halts the attack but stops business operations. Conservative isolation keeps things running but may let the attack spread.

The right answer depends on what you can see. With proper security visibility in place, you can see which accounts were used, which devices are involved, and how recently the attacker moved laterally. Without that visibility, the safer call is broader isolation: assume more is compromised than you can prove.

Specific containment moves that almost always make sense:

  • Disable all admin accounts and re-enable them only through a verified clean path; keep one break-glass account, freshly reset from a known-clean workstation, so containment does not lock you out of your own environment
  • Force password reset and token revocation for any account with recent privilege use
  • Disconnect or isolate backup systems from the production network (the most aggressive ransomware variants target backups first)
  • Block external command-and-control IPs at the firewall
  • Pause any scheduled jobs that move data between systems
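The first two moves, plus the EDR isolation from the first-hour list, are worth scripting in advance so that they take seconds rather than a sequence of portal clicks under pressure. The script below is an added example, not code from the page or from Microsoft. It assumes a Microsoft 365 tenant (Microsoft Graph for identity) and Microsoft Defender for Endpoint (its API for device isolation), with bearer tokens for each API supplied through the environment variables GRAPH_TOKEN and MDE_TOKEN by an app registration you have already provisioned; every call is planned first and sent only when execute is set, so the dry run can be reviewed with the IR partner before anything is disabled. Keep the break-glass account out of the user list.

```python
"""Scripted containment: disable the accounts in scope, revoke their sessions, isolate
the devices. Plan first, send only on request.

Added example, not code from the page or from Microsoft. Assumes Microsoft 365 (Graph)
and Defender for Endpoint (MDE API); tokens come from GRAPH_TOKEN and MDE_TOKEN.
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
MDE = "https://api.securitycenter.microsoft.com/api"


def plan_containment(user_ids, device_ids, comment="IR containment"):
    """Build the exact HTTP calls in the order they should go, without sending any.
    Each entry is (method, url, json_body, which_token)."""
    plan = []
    for uid in user_ids:
        # Disable first so no new token can be minted, then revoke refresh tokens.
        # Access tokens already issued stay valid until they expire (up to an hour by
        # default), which is why device isolation follows rather than replaces this.
        plan.append(("PATCH", f"{GRAPH}/users/{uid}", {"accountEnabled": False}, "graph"))
        plan.append(("POST", f"{GRAPH}/users/{uid}/revokeSignInSessions", {}, "graph"))
    for did in device_ids:
        # Full isolation cuts all traffic except to the Defender service itself, which keeps
        # the host powered and reachable for forensics (the evidence-preservation point).
        plan.append(("POST", f"{MDE}/machines/{did}/isolate",
                     {"Comment": comment, "IsolationType": "Full"}, "mde"))
    return plan


def send(method, url, body, token, timeout=30):
    """Send one planned call with a bearer token and return the HTTP status."""
    req = urllib.request.Request(
        url, method=method, data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def run(plan, execute=False):
    """Dry run by default: returns (method, url, result) per call. With execute=True the
    calls go out in order and the result is the HTTP status."""
    tokens = {"graph": os.environ.get("GRAPH_TOKEN"), "mde": os.environ.get("MDE_TOKEN")}
    results = []
    for method, url, body, api in plan:
        if not execute:
            results.append((method, url, "dry-run"))
            continue
        if not tokens[api]:
            raise RuntimeError(f"no token for {api}; set GRAPH_TOKEN / MDE_TOKEN")
        results.append((method, url, send(method, url, body, tokens[api])))
    return results


if __name__ == "__main__":
    # Constructed IDs; replace with the object IDs and machine IDs from your triage output.
    plan = plan_containment(
        user_ids=["00000000-0000-0000-0000-00000000aaaa"],
        device_ids=["0123456789abcdef0123456789abcdef01234567"],
    )
    for line in run(plan, execute=False):
        print(*line)
```

Revoking sessions invalidates refresh tokens, not the access tokens a device already holds, which is one reason network isolation of the device is listed alongside the account moves rather than instead of them. Firewall blocking of command-and-control addresses is vendor-specific and is left out of this example.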

Restore from Backups vs. Negotiate

Once containment is in place, the central question is whether you restore from backups or negotiate. The honest answer: if your backups are clean, intact, and tested, you restore. If they are not, you discover that very fast.

Modern ransomware operators target backups first because they know it is your leverage. If your backup repository was reachable from your production network, on the same identity provider, with the same admin credentials, assume it is encrypted too. This is why immutable backups matter: at least one copy must live somewhere the attacker cannot reach or alter with any credential stolen from production, such as object storage with object lock or WORM retention under a separate identity, or offline media.

If backups are intact, the recovery path is: rebuild a known-clean environment, restore systems in dependency order (identity, then DNS, then file servers, then applications), and rotate every credential before bringing systems online: user and admin passwords, service accounts, API keys and, if Active Directory was compromised, the krbtgt account password twice. Expect 5 to 14 days for a typical SMB with 50 to 200 endpoints.

If backups are not intact, the decision becomes commercial. Cyber insurance carriers and IR partners will guide negotiation. Ransom demands in Canadian SMB cases in 2025 ran roughly USD 100,000 to USD 350,000, with negotiated settlements frequently landing 30 to 50 percent below the opening number. Payment does not guarantee a working decryptor, and the carrier will screen the operator against sanctions lists before any payment is considered, which is why, even with cyber insurance, carriers prefer the restore path.

Cyber Insurance Notification and IR Partner

Your cyber insurance policy almost certainly requires you to use the carrier's approved IR partner unless you have a pre-approved alternative on file. Calling your own preferred firm without notifying the carrier can mean those costs are not covered.

The carrier's 24/7 hotline routes you to a breach coach (usually a lawyer) who coordinates: forensics, ransomware negotiation, regulatory notification, customer communication, and PR. This is the highest-value part of the policy and the part most SMBs do not understand until they need it.

If you have not had a cyber insurance policy review in the last 12 months, the items you need to verify are covered in our cyber insurance documentation guide. Run our free cyber insurance readiness checker if you want to see how your controls stack up against what carriers ask before they will quote.

Operating the Business During Recovery

While IT is recovering, the business still has customers, payroll, and obligations. The plans that work include:

  • A documented manual fallback for the top 3 to 5 business processes (taking orders, scheduling, payroll, customer support)
  • Pre-printed contact lists and emergency phone trees that do not depend on the email system
  • Pre-identified communication channels for customers (text, phone, social, secondary email) when email is down
  • A holding statement template approved by the breach coach in advance
  • A list of which decisions belong to the owner and which to the IR partner

These are checklist items, not big projects. The SMBs who recover with minimal damage have them. The SMBs who become news stories generally do not.

Post-Incident Review

Once production is restored, the work shifts to closing the gaps that allowed the incident. The breach coach typically requires a post-incident report covering: root cause, timeline, controls that failed, controls that worked, and remediation plan.

The most common findings in Canadian SMB ransomware incidents in the last two years:

  • MFA not enforced on a privileged account (initial access)
  • Legacy authentication still allowed (bypassed MFA)
  • Backup repository reachable from production network (encrypted with everything else)
  • EDR exclusions misconfigured (attacker living in a blind spot)
  • Unpatched VPN appliance or remote access tool (initial access)

None of these are exotic. They are the items the cybersecurity baseline covers. The post-incident review almost always converges on the same controls that should have been operating in the first place.

Building Recovery Readiness Before an Incident

Recovery readiness is built in normal time. The practical investments:

  • Test restores monthly on a real system (not just a backup-job-completed alert)
  • Document the first-60-minutes playbook on paper and store it where the email outage cannot hide it
  • Run one tabletop exercise per year (cyber insurance increasingly expects this)
  • Identify and pre-engage an external IR partner
  • Confirm your cyber insurance policy hotline number is accessible offline
  • Establish immutable backups with separate identity from production
  • Maintain a current asset and account inventory you can pull without your normal tools

None of this is dramatic. It is the unglamorous operational work that separates SMBs who treat ransomware as a survivable event from those who treat it as a business-ending one.
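The first item on the list, a monthly restore test on a real system, and the retention drift described earlier (a vendor quietly changing its retention policy) are both things a script can check. The example below is added here and is not code from the page or from any backup product. It assumes backups are tar archives carrying a SHA-256 manifest (one "hash  path" line per file) and that snapshot names end in an ISO date; the sample files and snapshot names are constructed for the demonstration, and real products expose equivalent data through their own tooling. It restores into scratch space, hashes every restored file against the manifest, refuses archive members that would escape the scratch directory, and reports whether the snapshots that actually exist cover the retention window the policy promises.

```python
"""Monthly restore test: restore a backup into scratch space and prove every file is
intact, rather than trusting a backup-job-completed alert. Also compares the snapshots
on disk with the retention window the policy claims.

Added example, not code from the page or from any backup product. Assumes tar archives
with a SHA-256 manifest ("<hash>  <path>" per line) and snapshot names ending in an ISO
date; sample files and snapshot names are constructed.
"""
import hashlib
import io
import tarfile
import tempfile
from datetime import date
from pathlib import Path

MANIFEST = "MANIFEST.sha256"

# Constructed stand-in for a small file-server share.
SAMPLE_FILES = {
    "docs/ledger.csv": b"date,amount\n2025-01-02,120.00\n2025-01-09,75.50\n",
    "docs/contracts/acme.txt": b"Master services agreement, ACME Plumbing Ltd.\n",
    "hr/payroll-2025-01.txt": b"pay run 2025-01-15: 12 employees\n",
}
# Constructed snapshot names as a repository might list them (policy said 90 days).
SAMPLE_SNAPSHOTS = ["fs01-2025-02-01", "fs01-2025-02-15", "fs01-2025-02-28"]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> bytes:
    """What the backup job writes: the files plus a manifest of their hashes."""
    manifest = "".join(f"{sha256(d)}  {p}\n" for p, d in sorted(files.items()))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in list(files.items()) + [(MANIFEST, manifest.encode())]:
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def corrupt_copy(archive: bytes, path: str) -> bytes:
    """Test helper: zero one member's bytes (silent corruption or partial encryption)
    and leave the manifest alone, so the job still 'completes' but the data is gone."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(archive)) as src, \
            tarfile.open(fileobj=buf, mode="w") as dst:
        for m in src.getmembers():
            data = src.extractfile(m).read()
            if m.name == path:
                data = b"\0" * len(data)
            dst.addfile(m, io.BytesIO(data))
    return buf.getvalue()


def _safe_target(scratch: Path, name: str) -> Path:
    """Never let an archive member escape the scratch directory (tar path traversal)."""
    target = (scratch / name).resolve()
    if scratch.resolve() not in target.parents:
        raise ValueError(f"refusing member outside scratch space: {name}")
    return target


def restore_and_verify(archive: bytes, scratch: Path) -> dict:
    """Extract to scratch, then hash every restored file against the manifest."""
    restored = {}
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            target = _safe_target(scratch, m.name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(tar.extractfile(m).read())
            restored[m.name] = target
    manifest = restored.pop(MANIFEST, None)
    if manifest is None:
        return {"ok": False, "verified": 0, "missing": [], "mismatched": [], "error": "no manifest"}
    expected = {}
    for line in manifest.read_text().splitlines():
        digest, path = line.split("  ", 1)
        expected[path] = digest
    missing = sorted(p for p in expected if p not in restored)
    mismatched = sorted(p for p, d in expected.items()
                        if p in restored and sha256(restored[p].read_bytes()) != d)
    return {"ok": not missing and not mismatched,
            "verified": len(expected) - len(missing) - len(mismatched),
            "missing": missing, "mismatched": mismatched}


def run_restore_test(archive: bytes) -> dict:
    """Restore into a throwaway directory, as the monthly test would on a scratch VM."""
    with tempfile.TemporaryDirectory() as d:
        return restore_and_verify(archive, Path(d))


def retention_gap(snapshot_names, required_days: int, today_iso: str) -> dict:
    """Compare the snapshots that exist with the retention the policy promises."""
    today = date.fromisoformat(today_iso)
    ages = sorted((today - date.fromisoformat(n[-10:])).days for n in snapshot_names)
    return {"newest_age_days": ages[0], "oldest_age_days": ages[-1],
            "fresh": ages[0] <= 1, "covers_required_window": ages[-1] >= required_days}


if __name__ == "__main__":
    clean = make_backup(SAMPLE_FILES)
    print("clean restore:", run_restore_test(clean))
    print("corrupted restore:", run_restore_test(corrupt_copy(clean, "docs/ledger.csv")))
    print("retention vs 90-day policy:", retention_gap(SAMPLE_SNAPSHOTS, 90, "2025-03-01"))
```

Run this against a real snapshot on an isolated scratch host, not on the production share, and treat a failed hash or a retention window shorter than the policy as an incident-readiness finding in its own right: the corrupted copy above still extracts without error and would have produced a green backup-job alert.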

Where ClayGen Connect Helps

Connect's Security Hub gives owners and IT staff one view of identity coverage, EDR health, backup status, and Microsoft 365 hardening. In normal times, that visibility is how you keep controls from drifting. In incident time, it is the snapshot the IR partner uses to scope the blast radius without spending the first three hours discovering what you have.

For our managed cybersecurity clients, the dashboard, the tabletop, and the documented playbook come standard. For everyone else, the readiness checker is the no-email-required starting point. For the full controls picture, see our cybersecurity guide and our managed cybersecurity service page.
