Case Study · Western Sydney

Ransomware Attack: Western Sydney Business Fully Recovered in 24 Hours

How a local business went from total lockdown to full recovery — without paying the ransom.


The Situation

A small professional services business in Western Sydney arrived at the office one Monday morning to find every computer on their network displaying a ransom note. All files — client records, invoices, contracts and years of work — had been encrypted overnight. The attackers were demanding payment in cryptocurrency to restore access. The business had no IT support, no tested backup, and no idea what to do next.


What We Found When We Arrived

On-site within two hours of the call, we immediately isolated the affected machines from the network to prevent the ransomware from spreading further. The attack had entered through a phishing email opened three days earlier — the malware had lain dormant, quietly mapping the network, before triggering the encryption during the weekend when no one was watching. Two of the four workstations were fully encrypted. One was only partially encrypted. The fourth — which had been powered off over the weekend — was untouched. The business router logs revealed that the malware had also attempted to reach external servers, though the ISP had blocked most of the outbound connections.

How We Fixed It

We worked through the recovery in stages:

**Stage 1 — Containment.** All network connections severed. Clean machine identified and isolated. The IT team (Ragu) confirmed the ransomware variant using forensic tools — this was a known strain with available decryption tools for older encrypted files.

**Stage 2 — Data recovery.** Using shadow copy recovery and specialised decryption tools, we recovered approximately 85% of encrypted files directly — without paying the ransom. The remaining 15% were recovered from an old, partial backup the client had not realised they still had on an external drive sitting in a drawer.

**Stage 3 — Clean rebuild.** Both fully encrypted machines were wiped and Windows reinstalled cleanly. All software reinstalled and configured. The partially encrypted machine was cleaned and verified safe.

**Stage 4 — Security hardening.** Microsoft 365 Business Premium deployed across all machines, enabling cloud backup, advanced threat protection, and multi-factor authentication. Staff phishing awareness training conducted on-site. Automated daily cloud backup configured.

The Outcome

The business was fully operational within 24 hours of our first call. All critical client data was recovered. The ransom was never paid. The business now has automated cloud backup, MFA on all accounts, and a clear incident response plan. Six months later — zero incidents.

What this means for your business

Act fast and don't pay

Every hour a ransomware infection runs, more files are encrypted. Shutting off the internet connection immediately limits the damage. Paying the ransom is not recommended — it funds criminals and there is no guarantee of decryption.

Most ransomware enters through email

Staff training is the single most effective defence. One click on a phishing email opened the door here. Modern Microsoft 365 plans include advanced phishing filters that catch the vast majority of these attempts.

Backups are only useful if they are tested

This business had a partial backup they had forgotten about. Had it been current and tested, recovery would have been complete in hours. Automated cloud backup with version history is the standard for any business handling client data.
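As an added illustration of what "tested" means in practice (this is example code written for this post, not the tooling used in the recovery), the script below checks a backup against its source file by file and reports copies that are missing or no longer match. The folder names and file contents are constructed sample data.

```python
"""Backup verification: is the copy complete, and does it still match the source?"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    # Hash in 1 MiB chunks so large files need not fit in memory.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(source: Path, backup: Path) -> dict:
    """Compare every file under source with its copy under backup.

    missing: never backed up; changed: backup is behind the source or the copy
    was damaged (e.g. encrypted after it was taken); ok: nothing missing/changed.
    """
    missing, changed, verified = [], [], 0
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source).as_posix()
        copy = backup / rel
        if not copy.is_file():
            missing.append(rel)
        elif sha256_of(src_file) != sha256_of(copy):
            changed.append(rel)
        else:
            verified += 1
    return {"missing": missing, "changed": changed, "verified": verified,
            "ok": not missing and not changed}


def demo() -> dict:
    """Constructed source/backup pair: one good copy, one stale copy, one missing."""
    root = Path(tempfile.mkdtemp())
    src, bak = root / "clients", root / "backup" / "clients"
    src.mkdir(parents=True)
    bak.mkdir(parents=True)
    (src / "invoices.csv").write_text("inv-1001,450.00\n")
    (bak / "invoices.csv").write_text("inv-1001,450.00\n")  # identical copy
    (src / "contract.txt").write_text("v2 signed")
    (bak / "contract.txt").write_text("v1 draft")  # backup is behind
    (src / "notes.txt").write_text("new client")  # never backed up
    return verify_backup(src, bak)
```

Run `verify_backup` against the real source folder and the backup target on a schedule; a report where `ok` is False is the signal that the backup would not carry you through an incident like this one.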

Patch everything immediately

The ransomware variant used exploited a Windows vulnerability that had been patched two months earlier. Keeping Windows and all software updated closes these doors before attackers can use them.

Frequently asked questions

How much does ransomware recovery cost?

It depends on the severity and the data involved. A single workstation cleanup and rebuild typically costs $300–$600. Full business recovery including security hardening varies. We always assess first with no obligation and give an upfront quote before starting any work.

Should I pay the ransom?

We strongly advise against it. Paying funds criminal organisations, there is no guarantee your files will be decrypted, and it marks you as a target for repeat attacks. In most cases, professional recovery tools and backup restoration are more effective and cost less than the ransom demand.

Can you recover encrypted files?

Often yes. The success rate depends on the ransomware variant, whether shadow copies survived, and the state of any backup. We have recovered files in the majority of cases we have handled without the ransom being paid.

How do I prevent ransomware?

The four key defences are: staff phishing training, Microsoft 365 with advanced threat protection, automated cloud backup with version history, and keeping Windows and software updated. We can set all of this up for Western Sydney businesses.
