What Happens When Ransomware Hits a 25-Person Firm in Riverside (a Realistic Timeline + What Stops It)
Ransomware does not arrive announced. It comes in by email, sits quietly for days or weeks, and detonates on a Friday night when nobody is watching. Here is the realistic timeline for a 25-person firm in Riverside, and the controls that would have changed the ending.
The Scenario: a Composite of Real Cases
What follows is a composite scenario based on patterns we see in real ransomware cases in the Inland Empire. The firm is fictional. The mechanics are not.
Meet a 25-person professional services firm in Riverside. They have a Microsoft 365 tenant, a small file server in a closet, a third-party line-of-business app, and laptops for every employee. They use a local IT vendor on a break-fix basis. Backups run nightly to a NAS in the same closet as the file server. MFA is on for the owner and the office manager but partial across the rest of the firm. Anti-phishing is at default. Conditional Access is off. The firm thinks of itself as well-run, and by most measures it is.
Let's walk through the next four weeks.
Day 0: the Inbound Email
On a Tuesday afternoon, an associate receives an email that appears to be from a known vendor, attaching what looks like an invoice. The display name is correct. The reply-to address is a lookalike domain — one letter different from the real vendor. The email asks the associate to review the attached document.

The attachment is a Word file. When opened, it prompts the user to enable content. The user, who has done this hundreds of times for legitimate documents, clicks enable. A small payload runs, drops a remote access trojan onto the laptop, and reaches out to a command-and-control server. The associate's antivirus — a consumer-grade product the firm has run for years — does not flag it.
The attacker is now on one laptop in the firm. Nobody knows. The user goes back to work.
Days 1 to 14: Silent Reconnaissance
For two weeks, the attacker draws no attention. They map the network from the compromised laptop. They identify the file server, the practice's line-of-business application, and the credentials cached on the laptop. They run a tool that pulls the laptop's saved Wi-Fi passwords, browser-saved logins, and any locally stored credentials.
The associate's password is reused across several systems — a habit nobody has caught. The attacker uses the cached credential to RDP into the file server during a normal business hour, mixed in with normal admin traffic. From the file server, they move laterally to the Microsoft 365 tenant by using the same credential to sign into the firm's email — without MFA, because the associate's account did not have it enforced.
Now the attacker has access to two systems and is reading email. They watch for two more weeks, learning who pays whom, when wire transfers happen, what the partner-to-partner email patterns look like, where backups are stored, and where the most valuable client files live.
Day 21: the Detonation
On a Friday night around 9 PM, the attacker triggers the ransomware. The encryption is fast — modern strains finish a small file server in under an hour. They simultaneously delete the NAS backup volumes from inside the network using credentials they harvested during reconnaissance. They exfiltrate the most sensitive client folders to their own servers as a leverage tool. By Saturday morning, every Windows machine on the network shows a ransom note. The file server is encrypted. The NAS is wiped. The Microsoft 365 mailboxes are intact for the moment but the attacker still has access.
The ransom demand is roughly $400,000, payable in cryptocurrency, with a five-day deadline before the exfiltrated data is published.
Days 22 to 28: the Real Cost
The ransom is the smallest part of the bill. Here is what the next week looks like.
- Monday: the firm cannot operate. Email is locked. Files are encrypted. The line-of-business app is down. The owner calls the IT vendor, who is not equipped to handle a ransomware case and refers them out.
- Tuesday: the cyber insurance carrier (assuming the firm has coverage) deploys an incident response firm. The IR firm takes over. The firm's existing IT vendor is sidelined.
- Wednesday: the IR firm determines the NAS backups are unrecoverable. Whether to pay the ransom becomes a real conversation. Even if the firm pays, decryption is slow and incomplete.
- Thursday and Friday: forensic work continues. The firm cannot bill, cannot work cases, cannot send invoices. Staff are sent home or doing manual tasks on personal devices.
- The following week: the firm is notifying clients of a potential data exposure. Some client matters are paused while clients evaluate the firm's posture. State data breach notification requirements (in California, Civ. Code § 1798.82 — generally 60 days to notify affected residents) apply because the exfiltrated data included personal information. If the firm handles financial customer data, the FTC Safeguards Rule (16 CFR Part 314, revised 2023) also imposes notification obligations. Legal counsel is involved.
All-in cost for a 25-person firm hitting this scenario, in our experience and based on published industry data: $250,000 to $1.2 million depending on whether the ransom is paid and whether business interruption insurance covers the gap. The firm typically loses 10 to 30 percent of clients in the year following the incident.
> The owner does not sleep well for six months. The ransom is the smallest line item; the lost clients, the forensic work, the regulatory clock, and the staff time are the real bill.
What Would Have Stopped It
Now the rewind. Each of these would have meaningfully changed the outcome — listed in roughly the order we'd implement them at a firm this size.

1. MFA on every account, including the associate's. Even if the attacker had the password, MFA on the M365 account would have stopped the lateral move into email and from there into the deeper systems. This is a one-evening project for a small firm.
2. Modern EDR instead of consumer antivirus. Defender for Business, SentinelOne, or CrowdStrike would likely have flagged the initial trojan dropper. EDR is not perfect but it sees behavior that signature antivirus misses. Modern EDR is the line item most firms underspend on relative to the protection it provides.
3. Conditional Access policies. Conditional Access is the M365 feature that decides — per sign-in — whether the user is doing something normal (right device, right country, right time, MFA passed) and lets them through, or whether the request looks unusual and either prompts again or blocks. A policy that blocks sign-ins from countries where the firm does not operate, or that requires a managed device for sensitive resources, would have broken the attacker's M365 access.
4. Immutable, off-network backups. The NAS in the same closet as the file server, on the same network, with the same admin credentials, is a setup that loses to ransomware every time. Cloud backups with immutability — backups that cannot be deleted or modified for a defined retention period, even with admin credentials — survive the attack. This is the single largest determinant of recovery cost.
5. Tested restore procedures. Even good backups do not help if nobody has tested a restore. A quarterly restore test catches the gaps before a real incident.
6. Phishing-resistant MFA on admin accounts. For the owner, the office manager, and any accounts with elevated privileges, hardware security keys (FIDO2) or Microsoft Authenticator with number matching beat SMS or push fatigue. This is what stops a determined attacker from talking the user into approving a fake login — the "MFA fatigue" or "push bombing" attack pattern that has been the headline incident vector since 2022.
7. Email tenant hardening. Lookalike-domain detection, anti-phishing impersonation rules, and external-sender warnings would have made the original phishing email far less likely to fool the associate.
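Items 1 and 3 above, as an added example that is not from the original article: the two Conditional Access policies described (block sign-ins from countries where the firm does not operate; require MFA and a managed device for Office 365), created with the Microsoft Graph PowerShell SDK. Assumptions: the Microsoft.Graph module is installed, the firm operates only in the US, and an emergency-access account exists whose object id (placeholder below) is excluded so a misconfigured policy cannot lock the owner out.

```powershell
# Added example, not the article's own code. Requires the Microsoft.Graph module.
# Assumption: the firm signs in only from the US; adjust countriesAndRegions to match.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object id of the cloud-only emergency-access (break-glass) account.
$breakGlassId = "<object-id-of-break-glass-account>"

# 1. Named location listing the countries the firm actually operates from.
$firmCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Firm operating countries"
    countriesAndRegions               = @("US")
    includeUnknownCountriesAndRegions = $false   # unknown geo-IP is treated as outside
}

# 2. Block every sign-in that does not originate from those countries.
#    Created in report-only mode so the sign-in log shows what it WOULD block.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block sign-in from outside operating countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($firmCountries.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. Require MFA for every user AND an Intune-compliant (managed) device for
#    Office 365 workloads, so a stolen password alone cannot open the mailbox.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require MFA and managed device for Office 365"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("Office365") }
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}
```

Both policies start in report-only mode; after reviewing the sign-in log for a week to see what they would have blocked, switch `state` to `"enabled"`.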
The Honest Math
Adding up the controls above for a 25-person firm comes to a recurring monthly investment in licensing and management plus a one-time hardening project. The exact number depends on the firm's starting state, existing M365 licensing, and stack complexity — but annualized, it typically lands in the same neighborhood as the deductible on a standard small business cyber insurance policy.
> Annualized, that is in the same range as the deductible on a typical small business cyber insurance policy. The alternative is the scenario above.
Insurance carriers know this math, which is why they are pricing aggressively for firms that lack the basic controls and refusing to renew the ones that resist after a claim.
If you want to see where your firm currently sits against this list, our [security baseline assessment](/services/security-assessment) walks through it methodically, our [Inland Empire IT support](/it-support-inland-empire) page covers our coverage area, and our [free 12-question self-check](/self-check) gives you a rough grade in three minutes. Call 949-594-0742 if any of this feels uncomfortably familiar. The goal is for the worst day at your firm to be a Tuesday with a broken printer, not a Friday night with a ransom note.
