A Data Collaboration Services Case Study

Background: A Mission Under Threat
For organizations built around serving their communities, a cyberattack doesn’t just disrupt operations, it interrupts lives. This national nonprofit had spent more than two decades delivering social services, housing assistance, and workforce development programs across multiple locations in the United States. With roughly 60 staff, a mission-driven culture, and an IT environment managed by a single generalist coordinator, they operated the way most nonprofits do: lean, effective, and focused on the work.
There was no dedicated security team. No 24/7 monitoring. Backups ran nightly to an on-premises server sharing the same network segment as production systems. The organization carried cyber insurance but had never formally tested its incident response procedures. As with the 43% of cyberattacks that target small and mid-sized organizations (Varonis), this nonprofit wasn’t victimized because it was high-profile. It was targeted because it had gaps, and attackers had learned to find them.
Tuesday Morning. Everything Stops.

Staff arriving for the morning shift on a Tuesday in late Q3 found their screens locked. The file server was inaccessible. The case management database that the staff relied on to coordinate services for hundreds of active clients was encrypted. Shared drives holding years of program documentation, grant compliance records, and operational files had been replaced with a single message: a ransom note demanding $85,000 in cryptocurrency within 72 hours.
The organization’s IT coordinator immediately isolated the affected machines and called the executive director. Within the hour, they had reached DCS.
What the organization didn’t know yet: the attacker had been inside the network for three days before triggering encryption. A phishing email – convincingly spoofed as a grant notification from a known funder – had bypassed the organization’s basic email filtering and delivered the initial payload. The encryption itself was the last step, not the first.
The DCS Response: Contain, Assess, Recover

DCS engaged the client within two hours of the initial call. The first priority was containment – stopping lateral movement and preserving forensic evidence before attempting any recovery.
Hours 0–4: Containment
Working remotely alongside the client’s IT coordinator, the DCS incident response team:
- Isolated all infected endpoints and severed their network connections.
- Mapped the spread – confirming that the file server, two administrative workstations, and a directly connected backup drive had been encrypted.
- Identified the attacker’s initial access vector and dwell period through log analysis.
- Confirmed that the organization’s Microsoft 365 environment and a weekly off-network backup remained fully intact and uncompromised.
- Documented and packaged forensic evidence to support the cyber insurance claim.
The decision on the ransom demand was straightforward.
The $85,000 demand was real pressure. Program operations had gone dark. Staff couldn’t access client files. Grant reporting deadlines weren’t going to move. The executive director’s first instinct was to consider payment as the fastest path back to normal.
DCS’s counsel was direct: don’t. A clean offline backup existed. The cloud environment was unaffected. Research consistently shows 35% of organizations that pay a ransom receive corrupted or unusable decryption keys (Semperis) – and payment would also introduce legal complications with the cyber insurer. Recovery without payment was not just possible; it was the right call.
72 Hours: The Recovery Timeline

Hours 0–12: Containment & Planning
Network fully contained. Clean systems identified and isolated. Recovery path confirmed. Cyber insurance carrier notified with full documentation and incident timeline.
Hours 12–36: Infrastructure Rebuild
File server rebuilt within a clean, properly segmented environment. Data restored from the offline weekly backup – the most recent clean snapshot was 96 hours old, representing a narrow, manageable data gap that program staff reconstructed manually. Microsoft 365 data – including email, SharePoint, and OneDrive files – came online immediately and fully intact.
Hours 36–72: Validation & Hardening
Case management database restored and validated against program records by staff. All workstations re-imaged from clean baselines. Every user credential across every system was reset. Multi-factor authentication was enforced organization-wide. Network segmentation was implemented to isolate backup infrastructure from production going forward.
By Thursday morning – 72 hours after the attack was first discovered – core operations were fully restored. No ransom was paid.
After Recovery: Building a Security Program That Holds

Restoration was the immediate objective. Prevention was the lasting one. A comprehensive cybersecurity risk assessment conducted by DCS following the incident surfaced the systemic gaps the attack had exploited – insufficient email controls, backup infrastructure sharing production network space, no endpoint detection tooling, and zero security awareness training for staff.

DCS implemented a managed security program addressing each vulnerability:
- Endpoint Detection & Response (EDR) deployed across all devices at both locations.
- Immutable off-network backup solution replacing the compromised legacy setup.
- Advanced email filtering and anti-phishing controls to stop the initial access vector.
- 24/7 security monitoring through DCS’s managed SOC.
- Staff security awareness training and phishing simulation program.
- Documented incident response plan tested with internal staff.
The organization subsequently renewed its cyber insurance policy – with improved coverage terms, supported by the documented security improvements DCS had implemented.
Outcomes

- Full operational recovery in 72 hours
- Zero ransom paid
- All critical data restored – no permanent data loss
- Cyber insurance claim supported with complete forensic documentation
- Managed security program deployed across both locations
- No repeat incident in the 12 months following recovery
- Cyber insurance renewed with stronger coverage terms
“We thought paying the ransom was the only way to get back online. DCS walked us through exactly why it wasn’t and then they proved it. We were fully operational in three days. What we’ve built since then is a fundamentally different security environment. We’re a small nonprofit. We never thought attackers would come after us. Now we know that’s exactly why they did.”
— Executive Director, Regional Nonprofit Organization
Is Your Organization Prepared?
Most organizations don’t discover their security gaps until an attack finds them first. DCS works with businesses and nonprofits across the United States to build the backup infrastructure, monitoring, and incident response capabilities that make recovery possible without paying a ransom.