
Rapid Ransomware Recovery During MSSP Onboarding

Recovering critical systems hit by ransomware mid-onboarding.

Quick Overview

Fast Recovery in the Middle of Onboarding

  • Partner: Southeastern Environmental Restoration Firm
  • Industry: Environmental Services
  • Service: Managed Cybersecurity
  • The Situation: The client was hit by Akira ransomware during onboarding. The breach began with a phishing email and used an unauthenticated VPN to reach local servers.
  • The Challenge: With full protections not yet deployed, the team had to contain and recover systems mid-onboarding.
  • The Solution: ITonDemand isolated systems, reset credentials, and used disaster recovery backups to restore operations that day.
  • The Result: The client was fully recovered within 24 hours and finished onboarding with MFA, SentinelOne, and Huntress XDR in place.

The Situation

Hit by Ransomware Mid-Onboarding

The client left their previous provider after finding that all backups were corrupted. They were still onboarding with ITonDemand when the Akira ransomware attack hit. The breach began with a phishing email and used an unauthenticated VPN to reach local servers, where it stole and encrypted data. Onboarding wasn’t finished, so some protections weren’t active yet. One of the first steps had been setting up new backups, which proved critical to recovery.


The Challenge

Responding Before Protections Were Fully in Place

The incident occurred at a critical juncture: after the new backup systems had been set up, but before the advanced security measures were deployed. The client’s previous MSP had left them exposed, and the corrupted backups meant there would have been no recovery if the timing had been just one week earlier.

Unlike their previous setup, ITonDemand’s backup design isolated and encrypted data separately from user identities. Even if credentials or domain admin accounts were compromised, the backups remained protected. That difference made a complete recovery possible.

The main challenge was acting quickly to contain the infection and determine the best rebuild strategy while the client was still undergoing technical onboarding. The ITonDemand team also had to coordinate with lawyers, insurers, and forensic investigators during the recovery process.


The Solution

Full-Day Recovery and Enhanced Security Posture

When ITonDemand’s monitoring tools detected that the client’s servers had gone offline, the security operations center immediately initiated containment protocols. Systems were disconnected from the network, all credentials were reset, and disaster recovery backups were used to rebuild servers.

All critical systems were restored the same day, preventing major downtime. The only delay came from strategic rebuild decisions made with the client, not from technical limits. After recovery, the team added new security layers, including multi-factor authentication for Microsoft 365, SentinelOne, and Huntress XDR. They also performed a full network review and shared detailed logs with the client’s insurance and forensic teams.


The Result

Faster Recovery, Stronger Security

Despite the timing, the ransomware attack became a success story. Recovery was completed in one day with no lasting data loss, and the client’s systems came back stronger than before. The new security setup significantly reduced the likelihood of a similar breach.

A third-party forensics review followed in the weeks after recovery. ITonDemand worked closely with investigators and insurers throughout the process. Even as a new client still in onboarding, the team treated the event as a top priority. Senior engineers worked from morning to night to restore systems and guide the client through every step.


Our Partner

About the Southeastern Environmental Restoration Firm

This environmental services firm leads land and water restoration projects that strengthen community resilience and improve ecosystem health. Their team designs and delivers nature-based solutions that restore habitats, enhance water quality, and support long-term sustainability. Through their work, they help communities grow while protecting natural resources.


Featured IT Service

Managed Cybersecurity Services

Cyberattacks can stop work fast. Managed Cybersecurity Services provide 24/7 monitoring, strong tools, and expert response. In this case, ITonDemand contained a ransomware attack mid-onboarding and restored systems the same day. We then closed gaps with MFA, endpoint protection, and a network review. The result is a safer, more reliable setup ready for the next threat.

Need More From Your IT Services Provider?

ITonDemand is a division of eResources: your expert partner in digital transformation and growth, providing IT services, software development, marketing and branding. Learn more about the benefits of a vertically-integrated IT services partner.