Case Study

Ransomware Hit a Multi-Site Business. We Were Back in Two Hours.

By Grey Lawson · Founder & Fractional CIO, OKC CIO Partners · June 27, 2026 · ~5 min read

Most ransomware stories end with a wire transfer or a two-week shutdown. This one ended in about two hours, with no ransom paid. The difference wasn’t luck or a better firewall — it was a decision made long before the attack.

In 2020, ransomware hit a multi-site manufacturer and distributor where I served as IT Director — an operation spanning seven locations across five states. Here is what happened, and why it didn’t become a catastrophe.

What happened

The attack did what ransomware does: it moved to encrypt systems and the data the business runs on, then demand payment for the keys. For most companies this is the moment the business stops — orders, shipping, accounting, all frozen — and the only questions left are how much to pay and how long recovery will take.

Why two hours instead of two weeks

Two things, both decided in advance. First, the backups were air-gapped — a copy of the data kept offline, where the ransomware simply could not reach it to encrypt. Online backups feel safe right up until the attack encrypts them too; an offline copy is the one that survives. Second, the recovery plan was real and rehearsed — we knew the restore order, who did what, and how to bring sites back without tripping over each other. The morning of the attack was a checklist, not a panic.

What most businesses get wrong

When I assess a business’s readiness, the same gaps show up again and again: backups that are online and therefore encryptable, restores that have never actually been tested, and — the quiet killer — no plan for who decides what in the first hour. A backup you have never restored from is a hope, not a plan.

What this means for your business

Recovery is a decision you make before the attack, not after. That is exactly the work I own as a fractional CIO: a tested disaster recovery and business continuity plan, and a security posture and risk register that puts the odds in your favor. For manufacturers and distributors, where a line down is money lost by the hour, it is the difference between a bad afternoon and a bad quarter.

Could your business survive a ransomware attack tomorrow? If you are not certain — that uncertainty is the answer. The discovery call is free, and we will talk through where you actually stand.

Book a free discovery call
← All articles