A 200+ employee construction firm specializing in multi-family apartment development called us in crisis. Ransomware had encrypted their entire infrastructure — email, servers, project files, everything. Their existing MSP couldn’t recover it. Could we help?
We could. But what we found when we started digging was far worse than the ransomware itself.
What We Walked Into
The company’s previous managed service provider had been running their entire IT infrastructure out of a 500-square-foot office with four people. When we visited the site to assess the damage, the office was a mess. The “data center” was a spaghetti tangle of cables so disorganized it took hours just to trace which connections went where and determine how server rebuilds could even begin.
The root cause of the breach? An old, unpatched firewall. The attackers exploited a vulnerability in the SSL VPN that had a known patch available. The patch was never applied. That single gap gave attackers full access to the MSP’s virtual infrastructure, which hosted this construction company’s servers alongside who knows how many other clients.
The previous MSP’s hosted Exchange server — the company’s entire email system — was encrypted and unrecoverable. Servers containing years of project documentation, contracts, financial records, and architectural plans were locked down. For a construction firm managing millions of dollars in active multi-family apartment projects, every hour without email and file access meant delayed decisions, missed communications with subcontractors, and stalled project timelines.
The Rescue: 72 Hours That Changed Everything
We made a critical decision early: abandon the old infrastructure entirely. There was no point trying to rebuild on a foundation that was compromised from the start. Instead, we executed a rapid recovery plan that prioritized getting the business operational while simultaneously building a properly secured environment.
Step 1: Restore Email Immediately
Email was the lifeline. A construction company with 200+ employees and active development projects across multiple sites cannot function without email for even a day. We migrated their domain to Microsoft 365, restoring mail flow and implementing conditional access policies from day one. This meant employees could send and receive email within hours — not days or weeks — while we worked on recovering everything else.
Step 2: Recover Servers Into a Secure Environment
Rather than attempting to rebuild servers in the compromised environment, we recovered them directly into our private cloud infrastructure. This gave the company immediate access to their data and applications in an environment we controlled, monitored, and secured. No more trusting a 500-square-foot office with unlabeled cables to host your business-critical systems.
Step 3: Build Real Disaster Recovery
The old MSP had no meaningful disaster recovery plan — which is why one ransomware event destroyed everything. We implemented replication into Azure for a full disaster recovery and business continuity plan. If any single component fails, the business keeps running. We also deployed immutable backup storage — backups that cannot be encrypted, modified, or deleted by ransomware. Even if attackers somehow breach the network again, the backups survive.
Step 4: Secure Every Layer
With the immediate crisis resolved, we built the security posture that should have existed from the beginning: multi-factor authentication across all access points, modern endpoint protection on every device, automated patch management to ensure no firewall or system ever sits unpatched again, and proper network segmentation to prevent lateral movement if a threat does get in.
Why This Keeps Happening
This story isn’t unique. We see variations of it regularly. A business trusts their IT provider for years, assumes everything is running smoothly, and never verifies. They’ve never visited the provider’s facility. They’ve never asked about patch management schedules, backup testing, or disaster recovery plans. They’ve never questioned whether their firewall firmware is current.
Then ransomware hits and the truth comes out: the infrastructure was held together with duct tape.
The construction industry is particularly vulnerable. Firms manage high-value projects with tight timelines and complex coordination between architects, engineers, subcontractors, and investors. The cost of downtime isn’t just lost productivity — it’s delayed project milestones, penalty clauses in contracts, stalled permitting, and damaged relationships with capital partners.
Yet construction companies often underinvest in IT because technology isn’t seen as core to the business. It is. Every project timeline, every contract, every communication with a lender or subcontractor runs through your IT infrastructure. When it goes down, the business stops.
The Questions Every Business Owner Should Be Asking Their MSP
If you haven’t visited your IT provider’s facility, do it. If the answers to these questions make you uncomfortable, it’s time for a change:
When was our firewall firmware last updated? If your provider can’t answer this immediately with a specific date, your perimeter is likely exposed. Automated patch management eliminates this risk entirely.
Where are our backups stored, and can ransomware encrypt them? If backups are on the same network as production systems without immutable storage, they’ll be encrypted alongside everything else — exactly what happened here.
What’s your disaster recovery plan, and when was it last tested? A plan that hasn’t been tested isn’t a plan. It’s a hope. Real DR means replication to a separate environment with documented recovery procedures.
Is MFA enabled on every access point? Email, VPN, cloud applications, admin consoles. If any access point lacks MFA, it’s an open door for attackers.
From Crisis to Confidence
Today, this construction firm operates on infrastructure that’s properly designed, monitored 24/7, and built to survive the next attack — because there will be a next attempt. The difference is that now, an attempted attack gets detected and blocked instead of encrypting the entire business.
Their email runs on Microsoft 365 with conditional access and advanced email protection. Their servers run in our private cloud with Azure DR replication. Their backups are immutable. Their firewall is current. And their MSP actually answers the phone at 2 AM.
The ransomware event cost this company weeks of disruption, hundreds of thousands in recovery costs, and immeasurable stress. The infrastructure we built afterward costs a fraction of that annually — and it prevents the next one.
Is your infrastructure ready for a ransomware attack? Contact Infonaligy today for a complimentary infrastructure security assessment.
This is part of our series on why every layer of your security stack matters.

