Anatomy of a Ransomware Attack on a Canadian Ag Operation

A composite case study of a typical 2026 ransomware incident hitting a Canadian agricultural business — from the first phishing email through full encryption, six days later. Names changed, sequence accurate.

Dylan H.

Founder, Peace Country Cyber

October 15, 2026
7 min read

The case study below is a composite drawn from several real incidents at agricultural businesses across Western Canada in 2025–2026. Identifying details have been changed. The sequence of events is accurate — this is approximately how 2026 ransomware works against small businesses that lack modern defences. We share it because the pattern is consistent enough that it is worth understanding before it happens to you, not after.

Throughout, we mark the points where modern defences would have changed the outcome. Most of these were inexpensive controls. None required heroic action.

Day -7: The reconnaissance

A small-town agricultural supply business, 22 employees, $14M annual revenue, runs on Microsoft 365 with mostly off-the-shelf tooling. The owner is in his late 50s. The IT function is handled by his nephew, who has a regular job in Edmonton and helps out on weekends.

An attacker — likely an affiliate of one of the major Russian-speaking ransomware groups — has been running automated scans across Canadian SMB tenants. They have identified this business as a target because its Microsoft 365 tenant is missing MFA on several accounts, including one that ends in “bookkeeper@” — a high-value target.

Defence that would have stopped this: universal MFA enforcement.

Day 0: The phishing email

The bookkeeper receives an email apparently from a long-time grain trader supplier, with an attached Excel file labeled “Q3 reconciliation.” She is expecting reconciliations from that supplier. She opens the file. The file contains an embedded link that prompts her to sign in to her “Microsoft account” to view the protected content. The page looks exactly like Microsoft 365. It is not — it is a credential harvester hosted on a domain registered three days ago.

She enters her email and password. The credential harvester captures both. She is redirected to a generic error page and assumes the supplier sent her a broken file. She thinks no more of it.

Defences that would have stopped this: Microsoft Defender for Office 365 with anti-phishing policies enabled would have flagged the embedded link as suspicious. User awareness training would have made her more cautious of unexpected sign-in prompts. Either alone would likely have prevented the credential theft.

Day 0, 17 minutes later: The initial access

The attacker now has working credentials for the bookkeeper. They sign in to her Microsoft 365 account from a residential IP address in eastern Europe. Without MFA, this works. The mailbox is now under attacker control.

Their first action is to set up an Outlook rule that auto-forwards every incoming email to an external address they control, then deletes the original from the sent folder. They will read all incoming email for the next week without the bookkeeper noticing.

Defences that would have stopped this: MFA on the bookkeeper's account (every modern cyber-insurance carrier requires this). Conditional Access policies blocking sign-ins from unusual locations. Disabling external auto-forwarding at the tenant level.
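The forwarding rule described above is one of the most common post-compromise artefacts in an M365 tenant, and the tenant-level block is a two-cmdlet change. The script below is an added example, not part of the original article: it hunts every mailbox for forwarding to a domain outside the tenant, then turns off automatic external forwarding. It assumes the ExchangeOnlineManagement module and an Exchange administrator role.

```powershell
# Added example: hunt for mailbox forwarding and harden the tenant against
# external auto-forwarding. Assumes ExchangeOnlineManagement is installed.
Connect-ExchangeOnline

# Accepted domains are "internal"; forwarding anywhere else counts as external.
$internal = (Get-AcceptedDomain).DomainName

function Test-ExternalRecipient {
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        # Rule recipients render as 'Name [SMTP:user@domain]' or a bare address.
        if ($r -match '([\w.+-]+)@([\w.-]+)') {
            if ($internal -notcontains $Matches[2]) { return $true }
        }
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Mailbox-level forwarding (set by an admin or via Outlook settings).
    if ($mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Type = 'MailboxForward'
                           Detail  = $mbx.ForwardingSmtpAddress }
    }
    # 2. Inbox rules that forward or redirect; DeleteMessage=True is the
    #    "forward and hide it" pattern from the case study.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        if ($targets.Count -gt 0 -and (Test-ExternalRecipient $targets)) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Type = 'InboxRule'
                Detail  = "$($rule.Name) -> $($targets -join ', ') (Enabled=$($rule.Enabled), DeleteMessage=$($rule.DeleteMessage))"
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Tenant-level hardening: block automatic forwarding to external recipients
# both in the outbound spam policy and for the default remote domain.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Get-InboxRule is called once per mailbox, so the sweep takes a few minutes on a larger tenant; run it before the hardening step so existing rules are not silently left in place.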

Days 1–4: The lateral movement

The attacker reads four days of email traffic. They learn:

  • The owner's name, schedule, and signature style
  • Banking details for several supplier accounts
  • The structure of the business's reporting relationships
  • Which employees handle what financial functions

They also notice that the bookkeeper's account has access to a shared file repository in SharePoint where the business keeps payroll information, customer contracts, and historical tax records. They begin quietly downloading these documents to a server they control.

Defences that would have stopped this: managed EDR with cloud workload monitoring would have flagged the unusual download patterns. SharePoint audit logging review (which most SMBs do not do) would have caught the data exfiltration.
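The audit review the article says most SMBs skip can be a weekly scheduled script rather than a manual task. The block below is an added example (not from the article): it checks that unified audit logging is still enabled, then pulls a week of SharePoint FileDownloaded events and lists any user whose download count exceeds a threshold, with the client IPs involved. It assumes the ExchangeOnlineManagement module and a role with audit-log read access; the 200-file threshold is a constructed starting point to tune per tenant.

```powershell
# Added example: weekly SharePoint download review from the unified audit log.
# Assumes ExchangeOnlineManagement; threshold is a constructed value to tune.
Connect-ExchangeOnline

# Confirm auditing is still on first. A Global Admin-level intruder turning it
# off (as on Day 6 of the case study) is itself an incident indicator.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is DISABLED - treat this as an incident.'
}

$threshold = 200                      # constructed; adjust to normal usage
$start     = (Get-Date).AddDays(-7)
$end       = Get-Date

# One page of up to 5000 events; loop on the same SessionId to fetch the rest.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointFileOperation -Operations FileDownloaded `
    -SessionId "dl-hunt-$(Get-Date -Format yyyyMMddHHmm)" `
    -SessionCommand ReturnLargeSet -ResultSize 5000

# AuditData is a JSON string carrying the actor, client IP, site and file.
$events = $records | ForEach-Object { $_.AuditData | ConvertFrom-Json }

$events |
    Group-Object UserId |
    Where-Object { $_.Count -ge $threshold } |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Name
            Downloads = $_.Count
            ClientIPs = ($_.Group.ClientIP | Sort-Object -Unique) -join ', '
            Sites     = ($_.Group.SiteUrl  | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Downloads -Descending | Format-Table -AutoSize
```

A single account pulling hundreds of payroll and contract files from one unfamiliar IP is exactly the pattern in the Days 1–4 section; pair the report with a rule that alerts on it rather than waiting for someone to read the table.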

Day 5: The privilege escalation

The attacker has identified that the “owner” account is also a Global Administrator in the Microsoft 365 tenant. They craft a phishing email impersonating the bookkeeper, asking the owner to “sign in and approve a vendor payment urgently.” The owner signs in to what he believes is the company's payment system. The credential harvester captures his email and password.

The owner happens to have MFA enabled on his account. But the attacker has anticipated this — they immediately initiate a sign-in flow that triggers MFA prompts on the owner's phone. Two prompts. Three. The owner, mid-meeting and frustrated, taps Approve to make the notifications stop.

The attacker is now a Global Administrator.

Defences that would have stopped this: MFA number-matching (so the user has to type a code, not just tap Approve). User training to treat unexpected MFA prompts as security incidents. Separated daily-driver and admin accounts for the owner. Conditional Access requiring compliant device + risky sign-in detection.

Day 6: The deployment

With Global Admin access, the attacker quietly disables the audit logging in the M365 tenant. They create a new admin account they control. They install a remote-management tool on the bookkeeper's and owner's workstations via Intune (which they now have full control over). The remote-management tool downloads and executes the ransomware payload at 11:47 PM Saturday night.

By Sunday morning, every Windows machine on the network is encrypted. Every M365 SharePoint file is encrypted. The accounting system is locked. The owner cannot run payroll Monday morning.

A ransom note demands $180,000 USD in bitcoin.

Defences that would have changed the outcome: managed EDR on every endpoint would have detected the remote-management tool deployment and contained the attack before encryption began (typically within 15 minutes of installation). Immutable cloud backups would have allowed restoration without paying the ransom. A documented incident response plan would have reduced the recovery time from weeks to days.

What happened next (and why this is the part owners don't think about)

The owner's general business insurance does not cover the cyber incident. He calls his broker, who confirms the policy excludes cyber events. He has no standalone cyber-insurance policy.

He spends 11 days offline. He hires an emergency incident-response firm from Edmonton at $850/hour. He pays a forensic team to attempt decryption (partially successful; about 60% of files are recovered). He notifies affected employees that their personal information was likely exfiltrated. He notifies the Office of the Privacy Commissioner of Alberta because PIPA requires notification of any breach with a real risk of significant harm.

Total cost, conservatively: $340,000 in direct expenses, plus an unmeasurable amount of customer trust and team morale.

The ransom itself ($180,000 demanded) was not the largest cost. It rarely is.

The defences that would have prevented this, ranked by cost

  1. Universal MFA enforcement — Free. Would have prevented Day 0 step 4.
  2. Number-matching MFA — Free. Would have prevented Day 5 escalation.
  3. Disable external auto-forwarding — Free. Would have prevented the 4-day reconnaissance.
  4. Microsoft Defender for Office 365 anti-phishing — $5/user/month if not bundled. Would have flagged the original phish.
  5. Annual user training + quarterly phishing simulation — $3–5/user/month. Would have reduced click-through probability.
  6. Managed EDR on all endpoints — $7–13 USD/endpoint/month. Would have contained the remote-management tool deployment within minutes.
  7. Immutable cloud backups — $50–200/month. Would have made the ransom decision unnecessary.
  8. Standalone cyber-insurance policy — $4–9k/year. Would have covered most of the $340k in direct costs.
  9. Documented IR plan with external firm on retainer — $5k/year. Would have reduced recovery time and total cost by 30–50%.

Total cost of full defence stack: approximately $25,000–$35,000 per year for a 22-employee business.

Cost of the incident: $340,000+ in direct expenses.

The math is not subtle.

How we help

Peace Country Cyber deploys this complete defence stack for Canadian ag businesses, trucking outfits, sawmills, and rural SMBs as part of our managed-services tiers. Most of the incident above would have been impossible at a client with our Cyber Essentials + Managed IT tier in place. The annual cost for a 22-person business is roughly $15,000.

If any of this story feels familiar, the time to act is before the parallel is exact.


Peace Country Cyber is northern Alberta's local cybersecurity partner. Take the free Security Risk Report →
