← Blog

Ransomware Incident Response Playbook for Small Business Canada 2026: The 72-Hour, Dollar-and-Decision Guide

2026-07-09 · 8 min read

Ransomware Incident Response Playbook for Small Business Canada 2026: The 72-Hour, Dollar-and-Decision Guide
Most ransomware guidance for Canadian small businesses tells you what to do. Almost none tells you what it costs, who is legally allowed to decide, or how fast your province's law forces your hand. This playbook is built around a real 70-employee Hamilton-area distributor whose ERP was encrypted and hit with a CA$340,000 demand, and it fills in the three things every other Canadian resource skips: dollar figures, a pay/no-pay decision framework, and a tabletop script you can run yourself in 90 minutes. See the full guide on Small Business Cybersecurity, or if you would rather have it handled, IT Cares offers ransomware recovery and incident response.

The Incident That Should Change How You Think About Ransomware

A roughly 70-employee industrial distributor outside Hamilton, Ontario logged in on a Monday morning to find its ERP system locked and a ransom note demanding CA$340,000 in cryptocurrency. The attackers had already exfiltrated 38GB of purchase-order data — customer names, pricing, banking details on file — and posted a countdown leak-site listing before the company's IT contractor had even finished isolating the affected servers. This is the case referenced in Canadian MSP incident reporting on 2026 attack trends, and it's instructive precisely because nothing about it was exotic: no zero-day, no nation-state tradecraft, just a phished credential, an under-segmented network, and an owner who had a generic 'call IT' plan but no answer for who could authorize a six-figure payment decision at 7am. That gap — operational checklist versus strategic decision-making — is the gap this playbook exists to close. The Canadian Centre for Cyber Security's National Cyber Threat Assessment 2025-2026 names ransomware the top cybercrime threat facing Canadian organizations, with incident volumes climbing roughly 26% year over year, and Mandiant's 2026 M-Trends data shows why speed now matters more than ever: the median time between an attacker's initial foothold and handoff to a second, more destructive threat group collapsed from over 8 hours in 2022 to just 22 seconds in 2025. A business that still budgets a full day to 'figure out what happened' before acting is, in 2026, operating on a clock that no longer exists. This playbook is designed as a companion to tactical resources — use it for roles, legal exposure, and money; use a first-hour recovery checklist for the technical response itself.

The First 72 Hours: An Hour-by-Hour Response Timeline

Using the Hamilton case as the spine: Hour 0-1 — the first employee who notices encrypted files or a ransom note isolates the device from the network (unplug, don't shut down — memory forensics needs the live state) and calls the pre-designated incident commander, not IT support generally. Hour 1-4 — the incident commander activates the response team, engages the cyber insurance carrier's 24/7 breach hotline (this call starts the insurer's clock and often dictates which forensic firm you're allowed to use), and begins network segmentation to stop lateral spread. In the distributor's case, this stage was where they discovered the attackers had pivoted from a single workstation into the ERP server over the preceding 36 hours — undetected. Hour 4-24 — a digital forensics and incident response (DFIR) firm begins scoping: what was accessed, what was exfiltrated, whether backups are compromised. This is also when legal counsel should be looped in under privilege, before anyone writes an internal email speculating about cause. Hour 24-72 — the window in which most provincial and federal notification clocks start ticking, and where the pay/no-pay decision typically has to be made, since leak-site countdowns and operational downtime costs both escalate sharply past 72 hours. Every hour in this window should be logged with a timestamp and decision-maker name — that log becomes your evidence trail for both insurers and regulators.

What Ransomware Actually Costs in Canada

Nobody budgets for an incident they've never priced out, so here are the ranges Canadian SMBs are actually seeing. DFIR forensic firms typically bill CA$2,500 to CA$5,000 per day per investigator, with a mid-size incident requiring a team of two to four for one to three weeks — meaning forensics alone can run CA$35,000 to CA$150,000 before recovery even starts. Ransom demands against Canadian SMBs commonly open in the CA$50,000 to CA$500,000 range depending on revenue and perceived ability to pay (the Hamilton distributor's CA$340,000 demand sits squarely mid-range for a company its size); negotiated settlements, when negotiation is pursued, frequently land 40-60% below the opening ask. Cyber insurance deductibles for SMB policies typically run CA$10,000 to CA$50,000, and many policies cap extortion coverage or require you to use a carrier-approved forensic and negotiation panel to keep coverage valid — using your own IT contractor instead can void that portion of the claim. Sun IT Solutions cites an average Canadian breach cost of CA$6.98 million, a figure that traces back to IBM-style cost-of-breach methodology and skews heavily toward large enterprises; for a 20-100 employee business, total incident cost — forensics, downtime, notification, credit monitoring, and either ransom or rebuild — more realistically lands between CA$75,000 and CA$400,000. Knowing these numbers before an incident, not during one, is what lets an owner negotiate from a budget instead of panic.

The Pay-or-Don't-Pay Decision Tree

Three gates determine whether payment is even an option, and none of the four leading Canadian playbooks walk through them. Gate one: sanctions exposure. Some ransomware groups (or their affiliates) appear on sanctions lists — most relevantly the U.S. Treasury's OFAC Specially Designated Nationals list, which functionally binds Canadian businesses with any US banking relationship, payment processor, or insurer, plus Canada's own listings under the Special Economic Measures Act. Paying a sanctioned actor can itself be a legal violation regardless of intent — your forensic firm or negotiator should run an attribution check before any payment is discussed. Gate two: insurance clawback. Policies with extortion riders often require pre-approval before payment and can deny the claim retroactively if you pay first and notify second, or if you use a non-panel negotiator. Gate three: recovery viability. If clean, tested, offline backups exist (the 3-2-1-1 standard — three copies, two media types, one offsite, one immutable/offline), paying is rarely the cheaper or faster path even against a six-figure demand, since decryptor tools from attackers frequently fail or corrupt data on large datasets. Regardless of the payment decision, report the incident through three channels: local police or the RCMP for the criminal record, the Canadian Anti-Fraud Centre for the fraud database, and the Cyber Centre's My Cyber Portal, which feeds national threat tracking and can connect you with active technical support. The decision authority for payment should be named in your IR plan before an incident — not improvised at hour 30.

Your Legal Clock: A Province-by-Province Breach Notification Guide

Federally, PIPEDA requires notifying affected individuals and the Office of the Privacy Commissioner when a breach creates a real risk of significant harm — there's no fixed day-count, but 'as soon as feasible after determination' is the operative standard, and regulators treat unexplained delay past 72 hours as a red flag during review. Layer provincial law on top based on where your data subjects live, not just where you're incorporated. Alberta is the outlier: PIPA has required mandatory notification to the Alberta Office of the Information and Privacy Commissioner since 2010, predating the federal rule, triggered by the same 'real risk of significant harm' test but enforced with Alberta's own timeline expectations — notify 'without unreasonable delay.' Quebec, under Law 25 (fully in force since September 2023), requires notifying the Commission d'accès à l'information and affected individuals 'diligently' when there's a risk of serious injury, and mandates you maintain a permanent incident register — even for breaches that don't cross the notification threshold — which no other province requires. British Columbia's PIPA does not currently impose its own standalone mandatory-notification duty the way Alberta and Quebec do, so BC businesses default to the federal PIPEDA threshold unless the incident also touches Alberta or Quebec residents. Practical takeaway: a company with customers in all three provinces is running three overlapping legal clocks simultaneously, and your notification letter template needs a Quebec-specific version referencing Law 25 explicitly.

Who Does What: Building Your Incident Response Roles Before You Need Them

The Hamilton distributor's slowest hours weren't technical — they were spent figuring out who could say yes. Assign five roles in writing before an incident, with named backups: an Incident Commander (usually the owner or COO) who holds final decision authority including payment approval; a Technical Lead (internal IT or your MSP) who runs containment and works directly with the DFIR firm; Legal Counsel, engaged early enough that forensic findings are covered by privilege, who also owns the notification-timeline calls across PIPEDA and applicable provincial law; a Communications Lead who drafts customer, employee, and (if needed) media statements — one voice only, to avoid contradictory public statements; and a Finance/Insurance Liaison who manages the claim, deductible, and any payment logistics if the decision tree leads there. Each role needs the others' cell numbers printed on paper, not just saved in a phone — if email or the intranet is part of the encrypted environment, your contact list may be locked along with everything else. Build a RACI matrix mapping each of these five roles against the response phases (detect, contain, eradicate, recover, notify) so there's no ambiguity about who is Responsible versus who merely needs to be Consulted. Review and re-confirm this roster twice a year — staff turnover is the single most common reason IR plans fail in year two, when the named Incident Commander has left the company and nobody updated the document.

Run Your Own Tabletop Exercise in Under 90 Minutes

Every competitor mentions tabletop exercises as a best practice; none hands you the script. Here's one sized for a 5-20 person response team with no dedicated security staff. Setup (10 min): gather your five named roles, print one scenario card ('It's 8:14am Monday. Three employees report they can't open shared files. A ransom note references your ERP vendor by name.'), and appoint one non-participant as facilitator/timekeeper. Inject 1, minute 10: facilitator reveals 40GB of data has appeared on a leak-site countdown page — team must decide who calls the insurer and DFIR firm, and by when. Inject 2, minute 30: facilitator reveals the ransom demand (use a real figure, e.g., CA$250,000) and a 96-hour countdown — team must walk the pay/no-pay gates (sanctions check, insurance pre-approval, backup viability) out loud. Inject 3, minute 55: facilitator reveals a journalist has called asking to confirm the breach — team must produce a one-paragraph holding statement in five minutes. Debrief (last 20 min): answer four questions as a group — what decision took longest to make and why, who was missing from the room, which phone number or password wasn't actually available when needed, and what would have changed if this happened at 11pm on a Friday instead of Monday morning. Document the answers; that document is your IR plan's next revision. Run this twice a year, or immediately after any major infrastructure change.

FAQ

Should a small business in Canada ever pay a ransomware demand?

There's no Canadian law against paying a ransom itself, but paying a sanctioned entity (per OFAC or Canada's Special Economic Measures Act listings) can be illegal regardless of intent, so a sanctions check must happen before any payment. In practice, paying is rarely the fastest or cheapest path if immutable, tested backups exist, since attacker-supplied decryptors frequently fail on large datasets.

How fast do we legally have to notify under PIPEDA after a ransomware breach?

PIPEDA requires notification 'as soon as feasible' after determining there is a real risk of significant harm — there is no fixed number of days in the federal law, but regulators and insurers generally expect action within the same 72-hour window used for containment and forensics.

What's the difference between reporting to the RCMP, the Canadian Anti-Fraud Centre, and the Cyber Centre's My Cyber Portal?

Local police or the RCMP create the criminal record needed for insurance claims and potential prosecution, the Canadian Anti-Fraud Centre feeds the national fraud-pattern database, and the Cyber Centre's My Cyber Portal is the technical reporting channel that can connect you with government cybersecurity support — reporting to all three is standard practice and none replaces the others.

Does Quebec's Law 25 require anything Alberta and BC don't?

Yes — Quebec's Law 25 uniquely requires businesses to maintain a permanent incident register logging every breach, even ones that don't meet the notification threshold, in addition to notifying the Commission d'accès à l'information and affected individuals when there's a risk of serious injury.

How long should a ransomware tabletop exercise take and how often should we run one?

A facilitator-led tabletop for a small business with no dedicated security staff can be run in under 90 minutes using scenario cards and timed injects, and should be repeated at least twice a year or immediately after any major infrastructure or staffing change.

Want this set up for you?

Get a free IT & security assessment — no payment, just a clear plan.

Get a free assessment →