Cyber Incident Response Vancouver | Ransomware, BEC, Data Breach
If you are actively being attacked, or you have just discovered a breach, every minute matters. Hexafusion provides cyber incident response for Vancouver and Lower Mainland businesses, with 24/7 on-call coverage for Professional and Enterprise managed IT clients, and rapid business-hours engagement, with best-effort after-hours callback, for new-client emergencies. Whether it is a ransomware note, business email compromise, wire fraud, a phishing click, lost Microsoft 365 admin access, or a stolen laptop with client data on it, we triage in minutes and contain in hours.
If you are experiencing an active incident right now
Do these steps in order before you do anything else. You do not need to be technical to follow them.
- Disconnect affected machines from the network. Pull the ethernet cable or turn off Wi-Fi on any device that looks compromised. Do not power the machine off. Memory evidence is lost when you shut down.
- Do not pay any ransom yet. Do not email the attacker. Do not buy cryptocurrency. Paying without a containment plan often results in a second demand, and some ransomware strains do not actually have a working decryptor.
- Preserve evidence. Take photos of ransom notes, screen messages, and suspicious emails with your phone. Do not delete anything. Do not run anti-virus cleanup yet; the artifacts it removes are the evidence we need.
- Write a time-stamped log. Note when you first saw the problem, what you clicked or opened, who else is affected, and what you have already tried. A plain text note or a piece of paper is fine.
- Stop any in-progress wire transfers. If this is a finance-related incident, call your bank fraud line immediately and ask for a recall. Minutes count; funds clear fast.
- Call us. (604) 332-1500. We will triage, scope, and get on a screen-share within 15 minutes.
Ransomware
Ransomware usually shows up as a full-screen or desktop-wallpaper note demanding payment in cryptocurrency, files renamed with a strange extension, or Office documents that refuse to open. Sometimes you notice it by the backup jobs failing overnight.
- Stop the spread. Disconnect file servers from the network. Disable the compromised user account in Microsoft 365 and Active Directory. Block outbound traffic from affected subnets at the firewall.
- Identify the strain. The file extension and ransom note usually identify the variant. That tells us whether decryption is possible through No More Ransom or whether restore is the only path.
- Assess backup integrity. Check whether backups are immutable or offline. Ransomware groups routinely delete online backups first.
- Rebuild and restore. Clean rebuild of compromised systems, validated restore from a known-good backup, password and token rotation across the environment, and phased re-introduction to the network.
Business email compromise and CEO fraud wire transfer
A staff member gets an email that looks like it is from the CEO, the bookkeeper, or a known supplier asking to change banking details or push through an urgent wire. By the time anyone notices, the funds are gone.
- Call your bank fraud department immediately. Ask for a recall on the wire. If the funds have not left the receiving bank you have a chance.
- Report to the Canadian Anti-Fraud Centre. File at antifraudcentre-centreantifraude.ca. They coordinate with the RCMP and receiving banks.
- Preserve the email chain. Export the original message as .eml or .msg including full headers. Do not forward, do not delete.
- Check for mailbox rules and forwards. Attackers set up inbox rules that auto-delete bank emails or forward them to an external address. We audit every compromised mailbox for these.
- Notify your cyber insurance. Most policies require prompt notice, usually within 24 to 72 hours, or coverage can be denied.
Clicked a phishing link
If a user clicked a link and entered credentials, or ran a file, act fast. The credentials may already be in an attacker's automated pipeline.
- Change the password, from a different device, not the one that was compromised.
- Revoke active sessions. In Microsoft 365, sign the user out of all sessions and rotate refresh tokens. A password change alone does not kick out an attacker who has already logged in.
- Audit MFA methods. Attackers register their own MFA device so they can log back in after you reset the password. Remove any unknown methods.
- Review sign-in logs. Look for sign-ins from unusual countries, unusual IP addresses, or legacy protocols. Microsoft's guide on responding to a compromised account has the full checklist.
- Check Outlook rules, forwards, and delegated access. These are the persistence methods attackers most commonly use.
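The mailbox checks in the business email compromise section above (inbox rules and forwards) and the account checks in this phishing checklist (revoke sessions, audit MFA methods, review sign-in logs, check rules and delegated access) can be run as one triage pass. The script below is an added example written for this page; it is not Hexafusion's tooling. It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed, that the operator holds Global Administrator or equivalent rights, and that sign-in logs are available through Graph (Entra ID P1 or P2). The user principal name and the list of expected countries are placeholders to adjust.

```powershell
# Added example, not Hexafusion's own script: audit, then optionally contain, one
# compromised Microsoft 365 account. Run without -Contain first for a read-only review.
param(
    [Parameter(Mandatory)] [string] $Upn,   # e.g. 'user@example.com' (placeholder)
    [switch] $Contain                        # omit for a read-only audit
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','UserAuthenticationMethod.ReadWrite.All',
    'AuditLog.Read.All','Directory.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

# 1. Sign-in review: flag sign-ins from countries you do not operate in, and
#    legacy clients (IMAP/POP/SMTP/MAPI over basic auth), which bypass MFA.
$expectedCountries = @('CA', 'US')          # assumption: adjust to your organisation
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 200
$suspicious = $signIns | Where-Object {
    ($_.Location.CountryOrRegion -and $_.Location.CountryOrRegion -notin $expectedCountries) -or
    ($_.ClientAppUsed -notin @('Browser', 'Mobile Apps and Desktop clients'))
}
Write-Host "== Suspicious sign-ins for $Upn =="
$suspicious | Select-Object CreatedDateTime, IpAddress,
    @{n = 'Country'; e = { $_.Location.CountryOrRegion } }, ClientAppUsed, AppDisplayName,
    @{n = 'Result';  e = { if ($_.Status.ErrorCode -eq 0) { 'success' } else { "fail $($_.Status.ErrorCode)" } } } |
    Format-Table -AutoSize

# 2. MFA methods: any phone or authenticator app the user does not recognise is
#    attacker persistence that survives a password reset.
Write-Host "== Registered authentication methods =="
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id,
    @{n = 'Type';   e = { $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '' } },
    @{n = 'Detail'; e = { ($_.AdditionalProperties['phoneNumber'], $_.AdditionalProperties['displayName'] | Where-Object { $_ }) -join ' ' } } |
    Format-Table -AutoSize

# 3. Inbox rules: auto-delete, forward and redirect rules are the classic BEC
#    persistence. -IncludeHidden surfaces rules created over MAPI that Outlook hides.
$rules = Get-InboxRule -Mailbox $Upn -IncludeHidden
$badRules = $rules | Where-Object {
    $_.DeleteMessage -or $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.MoveToFolder -match 'RSS|Archive|Junk|Conversation History' -or
    $_.Name -match '^\W*$'                   # blank or punctuation-only names are a common tell
}
Write-Host "== Suspicious inbox rules =="
$badRules | Select-Object Name, Enabled, DeleteMessage, ForwardTo, RedirectTo, MoveToFolder | Format-Table -AutoSize

# 4. Mailbox-level forwarding and delegated access (FullAccess / SendAs granted to others).
Write-Host "== Mailbox forwarding and delegation =="
Get-Mailbox -Identity $Upn | Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
Get-MailboxPermission -Identity $Upn |
    Where-Object { $_.User -notmatch 'NT AUTHORITY\\SELF' -and -not $_.IsInherited } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $Upn |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    Select-Object Trustee, AccessRights

if ($Contain) {
    # Order matters: cut the data leak first, then evict live sessions, then disable the
    # account. The password reset is done separately, from a clean device, as the checklist says.
    Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
    foreach ($rule in $badRules) {
        Disable-InboxRule -Identity $rule.Identity -Mailbox $Upn -Confirm:$false
    }
    # Revoking sign-in sessions invalidates refresh tokens, which a password change alone does not.
    Revoke-MgUserSignInSession -UserId $Upn | Out-Null
    Update-MgUser -UserId $Upn -AccountEnabled:$false
    Write-Host "Contained $Upn at $(Get-Date -Format o). Next: reset the password from a clean device and remove unrecognised MFA methods."
}
```

Save it as, for example, `Invoke-MailboxTriage.ps1` and run `.\Invoke-MailboxTriage.ps1 -Upn user@example.com` to produce the evidence listing before anything is changed; rerun with `-Contain` once the findings are recorded. The suspicious rules are disabled rather than deleted so they remain available as evidence, and MFA method removal is deliberately left to a human after the user confirms which entries are theirs.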
Lost Microsoft 365 admin access
If the Global Admin account has been compromised, or the last admin left the company without handing off credentials, you need to recover control before an attacker locks you out permanently.
- Use break-glass accounts if they exist. If they do not, that is a gap we will fix.
- Initiate Microsoft's admin takeover process. Microsoft requires proof of domain ownership and business registration documents.
- Escalate through Microsoft Support with a severity-A ticket. We open these for clients and stay on the bridge.
- Rotate every other admin credential, conditional access policy, and service-principal secret after recovery.
Stolen laptop with business data
A laptop is lost on SkyTrain, stolen from a car, or missing after travel. What you do in the next hour determines whether this is a paperwork headache or a reportable breach.
- Remote wipe through Intune or your MDM. The wipe command runs the next time the device checks in, even once on public Wi-Fi.
- Confirm BitLocker status. If the disk was encrypted, unauthorized access to the data is unlikely. If it was not encrypted, you are likely into breach-notification territory.
- Revoke device certificates and session tokens. Cached credentials on the device can still be abused otherwise.
- Document for PIPEDA. Under the federal PIPEDA breach reporting guidance, if there is a real risk of significant harm, you must notify the Privacy Commissioner and affected individuals.
- File a police report. The incident number is often required by insurers and clients.
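The Intune steps in this checklist (remote wipe, encryption status, revoking the cached session, and a time-stamped record for the insurer and the PIPEDA file) can be captured in a single script. The script below is an added example written for this page, not Hexafusion's tooling; it assumes the Microsoft.Graph PowerShell SDK is installed, that the operator holds the Intune Administrator role, and that the laptop was enrolled in Intune. The device name and output path are placeholders.

```powershell
# Added example, not Hexafusion's own script: lost or stolen laptop response via Intune.
# Run without -Wipe first to record the device's state; rerun with -Wipe to issue the wipe.
param(
    [Parameter(Mandatory)] [string] $DeviceName,           # e.g. 'LAPTOP-1234' (placeholder)
    [string] $EvidencePath = '.\device-incident.json',     # placeholder output path
    [switch] $Wipe                                         # omit for a read-only status check
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
    'DeviceManagementManagedDevices.Read.All', 'User.ReadWrite.All'

$device = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'"
if (-not $device) { throw "No Intune record for '$DeviceName'; it may never have enrolled." }
if (@($device).Count -gt 1) { throw "Multiple devices named '$DeviceName'; select by serial number instead." }

# Encryption state is what separates a hardware loss from a notifiable breach.
$record = [ordered]@{
    CapturedAt      = (Get-Date).ToString('o')
    DeviceName      = $device.DeviceName
    SerialNumber    = $device.SerialNumber
    User            = $device.UserPrincipalName
    OperatingSystem = "$($device.OperatingSystem) $($device.OsVersion)"
    IsEncrypted     = $device.IsEncrypted        # Intune-reported BitLocker / FileVault state
    LastSyncUtc     = $device.LastSyncDateTime   # last time the device contacted Intune
    ComplianceState = $device.ComplianceState
    WipeIssued      = $false
}

if ($Wipe) {
    # The wipe is queued now and executes the next time the device contacts Intune.
    Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $device.Id
    $record.WipeIssued = $true
    # Cached tokens on the device stay valid until revoked, so evict the user's sessions as well.
    Revoke-MgUserSignInSession -UserId $device.UserPrincipalName | Out-Null
}

# Time-stamped evidence record for the insurer, the police report and the PIPEDA breach register.
$record | ConvertTo-Json | Set-Content -Path $EvidencePath
$record
if (-not $record.IsEncrypted) {
    Write-Warning "Device was NOT reported as encrypted: assess for a real risk of significant harm under PIPEDA."
}
```

The JSON file is written before the wipe result is known on purpose: the last-sync time and encryption state as they stood when the loss was reported are the facts an insurer or the Privacy Commissioner will ask about, and they cannot be recovered after the device is wiped or retired from Intune.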
Our incident response process
We follow the standard NIST SP 800-61 incident response lifecycle. It is the same playbook used by breach counsel and national responders, and it keeps everyone on the same page when things are chaotic.
- Triage. Fast assessment of scope, severity, and blast radius. Decisions on whether to engage breach counsel, notify insurance, or alert law enforcement.
- Containment. Stop the spread. Isolate hosts, disable accounts, block indicators at the firewall, and kill attacker sessions.
- Eradication. Remove persistence mechanisms, malicious scheduled tasks, backdoors, rogue OAuth apps, and compromised accounts.
- Recovery. Clean rebuild, validated restore, credential rotation, and staged re-introduction to production.
- Lessons learned. Written post-incident report, evidence of controls now in place, and a remediation roadmap you can show your insurer and your board.
Why response time matters
Modern ransomware groups move from initial access to full domain compromise in under 24 hours. Business email compromise fraud clears in minutes. Every hour of delay compounds the recovery cost, the data loss, and the regulatory exposure.
Our SLA commitments for incident response:
- Initial ticket response within 15 minutes.
- Emergency on-site Vancouver downtown within 1 hour.
- Emergency on-site Burnaby, Richmond, North Vancouver within 1 hour 30 minutes.
- Emergency on-site West Vancouver, New Westminster within 1 hour 45 minutes.
- Emergency on-site Coquitlam, Port Coquitlam, Port Moody, Delta within 2 hours.
- Emergency on-site Surrey, Langley, White Rock, Maple Ridge within 2 hours 30 minutes.
- Remote support is immediate during the response window.
PIPEDA breach reporting obligations
Under Canada's federal Personal Information Protection and Electronic Documents Act, commercial organizations must report a breach of security safeguards to the Office of the Privacy Commissioner of Canada when it creates a real risk of significant harm. Notice to affected individuals and record-keeping obligations run alongside. Reports are expected as soon as feasible, and the Commissioner has been clear that 72 hours is the practical benchmark.
We help you scope the notifiable population, draft the Commissioner report, draft plain-language notices for affected individuals, and maintain the 24-month breach register required by regulation. Authoritative guidance is published by the Office of the Privacy Commissioner at priv.gc.ca and by the Canadian Centre for Cyber Security at cyber.gc.ca.
Frequently Asked Questions
Do you only help existing managed IT clients?
No. We take emergency engagements from new clients. We triage first, then decide scope. If you are already a managed client, response is immediate and billed under your agreement.
Will you respond at 2am on a Saturday?
For Professional and Enterprise managed IT clients, yes. Our on-call rotation covers 24/7 incident response for clients on those tiers, with a 15-minute initial response target every day of the year. For non-clients with a live emergency, we respond as rapidly as possible during business hours with best-effort after-hours callback. New-client emergency engagements start with a triage call and a scoped incident response agreement.
How much does incident response cost?
Emergency engagements are billed at published incident-response rates. After a 30-minute triage we provide a scoped estimate so you know the likely range before authorizing work.
Do you work with my cyber insurance?
Yes. We document the incident, preserve evidence, and provide the timeline and technical report your insurer needs. If your policy requires a specific breach-counsel or forensic vendor we coordinate with them.
Do you coordinate with my lawyer?
Yes. For privileged incidents we work under counsel direction so investigation notes are protected by solicitor-client privilege. We are comfortable on joint calls with breach counsel.
Can you attend a police or RCMP statement?
Yes. We prepare a technical summary for the Canadian Anti-Fraud Centre or local RCMP and sit with your staff during statements to translate technical facts into plain English.
Reviewed by Alex Barari, Founder, former PCI DSS Internal Security Assessor (ISA).
Active incident? Do not wait.
Call (604) 332-1500 now for a 15-minute triage. Or request a callback and a Hexafusion responder will be on the line inside the SLA window.