The Ransomware Attack Surface IT Managers Can’t Ignore

Real cases from CapaSystems User Group – Skanderborg, Wednesday 29 April 2026

At CapaSystems User Group in Skanderborg on Wednesday, 29 April, Christian Ranum Spohr from Eagle Shark walked a room full of IT professionals through two real ransomware cases. No hypotheticals. No vendor slides. Just the decisions that had to be made under pressure — and what they cost.

The cases were anonymized. The lessons were not. And for IT managers responsible for endpoint management and ransomware attack surface reduction, the lessons are directly operational.


What a Real Ransomware Attack Looks Like for IT Management

The first case involved a software company serving the hospitality industry. Seven servers. All fully encrypted. Email down. Phone lines were overwhelmed by customers who depended on the software to run their daily operations.

The owner had 72 hours to decide whether the company would survive.

Christian Ranum Spohr described the moment clearly: this was not just an IT incident. It was a full organizational crisis — with simultaneous pressure from customers, employees, the press, the Data Protection Authority, and the police. And at the center of it, one person who had to make a call without complete information, without a clear playbook, and without knowing when it would end.


The Three Options on the Table

IT managers in that situation face three paths — and none of them are good.

Pay the ransom. The fastest route back to operations, statistically speaking. But it requires navigating cryptocurrency transactions, trusting criminals to deliver decryption keys, and accepting the ethical and potential legal implications.

Rebuild from scratch. In this case, specialists estimated recovery at approximately one million kroner per server — with no guarantee of full recovery — and a timeline of 12 to 24 months to restore full operations. For a company whose customers depend on the software to run their business, that is not a viable path.

Close the company. A real option when the financial exposure — ransom, recovery costs, legal liability, customer compensation — exceeds what the organization can absorb.

The company paid. It took close to a month to fully decrypt the files due to multiple layers of encryption. They survived.


The Decision Framework IT Managers Need Before the Attack

Christian Ranum Spohr made a point that resonated across the room: most organizations are not slow because they lack technical competence. They are slow because they have not defined who decides what, when, and under what authority.

When an attack hits at 11 PM on a Friday, the question is not just technical. It is organizational. Who has the authority to isolate systems without escalating to the board? Who communicates with customers? Who contacts legal counsel? Who handles the Data Protection Authority notification, which NIS2 mandates within 24 hours for significant incidents?

Without those decisions pre-made, the first hours of a crisis consume the time that should go toward containment.

The single most valuable action an IT manager can take before an attack is to define that decision tree. Not a 28-page policy document — a clear, actionable framework that answers the five questions that matter most when everything is on fire.


Reducing the Ransomware Attack Surface Through Endpoint Management

The ransomware cases Christian Ranum Spohr presented shared a common thread: attackers had been inside the environment for weeks or months before triggering the encryption. They mapped the infrastructure. They identified the backup systems. They waited.

That dwell time is not inevitable. It exists because organizations have unpatched applications, unmonitored privilege escalation, and insufficient visibility into endpoint behavior.

Endpoint management is not a reactive discipline. IT managers who consolidate their endpoint operations — patching, privilege control, and vulnerability visibility — onto a single platform reduce the attack surface ransomware relies on. They also reduce dwell time because anomalies become visible faster when all endpoint data flows through a single location.

CapaOne Endpoint Management Platform provides IT managers with a consolidated view. It works alongside Microsoft Intune or as a standalone platform — and it addresses the specific gaps that ransomware exploits most: unpatched third-party applications, standing local admin rights, and blind spots in vulnerability exposure across the estate.
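The three gaps named above (unpatched third-party applications, standing local admin rights, and blind spots in endpoint visibility) are exactly the things an inventory-driven audit can surface before an attacker does. The following is an added example, not CapaOne code and not part of the talk: it runs an audit over a constructed endpoint inventory and ranks endpoints by how much they add to the attack surface. The application names, version baseline, admin allowlist and check-in threshold are all assumed values chosen for the example.

```python
"""Endpoint attack-surface audit over a constructed inventory.

Added example (not CapaSystems or CapaOne code). It flags the three gaps
the talk names: unpatched third-party applications, standing local admin
rights outside an allowlist, and endpoints with stale inventory data
(visibility blind spots that also hide attacker dwell time).
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical minimum patched versions (assumed for this example).
PATCH_BASELINE = {
    "Acme PDF Reader": "11.4.2",
    "Acme Browser": "124.0.1",
    "Acme Archiver": "7.3.0",
}

# Accounts permitted to hold standing local admin rights (assumed).
ADMIN_ALLOWLIST = {"CORP\\LAPS-Admin", "CORP\\Endpoint-Admins"}

# An endpoint silent for longer than this is treated as a blind spot.
MAX_CHECKIN_AGE_DAYS = 7


@dataclass
class Endpoint:
    name: str
    apps: dict          # app name -> installed version string
    local_admins: set   # members of the local Administrators group
    last_checkin: date  # last time inventory data was received


def parse_version(text: str) -> tuple:
    """Turn '11.4.2' into (11, 4, 2) so versions compare numerically,
    not as strings (where '9' would sort above '11')."""
    return tuple(int(part) for part in text.split("."))


def audit_endpoint(ep: Endpoint, today: date) -> list:
    """Return (severity, finding) tuples for one endpoint."""
    findings = []
    # Gap 1: third-party apps below the patch baseline.
    for app, required in PATCH_BASELINE.items():
        installed = ep.apps.get(app)
        if installed and parse_version(installed) < parse_version(required):
            findings.append(("high", f"{app} {installed} below baseline {required}"))
    # Gap 2: standing local admin rights not covered by the allowlist.
    for member in sorted(ep.local_admins - ADMIN_ALLOWLIST):
        findings.append(("high", f"standing local admin: {member}"))
    # Gap 3: no recent inventory, so nothing on this host is visible.
    age = (today - ep.last_checkin).days
    if age > MAX_CHECKIN_AGE_DAYS:
        findings.append(("medium", f"no inventory for {age} days"))
    return findings


def audit_estate(endpoints, today: date) -> dict:
    """Map endpoint name -> findings for endpoints with at least one finding,
    ordered by high-severity count, then by total findings."""
    report = {ep.name: audit_endpoint(ep, today) for ep in endpoints}
    report = {name: f for name, f in report.items() if f}

    def rank(item):
        findings = item[1]
        highs = sum(1 for severity, _ in findings if severity == "high")
        return (-highs, -len(findings))

    return dict(sorted(report.items(), key=rank))


# Constructed sample inventory; the audit date matches the user group date.
TODAY = date(2026, 4, 29)
SAMPLE_ENDPOINTS = [
    Endpoint("WS-ACCT-01",
             {"Acme PDF Reader": "11.3.9", "Acme Browser": "124.0.1"},
             {"CORP\\LAPS-Admin", "CORP\\j.hansen"},
             date(2026, 4, 28)),
    Endpoint("WS-DEV-07",
             {"Acme PDF Reader": "11.4.2", "Acme Archiver": "7.3.0"},
             {"CORP\\Endpoint-Admins"},
             date(2026, 4, 29)),
    Endpoint("SRV-BACKUP-02",
             {"Acme Archiver": "6.9.1"},
             {"CORP\\Endpoint-Admins", "SRV-BACKUP-02\\backupsvc"},
             date(2026, 4, 10)),
]

if __name__ == "__main__":
    for name, findings in audit_estate(SAMPLE_ENDPOINTS, TODAY).items():
        print(name)
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```

Note the ordering: the backup server comes out on top because it combines an outdated archiver, an unexpected local admin account and nineteen days of silence, which is the profile of a host an intruder would want to control before triggering encryption. Whatever platform collects the inventory, the value is in running a check like this continuously rather than after the fact.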

The best crisis management decision an IT manager can make is the one that prevents the crisis from ever escalating to a board-level emergency in the first place.

And if the worst happens, CapaOne stands ready to support endpoint recovery within 10 minutes — for any organization.



Frequently Asked Questions

Isolate affected systems immediately to stop the spread — even without full information. Activate your crisis communication plan and notify relevant stakeholders. Document everything from the first moment. The speed of containment in the first hours determines the scope of the damage. CapaOne supports endpoint recovery within 10 minutes — so IT managers have a concrete path back to operations from the moment an attack is confirmed.

There is no universal answer. Payment is statistically the fastest route back to operations, and the criminals have a professional incentive to deliver decryption keys. But the decision depends on the organization’s financial position, legal exposure, the nature of the data, and whether recovery is feasible without payment. The decision requires input from IT, legal, finance, and senior leadership — and IT managers should discuss it before an attack occurs.

Ransomware exploits specific weaknesses: unpatched applications, excessive local admin rights, and poor visibility into endpoint behavior. Organizations that patch consistently, enforce least-privilege access, and maintain real-time visibility across their endpoint estate give attackers significantly less to work with — and enable earlier detection of intrusions when they do occur.

Endpoint management platforms that consolidate patching, privilege control, and vulnerability visibility reduce the attack surface that ransomware depends on. A unified platform also reduces dwell time — the period between initial compromise and the moment the attacker triggers encryption — because anomalies become detectable faster when all endpoint data flows through a single view. And if an attack does succeed, CapaOne supports endpoint recovery within 10 minutes for any organization — reducing downtime and limiting the operational impact of an incident.
