Ransomware in the workplace: what the CHOC FM attack teaches us

On Saturday, February 14, 2026, around 8 PM, the team at CHOC FM in Portneuf turned on their computers to find a red screen. Every system encrypted. A message with an email address and a demand: $100,000 to get their data back.

Audio files, archives, advertiser spots, years of recordings. All gone.

What happened

The concept is straightforward: malicious software gets into your systems, encrypts everything, then demands payment to unlock it. That’s ransomware. According to the 2025 Verizon Data Breach Investigations Report, 88% of security breaches in SMBs involve this type of attack. CHOC FM is a real-world example.

Michel Cloutier, the station’s director, put it simply: “We’re a regional station. We don’t have the budgets of large media groups like Bell Media or Cogeco.”

Vicky Beaudoin, Vice-President of Rhesus: “We’re still in the assessment phase, but it’s highly likely that the attackers had silently planted the attack weeks, possibly even months ago.”

That’s exactly what makes SMBs vulnerable. Cybercriminals don’t necessarily go after the biggest companies. They go after the least prepared ones.

What the CHOC FM case reveals

Michel Cloutier was transparent with the media about what happened, and his account illustrates a reality that many SMBs share without knowing it.

The last complete backup was from 2022. Four years without a usable backup. The administrative data survived because it was managed by an external company, but everything else – the music, the ads, the archives – didn’t have that protection. As Mr. Cloutier told Le Soleil: “It’s like we have to start the station from scratch, like in 2020.”

Mr. Cloutier acknowledged it himself: he didn’t think his station could be a target. It’s a reaction we hear often. “We’re too small to attract hackers.” But cybercriminals don’t choose their targets based on size. They look for doors that aren’t locked.

Finances were already tight. The station, which opened in 2020, survived the pandemic but the initial loan still hasn’t been paid off. When a cyberattack hits under those conditions, the $50,000-plus recovery cost becomes a very real blow. Mr. Cloutier’s message was clear: “I urge all businesses to protect themselves and always have a second backup copy.”

What SMBs can do right now

We’re not talking about spending hundreds of thousands of dollars. We’re talking about practical steps that would have changed the outcome for many of the organizations we’ve helped.

• Eliminate outdated operating systems. Legacy systems lack security updates. They’re extremely easy vulnerabilities for hackers to exploit.
• Regular and rigorous maintenance. Eliminate the gaps in your network infrastructure before someone else finds them.
• Back up your data externally with ransomware detection. Today’s solutions offer automatic ransomware detection powered by artificial intelligence. Test your backups regularly and verify data integrity. Internal backups alone are no longer recommended. It’s doable, but you need a plan B.
• Complex passwords. A complex and unique password for every application. Never reuse the same password in two places.
• Multi-factor authentication. Download an authentication app to verify it’s actually you logging in. If your password is compromised, hackers will still need to obtain your 6-digit code. Quick tip: that code should never be shared with anyone claiming to be from a third-party company.
• Train and educate your teams. Build organizational reflexes by training your teams on cybersecurity, running workshops and simulations, and offering personalized phishing campaigns. It’s a way to strengthen cybersecurity through the people themselves.
• When it happens, it’s too late to improvise. A simple, accessible document that clearly says: here’s what we do if we get attacked. The numbers to call, the steps to follow in the first 30 minutes, who communicates what to whom. We’ve seen companies significantly limit the damage simply because they had a plan and everyone knew where to find it.
• Segment your network. If one workstation gets compromised, does the attacker have access to everything? In many SMBs, the answer is yes. Separating environments (admin, production, backups) limits how far an attack can spread.
• Set up anti-spam protection. Email is the number one vector for cyberattacks.
• Replace your router with a security appliance. The gateway between your infrastructure and the internet is your router. Residential-grade routers have no place in a business. SMBs need a proper solution to secure their systems.

The question everyone asks: should we pay?

It’s the first thing people want to know. The short answer: no.

Paying guarantees nothing. As Sami Khoury, Canada’s senior cybersecurity official, stated in La Presse: “There is no guarantee that criminals will keep their word when you pay the ransom.” Some groups take the money without providing the decryption key. Others come back with a second, even a third ransom demand.

The Canadian Centre for Cyber Security recommends not paying and reporting the incident to law enforcement.