A blow-by-blow account of containing a ransomware event at a mid-size manufacturer — what went right, what almost went wrong, and what we changed afterward.

Cyber incidents rarely happen at a convenient time. In this case, a mid-size manufacturing company experienced a ransomware attack on a Thursday evening, just hours before a critical production cycle was scheduled to begin. What followed was a 72-hour effort involving security analysts, infrastructure engineers, executives, legal advisors, and business stakeholders working together to contain the threat and restore operations.

While every incident is unique, the lessons from this engagement highlight common weaknesses we see across many organizations: inadequate identity protection, insufficient backup isolation, and limited incident response preparedness.

The Environment

The organization operated across multiple locations with approximately 700 employees. The environment included:

  • Hybrid Active Directory infrastructure
  • VPN-based remote access for employees and contractors
  • Microsoft 365 collaboration services
  • On-premise ERP and manufacturing systems
  • Endpoint Detection and Response (EDR) coverage on critical assets
  • Daily backup processes

Although the company had invested in several security controls, gaps remained in identity security and incident response readiness.

Hour 0–4: Detection and Containment

The first alert came from an EDR platform flagging unusual encryption-like file activity on a finance server. Security analysts immediately initiated an investigation and confirmed that multiple files were being modified at an abnormal rate.

Within minutes, the incident response team activated its emergency procedures.

Immediate actions included:

  • Isolating affected endpoints from the network
  • Blocking suspicious command-and-control traffic
  • Disabling potentially compromised user accounts
  • Restricting VPN access while investigation continued
  • Preserving forensic evidence for later analysis

This rapid containment decision likely prevented the ransomware from reaching production systems and manufacturing equipment.

One of the most important lessons from this phase was the value of visibility. Because the organization had centralized logging and EDR telemetry, investigators could quickly determine what was happening rather than spending hours collecting data.

Hour 4–24: Scoping the Blast Radius

With containment underway, attention shifted to understanding the full scope of the compromise.

Forensic analysis revealed that the attackers had obtained access using a compromised VPN credential that was not protected by multi-factor authentication (MFA). After gaining entry, they performed reconnaissance, escalated privileges, and moved laterally through several systems before launching the ransomware payload.

During the investigation, the team focused on answering critical questions:

  • Which systems were compromised?
  • How long had the attackers been present?
  • Was sensitive data accessed or exfiltrated?
  • Were backups affected?
  • Could the attackers regain access after recovery?

Investigators discovered evidence of attacker activity dating back nearly nine days before encryption began. This dwell time is not unusual; many ransomware groups spend days or weeks mapping environments before triggering their attack.

Fortunately, security logs showed no evidence that production databases or intellectual property repositories had been successfully exfiltrated.

Executive Communication During the Crisis

One of the most overlooked aspects of incident response is stakeholder communication.

Every four hours, the response team provided executive leadership with structured updates covering:

  • Current threat status
  • Systems affected
  • Operational impact
  • Recovery progress
  • Business risks
  • Next response actions

This approach reduced uncertainty and allowed leadership teams to make informed decisions without interfering with technical response efforts.

Clear communication proved just as valuable as technical expertise throughout the recovery process.

Hour 24–48: Eradication and Validation

Before restoring systems, the team focused on eliminating persistence mechanisms that could allow attackers to return.

Key activities included:

  • Resetting privileged credentials
  • Reviewing Active Directory permissions
  • Removing malicious scheduled tasks
  • Identifying unauthorized administrative accounts
  • Scanning for persistence tools and malware remnants
  • Patching exposed vulnerabilities

The team also conducted targeted threat hunting across the environment to ensure no additional compromised systems remained undetected.

A common mistake during ransomware recovery is restoring systems too quickly. If attackers maintain persistence, organizations can find themselves re-infected shortly after recovery.

Validation is often the difference between successful recovery and a second incident.

Hour 48–72: Recovery and Restoration

Recovery prioritized business-critical systems first.

The organization maintained offline backup copies that had not been reached by the attackers. These backups became the foundation of the recovery effort.

Restoration priorities were established based on business impact:

  1. Identity and authentication services
  2. ERP systems
  3. Manufacturing operations
  4. File servers
  5. Departmental applications
  6. Secondary business services

Each restored system underwent validation checks before being returned to production.

By hour 72:

  • Core business services were operational
  • Manufacturing activities resumed
  • Users regained access to critical applications
  • Monitoring confirmed no signs of renewed attacker activity

The company avoided paying the ransom and successfully restored operations using verified backups.

Business Impact Assessment

Although the organization recovered relatively quickly, the attack still carried measurable costs.

Estimated impacts included:

Impact Area Result
Production Downtime 18 Hours
IT Recovery Effort 72 Hours
Security Investigation 2 Weeks
Executive Coordination Ongoing
Regulatory Review Required
Customer Notifications Limited

The incident demonstrated that even successful recoveries can generate significant operational and financial disruption.

Root Cause Analysis

Following recovery, a formal post-incident review identified three primary contributing factors.

1. Missing MFA on VPN Access

The compromised credential alone would not have resulted in a successful intrusion if MFA had been enforced consistently.

2. Excessive Privileges

Several service accounts possessed permissions beyond their operational requirements, enabling faster lateral movement.

3. Limited Incident Response Testing

While the organization had an incident response plan, practical exercises had not been conducted recently.

The team knew what to do in theory, but several coordination challenges emerged during the first hours of the incident.

What We Changed Afterward

Following the engagement, the organization implemented a broader security improvement program.

Identity Security

  • Enforced MFA on all remote access paths with no exceptions
  • Introduced conditional access policies
  • Reduced administrative privileges
  • Implemented privileged access management controls

Backup Resilience

  • Moved backup infrastructure to immutable storage
  • Established air-gapped backup copies
  • Increased backup validation frequency
  • Tested recovery procedures quarterly

Detection and Response

  • Expanded EDR deployment coverage
  • Improved log retention and monitoring
  • Added threat hunting activities
  • Established 24/7 security monitoring capabilities

Incident Readiness

  • Added a tabletop exercise cadence
  • Updated incident response playbooks
  • Defined executive communication procedures
  • Conducted annual ransomware simulations

Key Takeaways for Security Leaders

This incident reinforced several lessons that apply to organizations of every size.

  1. MFA remains one of the highest-value security controls available.
  2. Fast containment often determines the ultimate business impact.
  3. Backups must be isolated, tested, and protected from attackers.
  4. Visibility through EDR, logging, and monitoring dramatically improves response effectiveness.
  5. Incident response plans should be exercised regularly, not simply documented.
  6. Executive communication is a critical component of successful crisis management.

Final Thoughts

No organization is immune to ransomware. The difference between a manageable incident and a business crisis often comes down to preparation, visibility, and response speed.

This recovery succeeded because the organization had foundational security controls in place, maintained usable backups, and acted decisively when the first alert appeared.

For organizations looking to strengthen resilience, the best time to improve incident response capabilities is before an attack occurs—not during one.