5 min read

$750K Ransomware Attack: Manufacturer's Recovery with Eye Security

March 20, 2025
By: Arjan van Proosdij
ransomware investigation manufacturing
26 March 2025

Picture this: a state-of-the-art production floor plunges into chaos. Machines grind to a halt, screens blare warnings, and panic grips the workforce. A ransomware attack has just crippled this manufacturer, bringing their finely tuned operation to an immediate standstill. Every second of downtime means lost revenue, missed deadlines and damaged customer relationships.

The Anatomy of an Attack

Like many others, this manufacturer believed its existing security measures were enough. However, today's cybercriminals are sophisticated and constantly evolve their tactics, and traditional defences often fall short.

Computer screen displaying a ransomware message.

This company needed expert help, and they needed it fast.

This wasn't a smash-and-grab raid. It was a calculated infiltration. Weeks earlier, a seemingly harmless phishing email opened a backdoor into the manufacturer's IT environment. Working in the shadows, the attackers spent a week escalating privileges, ultimately gaining admin credentials to critical systems. This allowed them to locate and steal over 300,000 files and encrypt tens of millions more, a classic double extortion tactic. The attack was executed in the dead of a Friday night with devastating efficiency.

Immediate Response: Securing the Environment

Faced with a crisis that threatened to shut them down, the manufacturer contacted Eye Security. We understand the urgency of these situations. In the last few years alone, we have managed 94 incident responses for non-clients like this manufacturer, including 27 ransomware attacks. Every incident is unique, so we tailor our battle-tested strategies to the specific needs of each situation.

Day 1. Immediate Lockdown

Upon initial consultation, we advised the client to immediately isolate their network from the Internet to prevent further malicious activity. The client then disconnected the Internet connection, swiftly cutting off the attackers. This rapid action prevented the attackers from causing additional harm to the environment.

Day 1-2. Rapid Assessment and Mitigation

Our team immediately began a collaborative assessment, analysing the company's external attack surface for potential vulnerabilities while the client confirmed the extent of encryption and the integrity of their backups.

The damage:

  • 300,000 files were stolen, and millions were encrypted across all servers.
  • Backups were found to have been encrypted before deletion.

Attackers often claim to have stolen sensitive data before encrypting all systems. To validate these claims, we employed the following verification process:

  1. Initial Claim: The attackers provided a list of file names, asserting they had exfiltrated these files from the client's network.
  2. Proof of Possession: We requested specific files from the list, asking the attackers to provide the complete files, not just the names. This was done to confirm they possessed the data, not just file metadata.
  3. Validation: By successfully retrieving the requested files, we confirmed the attackers had indeed exfiltrated the data, including file contents.
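The proof-of-possession check above can be made systematic: choose whole files from the attacker's claimed list that the organisation still holds a reference copy of (here, copies recovered from backup), then compare what the attackers return byte for byte. This is an added example written for this article, not Eye Security's tooling; the file names and contents are constructed, and the three functions and their parameters are assumptions.

```python
import hashlib
from collections import defaultdict

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def select_samples(claimed_names, reference, per_dir=1):
    """Pick files to request from the attacker's list: spread across
    directories, and only ones we hold a reference copy of, so the
    returned content (not just the name) can be checked."""
    by_dir = defaultdict(list)
    for name in claimed_names:
        if name in reference:
            by_dir[name.rpartition("/")[0]].append(name)
    return [n for d in sorted(by_dir) for n in sorted(by_dir[d])[:per_dir]]

def verify_possession(samples, returned, reference):
    """Classify each requested file: 'match' (identical to our copy),
    'mismatch' (different content) or 'not_provided'. A mismatch against
    an older backup copy may only mean the file changed after the backup,
    so it is flagged for manual review rather than treated as fabricated."""
    result = {}
    for name in samples:
        if name not in returned:
            result[name] = "not_provided"
        elif sha256(returned[name]) == sha256(reference[name]):
            result[name] = "match"
        else:
            result[name] = "mismatch"
    return result

def claim_confirmed(result, min_matches=3):
    """Treat the exfiltration claim as proven only when enough requested
    files came back and every one of them matches byte for byte."""
    return len(result) >= min_matches and all(v == "match" for v in result.values())

# Constructed sample data (not from the incident): reference copies
# recovered from backup, the attacker's claimed list, and what the
# attacker returned when asked for whole files.
REFERENCE = {
    "finance/q4-forecast.xlsx": b"forecast workbook bytes",
    "finance/payroll-2024.csv": b"employee,salary\nA,1\n",
    "engineering/line3-plc-config.txt": b"PLC cfg v7",
    "hr/onboarding.docx": b"onboarding doc bytes",
}
CLAIMED = list(REFERENCE) + ["hr/contracts-2025.xlsx"]  # no reference copy held
RETURNED = {
    "engineering/line3-plc-config.txt": b"PLC cfg v7",
    "finance/payroll-2024.csv": b"employee,salary\nA,1\n",
    "hr/onboarding.docx": b"different bytes",  # altered, or newer than the backup
}

if __name__ == "__main__":
    samples = select_samples(CLAIMED, REFERENCE)
    outcome = verify_possession(samples, RETURNED, REFERENCE)
    print(outcome, "confirmed:", claim_confirmed(outcome))
```

A file on the claimed list with no reference copy (the contracts workbook above) cannot be verified by hash and is left for manual review.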

Computer screen displaying a ransomware message detailing stolen files.

For our analysis, we guided the client in deploying EDR agents on accessible devices, establishing a secure connection for remote investigation, and configuring firewall rules to give us exclusive access, mitigating further attacker access.

Day 3. Targeted Neutralisation and Recovery Initiation

With secure access established, we took action to eliminate any malicious backdoors, minimising the risk of reinfection. Simultaneously, we worked with the client to begin the recovery of critical systems.

Key actions:

  1. Data Recovery: We collaborated with specialised data recovery experts to retrieve data from encrypted systems.
  2. System Rebuilding: Adopting an assumed breach model is a more effective strategy than rebuilding systems from clean installations. In this case, affected systems were rebuilt from clean installations due to the absence of backups and the client's decision not to pay. However, this method is time-consuming and results in more downtime.
  3. Password Resets: All passwords were reset to secure the environment.
  4. Negotiation Start: We initiated negotiations with the attackers to explore options for data recovery. Valuable data had been stolen, and the threat of public release was a concern.

Computer screen displaying a message requesting instructions from ransomware attackers on how to recover files.

Our primary focus was to restore the company's operations as quickly and safely as possible.

Day 3-4. Strategic Forensic Investigation

While we continued the recovery efforts, we launched a forensic investigation. Instead of a lengthy, full-scale analysis, we concentrated on identifying the initial entry point and the extent of the stolen data. This targeted approach allowed us to quickly pinpoint the root cause of the breach and implement precise measures to prevent future attacks.

Day 5-15. Critical Data Server Recovery

A complete backup of a critical data server created two weeks before the attack by a maintenance supplier was successfully recovered. Lucky! This crucial recovery significantly accelerated the restoration of the IT environment, enabling employees to return to work by day 15. It also underscores the necessity of consistent backup practices and robust backup protection.

Day 16-30. High-Stakes Negotiation

With the IT environment largely restored and employees back to work, negotiations with the attackers, which started earlier, intensified. This delicate process demanded careful assessment of the situation and a strategic weighing of downtime costs against potential ransom payments. The tension was palpable as the attackers initially demanded a staggering $750,000!

The ransom demand:

Computer screen displaying a $750,000 ransom demand.

Understanding the immense financial burden and emotional toll on the client, our team expertly navigated the negotiation. While we always strive to minimise the financial impact, sometimes a strategic payment for obtaining the decryption keys and preventing data publication is the fastest path to recovery. In this case, our skilled negotiators successfully reduced the ransom demand to $200,000 in Bitcoin, preventing data publication and significantly reducing reputational damage. However, the attackers did not provide a decryption key, and despite the successful recovery of a critical data server backup, the client still suffered data loss.

Day 39. Reporting

We delivered a comprehensive incident report.

We supported the manufacturer throughout the process, ensuring they understood each step and felt confident in their decisions. We also guided them in fulfilling crucial regulatory requirements, including:

  1. Developing a comprehensive communication plan for employees, clients, partners, and investors.
  2. Filing the necessary police reports.
  3. Reporting the incident to the relevant data protection authorities, which impose strict reporting deadlines.

With our guidance, the manufacturer safely recovered its critical data and restored its systems, bringing its production lines back online within fifteen days of the ransomware payload being deployed.

From Crisis to Confidence: Building a Secure Future

The manufacturer was brought to its knees but not broken. Eye Security's rapid response averted a complete disaster. The ransom was paid, but significantly less than the initial demand. Critical data was recovered, and the company was saved.

But the scars remained.

This experience was a stark reminder that robust cybersecurity and cyber insurance are not a luxury but a necessity in today's digital battlefield.

The manufacturer now partners with Eye Security to build an unbreakable defence against future threats.

This is how they transformed their security posture:

  • 24/7 Managed Detection & Response (MDR): They deployed our MDR service, gaining an extended team of dedicated security experts who continuously monitor their endpoints and provide an immediate expert response to neutralise threats before they can disrupt production lines. It's like having a dedicated security operations centre (SOC) working tirelessly around the clock without the cost and complexity of building one in-house.
  • Cloud Security: They implemented Eye Security's robust Cloud Detection and Response service, recognising the increasing importance of cloud computing in their operations. This helps safeguard their cloud identities and data from unauthorised access and vulnerabilities, ensuring their cloud environment remains a secure and reliable engine for innovation and growth. Within the first month of implementation, our service successfully thwarted a Business Email Compromise attack, demonstrating its immediate value in protecting their evolving digital landscape.
  • Cyber Insurance: They secured comprehensive cyber insurance through Eye Security's broker network to further fortify their defences and protect their bottom line. This insurance provides a crucial safety net, offering affordable financial protection and dedicated expert support if a threat slips through its reinforced defences.

The Eye Security Difference: More Than Just Incident Response

This story demonstrates how Eye Security goes beyond traditional incident response. We become your extended cybersecurity team, providing:

  • Expert 24/7 Incident Response: Our experienced team acts swiftly and decisively to help you contain, eradicate, and recover from cyberattacks, minimising downtime and financial loss.
  • Threat Monitoring: We continuously monitor your endpoints and cloud identities, proactively hunting for threats and neutralising them before they cause damage.
  • Comprehensive Protection: We secure your entire operation, from production lines and supply chains to cloud environments and critical data.
  • Eye Portal Visibility: Our Eye Portal provides complete visibility of your attack surface, along with 24/7 security recommendations and actionable insights to keep your operations secure.
  • Integrated Cyber Insurance: We help you navigate the complexities of cyber insurance and ensure you have the right coverage to protect your business.

Turn Crisis into Opportunity

A ransomware attack can be a devastating experience, with ransom demands often exceeding $750,000. But it doesn't have to define your future. With Eye Security, you can build a cyber-resilient and secure manufacturing business.

Don't wait for an attack. Contact Eye Security today to safeguard your production lines and ensure continued success.
