Background
A medium-sized UK trading company, still in the early stages of onboarding with our team, suffered a ransomware attack on a Sunday morning in August 2025. The attack encrypted multiple user computers and the main server, leaving critical files inaccessible and accompanied by a ransom demand. During onboarding, our security review had already identified that remote access to servers and PCs, combined with weak credentials, posed a significant risk. Work was already underway to remove these vulnerabilities when the attack occurred.
Challenge
The ransomware impacted seven user PCs and the main application/file server, disrupting normal business operations. The variant used a double-extortion model, threatening both data encryption and leakage. The timing was particularly challenging, as the company was mid-transition to a hardened IT environment with improved security measures.
Response
Our team acted immediately following an out-of-hours alert:
- Containment: Staff were instructed to shut down all systems to halt the spread. Infected machines were removed from the network, and event logs were secured for forensic analysis.
- Recovery: The server was restored the same day using immutable backups, significantly reducing data loss. Infected PCs were rebuilt and reconfigured, with business-critical applications validated before redeployment.
- Investigation: Analysis confirmed that the attack exploited the very remote access weakness we had already flagged and begun addressing as part of onboarding. The ransomware, identified as “Beast” (GIGAKICK), was fileless in execution, designed to evade traditional antivirus.
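The Response section says event logs were secured before machines were rebuilt. The following is an added example of how a responder can do that on a Windows host, written for this page and not the team's own tooling. It assumes an elevated PowerShell session on the affected host and that `$EvidenceRoot` points at media the host cannot encrypt after export (an assumed value); it exports the channels most relevant to a remote-access intrusion as native `.evtx` files, records SHA-256 hashes in a manifest, and runs one triage query for recent remote interactive logons.

```powershell
# Added example (not the page's own procedure): preserve event logs from an affected
# host before rebuild, then do a first-pass triage of remote interactive logons.
# Assumptions: run elevated; $EvidenceRoot is off-host media (assumed path below).
param(
    [string]$EvidenceRoot = 'E:\evidence'   # assumed destination, adjust per case
)

$hostName = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest     = Join-Path $EvidenceRoot "$hostName-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Channels worth keeping for a remote-access intrusion: logons and privilege use
# (Security), service and boot changes (System), application crashes and AV events
# (Application), RDP session activity, and PowerShell activity. Channels absent on a
# given host are skipped rather than aborting the whole export.
$channels = @(
    'Security',
    'System',
    'Application',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
    'Microsoft-Windows-PowerShell/Operational'
)

$manifest = @()
foreach ($ch in $channels) {
    if (-not (Get-WinEvent -ListLog $ch -ErrorAction SilentlyContinue)) { continue }
    $file = Join-Path $dest (($ch -replace '[\\/]', '_') + '.evtx')
    # wevtutil epl exports the channel in native .evtx form, keeping event metadata intact.
    & wevtutil.exe epl $ch $file
    if (Test-Path $file) {
        $hash = Get-FileHash -Path $file -Algorithm SHA256
        $manifest += [pscustomobject]@{
            Channel = $ch
            File    = $file
            Bytes   = (Get-Item $file).Length
            SHA256  = $hash.Hash
        }
    }
}

# Hash manifest beside the exports so integrity can be re-checked later.
$manifest | Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation

# Triage: remote interactive logons (4624, logon type 10) in the last 14 days,
# grouped by account and source address. Property indices follow the 4624 schema:
# [5] TargetUserName, [8] LogonType, [18] IpAddress.
$since = (Get-Date).AddDays(-14)
$rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[5].Value
            Source  = $_.Properties[18].Value
        }
    }
$rdpLogons | Group-Object Account, Source |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Export-Csv -Path (Join-Path $dest 'rdp-logons-summary.csv') -NoTypeInformation

$manifest | Format-Table Channel, Bytes, SHA256 -AutoSize
```

The export runs before any rebuild because reimaging destroys the only copy of these logs; the manifest hashes let the team show later that the exported files are unchanged. The triage summary is only a starting point, since logon type 10 covers RDP but not every remote path, so the full channels are kept for the detailed investigation.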
Long-Term Solution
In the weeks that followed, our team worked with the client to complete the planned security upgrades and introduce additional protective measures, including:
- Disabling all direct remote access, enforcing VPN-only entry.
- Removing the built-in administrator account.
- Resetting all user passwords with strengthened complexity requirements.
- Eliminating broad file share permissions.
- Enabling Microsoft 365 security defaults.
- Beginning the removal of unnecessary local administrator rights.
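The list above is a set of host-level controls that can be verified after the work is done. The following added example, written for this page rather than taken from the team's own tooling, audits a Windows server or PC against the first five points: direct RDP exposure, the built-in Administrator account, local password length policy, broad share permissions, and local administrator group membership. It assumes an elevated session and an `$ApprovedAdmins` list supplied by the reader (assumed parameter); the Microsoft 365 security defaults item is a tenant-side setting and is not checked here.

```powershell
# Added example (not the page's own tooling): read-only audit of the hardening
# controls listed above on one Windows host. Prints findings; changes nothing.
function Test-HardeningBaseline {
    param(
        # Assumed input: principals allowed in the local Administrators group.
        [string[]]$ApprovedAdmins = @('Administrators', 'Domain Admins'),
        # Assumed threshold for minimum password length.
        [int]$MinPasswordLength = 14
    )
    $findings = @()

    # 1. Direct remote access: with VPN-only entry, host RDP should be off and its
    #    inbound firewall rules disabled.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    if ($ts.fDenyTSConnections -eq 0) {
        $findings += 'RDP is enabled on this host (fDenyTSConnections = 0).'
    }
    $rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    if ($rdpRules) {
        $findings += "Inbound RDP firewall rules enabled: $($rdpRules.DisplayName -join ', ')"
    }

    # 2. Built-in Administrator (well-known RID 500) should be disabled, whatever it was renamed to.
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtinAdmin -and $builtinAdmin.Enabled) {
        $findings += "Built-in Administrator account '$($builtinAdmin.Name)' is still enabled."
    }

    # 3. Password length policy, read from the local account policy via net accounts.
    $policyLine = (& net.exe accounts) | Where-Object { $_ -match 'Minimum password length' }
    if ($policyLine) {
        $minLen = [int]($policyLine -replace '.*:\s*', '')
        if ($minLen -lt $MinPasswordLength) {
            $findings += "Minimum password length is $minLen (expected at least $MinPasswordLength)."
        }
    }

    # 4. Broad file share permissions: non-administrative shares that grant Full or
    #    Change to Everyone, Authenticated Users, or the local Users group.
    Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Full', 'Change') -and
            $_.AccountName -match 'Everyone|Authenticated Users|\\Users$'
        } | ForEach-Object {
            $findings += "Share '$($_.Name)' grants $($_.AccessRight) to $($_.AccountName)."
        }
    }

    # 5. Local administrator rights: any member of Administrators not on the approved list.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $shortName = ($_.Name -split '\\')[-1]
        if ($ApprovedAdmins -notcontains $shortName -and $ApprovedAdmins -notcontains $_.Name) {
            $findings += "Unexpected local administrator: $($_.Name) ($($_.ObjectClass))."
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output "$($env:COMPUTERNAME): no findings against the baseline."
    } else {
        Write-Output "$($env:COMPUTERNAME): $($findings.Count) finding(s)"
        $findings | ForEach-Object { Write-Output "  - $_" }
    }
    return $findings
}

# Usage: run on each rebuilt host and keep the output with the onboarding records.
Test-HardeningBaseline -ApprovedAdmins @('Administrators', 'Domain Admins', 'CONTOSO\it-admins')
```

Running the audit on every rebuilt PC and on the server gives a repeatable check that the controls actually landed, rather than relying on the change tickets; the same script rerun later shows whether anyone has quietly re-enabled RDP or re-granted Everyone on a share. The last item only reports group members, so it supports the gradual removal of local admin rights mentioned above rather than enforcing it.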
Outcome
Despite the scale of the attack, critical operations were restored by Tuesday morning. Immutable backups prevented major data loss, and business downtime was minimised. By continuing onboarding with a heightened focus on cybersecurity, the company now benefits from stronger protections, local support, and greatly reduced exposure to similar risks.