Ransomware recovery for a five-division manufacturing business, in 72 hours.
A 300-person chemical manufacturing business with five divisions across Tamil Nadu. No ransom paid. No repeat incidents since.
The problem
A single server failure turned out to be the entire business.
Within hours, staff across all five divisions could not access files, applications, or any business system. The team initially thought one server had failed. Every server across every division had in fact been encrypted overnight, along with the laptops of finance and management staff.
There was no firewall at any location, no multi-factor authentication, and antivirus software that had been disabled by the attacker using standard Windows tools. The attacker had been inside the network for roughly 14 hours before the ransomware ran.
The only surviving restore point was a backup taken months earlier by a third-party software vendor during a routine upgrade.
The solution
A complete rebuild, from zero to fully protected.
Uniware's team followed the NIST Cybersecurity Framework end to end, giving the recovery a documented, auditable structure. This project took five stages. Others may take three, or six, depending on scope.
- 1IdentifyCrowdStrike deployed immediately across every reachable system, giving the team endpoint protection and the business's first complete device list at the same time.
- 2ProtectFortinet firewalls installed at every location. Secure VPN with MFA replaced exposed remote desktop access. Active Directory rebuilt from scratch with hardened policies.
- 3DetectTamper-proof activity logging and automated alerts configured for suspicious behaviour going forward.
- 4RespondCompromised accounts disabled, passwords reset business-wide, forensic evidence preserved on original drives.
- 5RecoverServers rebuilt on clean hardware. Data restored from the last available backup, with the remaining gap re-entered by all 300 staff within two days.
Technologies used
Before and after
Read row by row, what actually changed.
| Metric | Before | After |
|---|---|---|
| Firewall | None at any location | Fortinet with IPS at every location |
| Remote access | Exposed, no MFA | Secure VPN with MFA |
| Endpoint protection | Basic antivirus, disabled by attacker | CrowdStrike on all servers and workstations |
| Backups | On the same server, plus a connected USB drive | Veeam Backup + rotational offline drives |
| User accounts | Weak passwords, no MFA, no lockout | Strong passwords, MFA, lockout policies |
| Asset inventory | None | Full device inventory |
| Incident response plan | None in place | Documented playbook delivered |
The results
What changed, in practice.
- Zero repeat incidents since the recovery
- Full device inventory created for the first time
- Documented incident response playbook now in place
- Layered backup strategy protects against future attacks
A note from our team
If a client calls over the weekend, it is almost always ransomware. We went immediately, and the whole team rallied, including all 300 staff who helped re-enter two days of missing data by hand.
Dhanasekar
Chief Technology Officer, Uniware Systems
Facing something similar?
Talk to the Uniware team about ransomware recovery and prevention, before an attack forces the conversation.
Book a Security Review