All case studies
CybersecurityData ProtectionInfrastructure

Ransomware recovery for a five-division manufacturing business, in 72 hours.

A 300-person chemical manufacturing business with five divisions across Tamil Nadu. No ransom paid. No repeat incidents since.

72 Hrs
Full rebuild
5
Divisions restored
300+
Staff back online
Zero
Ransom paid

Client overview

Chemical Manufacturing

A 300-person chemical manufacturing business with five divisions across Tamil Nadu.

LocationChennai, India
Timeline72 hours, emergency response
Delivered byUniware Systems

Technologies used

CrowdStrike - Falcon EDR

Fortinet - Firewall

Veeam - Backup

The problem

A single server failure turned out to be the entire business.

Within hours, staff across all five divisions could not access files, applications, or any business system. The team initially thought one server had failed. Every server across every division had in fact been encrypted overnight, along with the laptops of finance and management staff.

There was no firewall at any location, no multi-factor authentication, and antivirus software that had been disabled by the attacker using standard Windows tools. The attacker had been inside the network for roughly 14 hours before the ransomware ran.

The only surviving restore point was a backup taken months earlier by a third-party software vendor during a routine upgrade.

The solution

A complete rebuild, from zero to fully protected.

Uniware's team followed the NIST Cybersecurity Framework end to end, giving the recovery a documented, auditable structure. This project took five stages. Others may take three, or six, depending on scope.

  1. 1
    Identify
    CrowdStrike deployed immediately across every reachable system, giving the team endpoint protection and the business's first complete device list at the same time.
  2. 2
    Protect
    Fortinet firewalls installed at every location. Secure VPN with MFA replaced exposed remote desktop access. Active Directory rebuilt from scratch with hardened policies.
  3. 3
    Detect
    Tamper-proof activity logging and automated alerts configured for suspicious behaviour going forward.
  4. 4
    Respond
    Compromised accounts disabled, passwords reset business-wide, forensic evidence preserved on original drives.
  5. 5
    Recover
    Servers rebuilt on clean hardware. Data restored from the last available backup, with the remaining gap re-entered by all 300 staff within two days.

Technologies used

Falcon EDRFirewallBackup

Before and after

Read row by row, what actually changed.

MetricBeforeAfter
FirewallNone at any locationFortinet with IPS at every location
Remote accessExposed, no MFASecure VPN with MFA
Endpoint protectionBasic antivirus, disabled by attackerCrowdStrike on all servers and workstations
BackupsOn the same server, plus a connected USB driveVeeam Backup + rotational offline drives
User accountsWeak passwords, no MFA, no lockoutStrong passwords, MFA, lockout policies
Asset inventoryNoneFull device inventory
Incident response planNone in placeDocumented playbook delivered

The results

What changed, in practice.

  • Zero repeat incidents since the recovery
  • Full device inventory created for the first time
  • Documented incident response playbook now in place
  • Layered backup strategy protects against future attacks

A note from our team

If a client calls over the weekend, it is almost always ransomware. We went immediately, and the whole team rallied, including all 300 staff who helped re-enter two days of missing data by hand.

Dhanasekar

Chief Technology Officer, Uniware Systems

What's next. Phase 2 is underway: long-term backup retention is moving to the cloud, layered on top of the fast local recovery already in place.

Facing something similar?

Talk to the Uniware team about ransomware recovery and prevention, before an attack forces the conversation.

Book a Security Review