
Case Studies

Anonymised accounts of real engagements. Names, sectors, and identifying details have been changed or omitted to protect client confidentiality.

Ransomware Response | Manufacturing | 850 Employees

LockBit Attack on Manufacturing Client: 11-Day Recovery

Situation: A UK manufacturing company with 850 employees discovered their entire VMware ESXi environment encrypted at 06:00 on a Monday morning. Production lines halted. Backup servers had been encrypted alongside primary infrastructure. The threat actor had been present in the environment for 18 days before deploying ransomware.

Response: Binary Response was engaged at 07:30. Within two hours we had identified the initial access vector (an unpatched Fortinet VPN appliance), contained the incident by isolating affected network segments, and begun forensic triage. Negotiation advisory commenced in parallel. The threat actor's demand was reduced by 62% over four days of structured negotiation. Decryptors were tested before any payment was considered.

Outcome: Full operational recovery achieved in 11 days. Forensic investigation established the complete attacker timeline and identified two additional dormant persistence mechanisms that would have enabled re-attack. ICO notification filed on day 4. Client enrolled in IR retainer post-engagement.

Key figures: 11 days to full recovery; 62% demand reduction; 2 persistence mechanisms found.

BEC Investigation | Professional Services | M365 Environment

Business Email Compromise: £340k Fraudulent Transfer Investigation

Situation: A professional services firm discovered a £340,000 payment had been made to a fraudulent bank account following a business email compromise. The finance director’s Microsoft 365 account had been compromised six weeks earlier. The attacker had been silently monitoring email traffic and intercepted a legitimate supplier payment instruction, substituting their own account details.

Investigation: Binary Response conducted a full M365 forensic investigation. We reconstructed the complete attacker timeline — from initial account compromise via a consent phishing email, through six weeks of surveillance, to the payment interception. We identified that two additional senior accounts had been compromised and were still under attacker control. We also identified a forwarding rule silently copying all emails to an external address.

Outcome: Evidence package submitted to Action Fraud and the firm’s bank within 48 hours. £210,000 was recovered via the banking sector fraud recall process. The forensic evidence supported a subsequent civil claim. ICO notification filed. Full post-incident hardening recommendations implemented.

Key figures: £210k funds recovered; 48 hours to evidence submission; 6 weeks attacker dwell time found.

Dark Web Monitoring | Healthcare | Proactive Disclosure

Dark Web Alert Prevents Ransomware Deployment

Situation: At 14:30 on a Tuesday, Binary Response dark web monitoring detected a posting on a criminal forum advertising access to a private healthcare provider’s network. The post included evidence screenshots showing active RDP sessions and domain administrator credentials. The client had no awareness of any compromise.

Response: The client’s named incident contact was called within 20 minutes of the alert. Emergency IR engagement commenced immediately. We confirmed the access was live, identified the compromised system (an unpatched remote desktop gateway), and worked with the client’s IT team to isolate it within three hours. Forensic investigation confirmed the threat actor had been present for four days and had conducted reconnaissance but had not yet deployed ransomware or exfiltrated data.

Outcome: Ransomware deployment prevented entirely. No evidence of data exfiltration was found. ICO notification not required (no personal data at risk). Client enrolled in IR retainer with dark web monitoring as a direct result. Estimated avoided cost based on similar healthcare sector incidents: £1.2M–£3M.

Key figures: 20 minutes from alert to client call; 3 hours to access removed; £0 ransom paid.

Insider Threat | Financial Services | Employment Dispute

Covert Data Exfiltration by Departing Senior Employee

Situation: A financial services firm suspected a departing director had exfiltrated a client database and confidential pricing models to a competitor. The director had resigned with one week’s notice and started at a competitor ten days later. IT had seized the laptop but lacked forensic capability.

Investigation: Binary Response conducted a forensic examination of the laptop and M365 account. We identified over 4,000 documents accessed in the 72 hours before resignation, with 847 uploaded to a personal OneDrive account. Network logs confirmed large data transfers to a personal cloud storage service. We also identified that a personal USB drive had been connected on the final day in the office, with evidence of file copying.

Outcome: Expert witness report produced for High Court injunction proceedings. Emergency injunction granted within 48 hours, requiring the former employee to preserve and return all company data. The evidence package was provided to the firm’s employment lawyers for ongoing litigation. A financial settlement was reached before trial.

Key figures: 847 documents exfiltrated; 48 hours to court injunction; settlement reached.

Ransomware Negotiation | Legal/Professional Services | ALPHV/BlackCat

Ransomware Negotiation Saves Professional Services Firm £2.1M

Situation: An SRA-regulated professional services firm was hit by ALPHV/BlackCat with a £2.4M ransom demand. The firm held highly sensitive client data across multiple active matters, and the threat actor had exfiltrated a significant volume before deploying ransomware. Regulatory obligations were complex and time-sensitive.

Response: Binary Response conducted detailed threat actor profiling on the ALPHV/BlackCat group, including analysis of their negotiation patterns and decryptor reliability. Full OFAC/OFSI sanctions screening was completed before any engagement. Over four weeks of structured negotiation, the demand was reduced from £2.4M to £310k. The decryptor was validated on sample data before payment. A delayed payment window was negotiated to give the firm time to arrange cryptocurrency acquisition.

Outcome: £2.09M saved against original demand — an 87% reduction. The decryptor worked on first run with no data loss. SRA and ICO were notified within 72 hours. The firm’s professional indemnity insurer was fully briefed throughout.

Key figures: £2.1M saved; 87% demand reduction; 100% decryptor success.

Dark Web Alert | Financial Services | Initial Access Broker

Dark Web Alert Prevents Secondary Attack on Financial Services Client

Situation: A financial services client received a proactive dark web alert from Binary Response after we identified their corporate credentials being offered for sale on an initial access broker forum. The listing included domain admin credentials and evidence of persistent access. No ransomware had been deployed yet — the access was being sold to the highest bidder.

Response: Emergency incident response was initiated within 30 minutes of the alert. Our team identified a Cobalt Strike beacon active on a domain controller and confirmed the threat actor had been present for approximately 12 days conducting reconnaissance. The attacker was ejected, all compromised credentials were reset, and a full network sweep was conducted over 48 hours to confirm that no additional persistence mechanisms remained.

Outcome: Ransomware was never deployed. No data was exfiltrated. The FCA was notified as a precaution. The client enrolled in an IR retainer with continuous dark web monitoring. This case demonstrates how proactive monitoring catches threats that traditional security tools miss.

Key figures: £0 ransom paid; proactive detection method; 48 hours to full containment.

Ransomware Response | Manufacturing | LockBit 3.0

Manufacturing Recovery from LockBit in 72 Hours

Situation: LockBit 3.0 struck a UK manufacturing company at 17:00 on a Friday — a deliberate timing choice by the threat actor. With 340 employees and 90% of systems encrypted, production lines halted immediately. Estimated downtime cost was £80,000 per day. The ransomware demand was significant.

Response: Binary Response was engaged within 90 minutes. Rapid triage identified that the OT (operational technology) network had not been fully compromised and was isolated before encryption could spread to production control systems. Clean backups were identified from an air-gapped backup server. Parallel negotiation advisory was provided while technical recovery proceeded — ultimately the ransom was not paid.

Outcome: Core systems were restored within 72 hours. Full production resumed by Monday morning. Total cost avoidance was £420k compared to the projected £600k+ had recovery taken the industry average of 21 days. ICO was notified. Post-incident forensics confirmed zero data was leaked.

Key figures: 72 hours recovery time; £420k cost avoidance; 0 data leaked.

Discuss Your Situation

Every engagement is different. Contact us to discuss your specific situation — whether you're dealing with an active incident or planning ahead.
