LockBit Attack on Manufacturing Client: 11-Day Recovery
Situation: A UK manufacturing company with 850 employees discovered their entire VMware ESXi environment encrypted at 06:00 on a Monday morning. Production lines halted. Backup servers had been encrypted alongside primary infrastructure. The threat actor had been present in the environment for 18 days before deploying ransomware.
Response: Binary Response was engaged at 07:30. Within two hours we had identified the initial access vector (an unpatched Fortinet VPN appliance), contained the incident by isolating affected network segments, and begun forensic triage. Negotiation advisory commenced in parallel. The threat actor's demand was reduced by 62% over four days of structured negotiation. Decryptors were tested before any payment was considered.
Outcome: Full operational recovery was achieved in 11 days. The forensic investigation established the complete attacker timeline and identified two additional dormant persistence mechanisms that would have enabled re-attack. ICO notification was filed on day 4. The client enrolled in an IR retainer post-engagement.