Background
A mid-sized UK manufacturer with a mixed IT/OT environment discovered LockBit 3.0 ransomware active across their estate on a Monday morning. Production lines were halted. The initial demand was $1.8m with a 72-hour payment deadline.
The organisation had no IR retainer in place and had never dealt with a ransomware incident. Binary Response was engaged within 4 hours of discovery.
The OT Challenge
Manufacturing environments present unique IR challenges. OT systems — PLCs, HMIs, SCADA — often cannot be simply isolated without halting production indefinitely. Some cannot be reimaged. Some run legacy operating systems that cannot accept modern security tooling. The containment strategy in an OT environment requires surgical precision that general-purpose IR does not.
Our team's OT experience meant we could distinguish between systems that could be taken offline and those that needed to stay up for production safety reasons. Containment was applied in phases, preserving operational continuity in the production-critical areas while isolating the affected administrative network.
Parallel Recovery Assessment
Before entering negotiation, we conducted a rapid backup assessment. The manufacturer had what appeared to be a comprehensive backup strategy — but LockBit affiliates routinely target backup infrastructure specifically. Our assessment found that approximately 40% of backups had been encrypted. The remaining 60% — including production system images — were clean and restorable.
This was the key intelligence that shaped negotiation strategy. The decryptor value was limited to systems not restorable from backup. LockBit's $1.8m demand assumed full encryption with no viable recovery path — an assumption we could directly challenge.
Negotiation
LockBit 3.0 affiliates vary significantly in their behaviour. We profiled the specific affiliate involved based on the negotiation portal, ransom note format, and initial communications — cross-referencing with our database of prior LockBit engagements.
Sanctions screening returned clear. We entered negotiation with a clear position: documented financial evidence of the organisation's size and cash position, a viable recovery path for most systems that did not require a decryptor, and professional engagement that signalled the organisation was not panicking.
After 4 rounds of negotiation over 38 hours, a final settlement was reached at 32% of the initial demand. The decryptor was delivered, tested against a sample set of encrypted files, validated, and then deployed across the remaining affected systems. All files were recovered.
Post-Incident
Root cause: a contractor VPN account with no MFA and an overprivileged AD role. The account had been compromised 18 days prior via credential stuffing. The dwell time included 14 days of reconnaissance and staging before encryption was triggered.
Post-incident recommendations focused on MFA enforcement across all remote access, AD privilege model review, and OT network segmentation. The manufacturer subsequently engaged Binary Response on an IR retainer.
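The root cause above (a remote-access account with no MFA, taken over by credential stuffing and then left alone for days) is a pattern a SOC can detect from VPN authentication logs alone. The script below is an added example, not Binary Response's tooling and not the manufacturer's logs. The key=value log format, the IP addresses, the usernames and the thresholds are all constructed assumptions; adapt the parser and thresholds to your own VPN appliance's output. It flags three things: source IPs that fail against many distinct usernames in a short window (stuffing or spraying), a success from the same source shortly after that burst (the likely takeover), and any successful login that completed with no second factor.

```python
"""Credential-stuffing and no-MFA triage over VPN authentication logs.

Added example. Log lines are a constructed 'ts vpn auth key=value ...' format,
not any real appliance's output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source cycles through several usernames, then
# succeeds on a contractor account that has no MFA enrolled. The second
# source is a normal user mistyping a password once, which must not fire.
SAMPLE_LOGS = """\
2024-03-04T02:10:01Z vpn auth result=fail user=j.smith src=203.0.113.7 mfa=none
2024-03-04T02:10:03Z vpn auth result=fail user=a.jones src=203.0.113.7 mfa=none
2024-03-04T02:10:05Z vpn auth result=fail user=m.brown src=203.0.113.7 mfa=none
2024-03-04T02:10:07Z vpn auth result=fail user=p.wilson src=203.0.113.7 mfa=none
2024-03-04T02:10:09Z vpn auth result=fail user=contractor01 src=203.0.113.7 mfa=none
2024-03-04T02:10:12Z vpn auth result=success user=contractor01 src=203.0.113.7 mfa=none
2024-03-04T08:15:00Z vpn auth result=success user=j.smith src=198.51.100.20 mfa=totp
2024-03-04T08:16:30Z vpn auth result=fail user=j.smith src=198.51.100.20 mfa=totp
2024-03-04T08:16:45Z vpn auth result=success user=j.smith src=198.51.100.20 mfa=totp
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    fields["ts"] = ts
    return fields


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_distinct_users=4):
    """Source IPs whose failures span many distinct usernames inside `window`.

    One source trying many accounts is the signature of stuffing or spraying,
    the opposite of a single user failing repeatedly on their own account.
    Returns {src: sorted usernames that source failed against}.
    """
    failures = defaultdict(list)
    for e in events:
        if e.get("result") == "fail":
            failures[e["src"]].append(e)
    flagged = {}
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        for i, f in enumerate(fails):
            # distinct users failed from this source in the window ending at f
            users = {g["user"] for g in fails[: i + 1] if f["ts"] - g["ts"] <= window}
            if len(users) >= min_distinct_users:
                flagged[src] = sorted({g["user"] for g in fails})
                break
    return flagged


def detect_takeover(events, window=timedelta(minutes=10), min_failures=3):
    """Successes preceded by a burst of failures from the same source.

    Returns [(src, user)] in log order; these are the candidate account
    takeovers to investigate first.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e.get("result") != "success":
                continue
            prior_fails = [g for g in evs[:i]
                           if g.get("result") == "fail" and e["ts"] - g["ts"] <= window]
            if len(prior_fails) >= min_failures:
                hits.append((src, e["user"]))
    return hits


def successful_logins_without_mfa(events):
    """Accounts that completed a VPN login with no second factor at all."""
    return sorted({e["user"] for e in events
                   if e.get("result") == "success" and e.get("mfa") == "none"})


def triage(text):
    """Run all three checks over raw log text and return the findings."""
    events = parse_logs(text)
    return {
        "stuffing_sources": detect_credential_stuffing(events),
        "takeover_candidates": detect_takeover(events),
        "no_mfa_logins": successful_logins_without_mfa(events),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOGS).items():
        print(f"{name}: {finding}")
```

On the constructed sample the stuffing check fires only for 203.0.113.7, the takeover check returns that source paired with contractor01, and the no-MFA list contains contractor01 alone; the legitimate user on 198.51.100.20 trips none of the three. The "no_mfa_logins" list is the one worth reviewing continuously, since every name on it is an account that would have been recoverable with the MFA enforcement recommended above.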
Outcome
- Production halted for 31 hours total — contained significantly faster than industry average for comparable incidents
- $1.8m initial demand reduced to 32% of original figure
- All encrypted systems recovered — decryptor tested and validated before payment
- No customer data confirmed exfiltrated — no ICO notification required
- Insurance claim supported with full forensic documentation