The situation
A complex Australian business fell victim to a ransomware attack that halted its production, and it was uncertain how effective its backups were. The business engaged us to provide guidance and expertise, working alongside its internal IT teams, MSP, and MSSP to recover from the incident.
Details in this case study have been altered to protect client confidentiality. The core facts, forensic methodology, and outcomes are accurate.
What we found
The ransomware had spread across the business’s server infrastructure, encrypting production systems and creating uncertainty about which systems were compromised and which were clean. The business needed rapid triage across approximately 100 servers and workstations to identify infections and prioritise recovery.
How we responded
We provided leadership and guidance based on NIST Special Publication 800-61 (Computer Security Incident Handling Guide) and our own forensic procedures:
- Incident leadership: coordinating the response across the company’s internal IT teams, their MSP, and their MSSP
- Networked forensic analysis: using our systems to perform rapid forensic scans across approximately 100 servers and workstations, identifying and tracking malware infections
- Recovery prioritisation: guiding the teams on which systems to restore first based on business criticality and infection status
- Malware elimination: ensuring infected systems were cleaned before reconnection to the network
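The prioritisation and elimination steps above come down to one rule set: order restoration by business criticality, but never clear a host for reconnection while it still shows an active infection or has not been scanned at all. The script below is an added example, not the consultancy's own tooling or the client's data. It assumes a constructed, CSV-like per-host scan output (host, criticality tier, scan status, semicolon-separated indicators) of the kind a networked forensic scan could emit, and turns it into three queues: hosts cleared to restore now, infected hosts that must be cleaned and re-scanned first, and unscanned hosts that stay deferred.

```python
"""Restore-order triage after a ransomware incident (added example).

Input format is an assumption for this example: one host per line,
"host,criticality,status,indicator;indicator". Criticality 1 is most
critical. Status is one of clean / infected / cleaned / unknown.
All hosts and scan results below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    CLEAN = "clean"        # scan found no indicators
    INFECTED = "infected"  # indicators found, not yet remediated
    CLEANED = "cleaned"    # was infected, remediation verified by re-scan
    UNKNOWN = "unknown"    # scan did not reach this host


class Queue(Enum):
    RESTORE = "restore"      # cleared to reconnect now
    REMEDIATE = "remediate"  # clean, re-scan, then restore
    DEFER = "defer"          # do not reconnect until scanned


@dataclass(frozen=True)
class HostScan:
    host: str
    criticality: int
    status: Status
    indicators: tuple[str, ...] = ()


def queue_for(scan: HostScan) -> Queue:
    """Apply the reconnection rule: only hosts with no active or unknown
    infection state are cleared; infected hosts go to remediation first."""
    if scan.status is Status.INFECTED:
        return Queue.REMEDIATE
    if scan.status is Status.UNKNOWN:
        return Queue.DEFER
    return Queue.RESTORE


def parse_scan_line(line: str) -> HostScan:
    """Parse one constructed scan line into a HostScan record."""
    host, crit, status, *rest = line.strip().split(",")
    indicators = tuple(i for i in rest[0].split(";") if i) if rest else ()
    return HostScan(host, int(crit), Status(status), indicators)


def plan(scans: list[HostScan]) -> dict[str, list[str]]:
    """Group hosts into queues, each ordered most-critical first
    (ties broken by host name so the order is reproducible)."""
    queues: dict[str, list[HostScan]] = {q.value: [] for q in Queue}
    for scan in scans:
        queues[queue_for(scan).value].append(scan)
    return {
        name: [s.host for s in sorted(hosts, key=lambda s: (s.criticality, s.host))]
        for name, hosts in queues.items()
    }


# Constructed sample scan output; not from any real estate.
SAMPLE_SCAN = """\
erp-db-01,1,infected,ransom_note;encrypted_extension
erp-app-01,1,clean,
file-srv-02,2,cleaned,
hr-ws-17,3,infected,ransom_note
print-srv-01,3,clean,
dc-01,1,clean,
backup-srv-01,1,unknown,
"""


def triage(report: str = SAMPLE_SCAN) -> dict[str, list[str]]:
    """Parse a scan report and return the restore / remediate / defer queues."""
    scans = [parse_scan_line(line) for line in report.splitlines() if line.strip()]
    return plan(scans)


if __name__ == "__main__":
    for name, hosts in triage().items():
        print(f"{name}: {', '.join(hosts) or '(none)'}")
```

The deferred queue matters as much as the other two: a host the scan never reached is exactly the "uncertainty about which systems were compromised" the case study describes, and treating it as clean because nothing was found is how re-infection happens after reconnection.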
The outcome
By applying structured incident response methodology, we reduced guesswork and guided the combined IT teams to get the business back online sooner than expected. Our experience in leading incident response events and collaboration with the client’s IT teams, MSP, and MSSP proved valuable in restoring operations quickly and minimising business impact.
Lessons for similar organisations
- Structured incident response reduces recovery time. Following an established framework like NIST 800-61 gives teams a clear process when they are under pressure.
- Coordination across multiple providers is critical. Most businesses have internal IT, an MSP, and possibly an MSSP. Someone needs to lead. In a ransomware event, an experienced incident responder can coordinate all three effectively.
- Networked forensics enables rapid triage. Scanning 100 servers individually would take weeks. Networked forensic tools can identify infections across the estate in hours.
