Case Study — How a Cybersecurity Company in India Stopped a Ransomware Attack

Ransomware is one of the most devastating cyber threats facing Indian businesses today. In a matter of hours, a single ransomware attack can encrypt an entire organisation’s data, bring operations to a complete standstill, and demand crores of rupees in ransom — with no guarantee of data recovery even if the ransom is paid. For many businesses, a ransomware attack is not just a security incident — it is an existential crisis.
This case study tells the story of how a leading cybersecurity company in India detected, contained, and helped a mid-sized Indian manufacturing firm recover from a sophisticated ransomware attack — saving the business from what could have been a catastrophic, potentially company-ending event.
While specific identifying details have been changed to protect client confidentiality, the attack scenario, response methodology, and lessons learned are drawn from real-world ransomware incidents handled by cybersecurity companies in India.
Background — Meet the Client
The client is a mid-sized manufacturing firm headquartered in Pune, Maharashtra, with approximately 800 employees, three production facilities across Maharashtra and Gujarat, and an annual revenue of approximately ₹250 crore. Like many Indian manufacturers, the company had undergone rapid digital transformation over the previous three years — moving from largely manual processes to an integrated ERP system, connecting their production floor machinery to a centralised monitoring platform, and enabling remote work capabilities for their administrative and management teams.
Their IT infrastructure included a hybrid environment of on-premise servers running their ERP and production management systems, a Microsoft Azure cloud environment hosting their customer portal and document management system, approximately 650 employee endpoints including laptops and desktop computers, a network of 120 IoT-connected production floor devices, and a small internal IT team of six people with no dedicated cybersecurity expertise.
The company had basic security measures in place — a perimeter firewall, standard antivirus software on endpoints, and Microsoft 365 for email and productivity. They had no dedicated Security Operations Centre, no Incident Response Plan, and no managed security services engagement. Cybersecurity was handled reactively by their internal IT team alongside their regular IT support responsibilities.
Six months before the attack, the company’s CFO had flagged cybersecurity as a growing concern during a board meeting — particularly after hearing about ransomware attacks on other Indian manufacturers at an industry conference. The board had approved a budget to engage a cybersecurity company in India for a security assessment and to explore managed security services. The engagement was still being finalised when the attack happened.
The Attack — What Happened and How
Day 0 — The Initial Breach
The attack began not with sophisticated hacking tools or zero-day exploits — but with a phishing email. At 9:47 AM on a Tuesday morning, a purchase manager in the company’s procurement department received an email that appeared to come from one of their regular suppliers. The email was well-crafted, referencing a real ongoing purchase order by number, and contained what appeared to be an updated invoice PDF attachment.
The purchase manager, seeing nothing unusual about the email, opened the attachment. The PDF contained an embedded macro that, when enabled, silently downloaded and executed a trojan — a remote access tool that gave the attacker an invisible foothold inside the company’s network.
This initial compromise went completely undetected. The company’s standard antivirus software did not flag the trojan because it used a polymorphic code structure that had never been seen before — a technique increasingly common in modern ransomware campaigns and one that traditional signature-based antivirus tools are fundamentally unable to detect.
Days 0 to 14 — Quiet Reconnaissance
For the next fourteen days, the attacker operated silently inside the network — a phase known in cybersecurity as dwell time. During this period the attacker conducted extensive reconnaissance of the company’s environment, mapping the network topology, identifying critical systems and data repositories, locating backup servers and understanding the backup architecture, harvesting credentials by capturing network traffic and extracting stored passwords, escalating privileges by exploiting a vulnerability in an unpatched internal application to gain domain administrator access, and disabling Windows Defender on key servers using the newly acquired administrator credentials.
None of this activity triggered any alerts. The company’s basic security tools had no visibility into lateral movement, privilege escalation, or credential harvesting — and their IT team had no mechanism for detecting these early-stage attack behaviours.
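As an added illustration (not the page's or the responding company's own code), this is the kind of detection logic a SOC would run over Windows event telemetry to catch the very behaviours that went unnoticed here: Defender being switched off on a key server, an account being added to Domain Admins, and one account fanning out across many hosts. The event records, hostnames and accounts are constructed.

```python
from collections import defaultdict

# Constructed sample events in a simplified dict form (hostnames and
# accounts are hypothetical); a real SOC would read these from a SIEM.
EVENTS = [
    # Real-time protection switched off on a key server (Defender 5001).
    {"host": "ERP-DB01", "provider": "Microsoft-Windows-Windows Defender",
     "event_id": 5001, "user": "CORP\\svc-backup"},
    # A user added to Domain Admins (Security 4728).
    {"host": "DC01", "provider": "Microsoft-Windows-Security-Auditing",
     "event_id": 4728, "user": "CORP\\svc-backup",
     "group": "Domain Admins", "member": "CORP\\jdoe"},
    # One account making network logons (4624, logon type 3) to many hosts.
    *[{"host": h, "provider": "Microsoft-Windows-Security-Auditing",
       "event_id": 4624, "logon_type": 3, "user": "CORP\\jdoe"}
      for h in ("ERP-APP01", "FILE01", "BACKUP01", "HR-WS12")],
    # Normal activity: a user reaching a single file server.
    {"host": "FILE01", "provider": "Microsoft-Windows-Security-Auditing",
     "event_id": 4624, "logon_type": 3, "user": "CORP\\asmith"},
]

CRITICAL_HOSTS = {"ERP-DB01", "ERP-APP01", "DC01", "BACKUP01"}

def defender_disabled(events, critical_hosts):
    """Defender real-time protection disabled on a critical host."""
    return [e for e in events
            if e["provider"] == "Microsoft-Windows-Windows Defender"
            and e["event_id"] == 5001 and e["host"] in critical_hosts]

def domain_admin_added(events):
    """Any membership change to the Domain Admins group."""
    return [e for e in events
            if e["event_id"] == 4728 and e.get("group") == "Domain Admins"]

def logon_fan_out(events, max_hosts=3):
    """Accounts with network logons to more than max_hosts distinct hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 3:
            hosts[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) > max_hosts}

def run_rules(events, critical_hosts):
    """Return one human-readable alert line per finding."""
    alerts = [f"DEFENDER OFF on {e['host']} by {e['user']}"
              for e in defender_disabled(events, critical_hosts)]
    alerts += [f"DOMAIN ADMINS changed: {e['member']} added by {e['user']}"
               for e in domain_admin_added(events)]
    alerts += [f"FAN-OUT: {u} logged on to {len(h)} hosts: {', '.join(h)}"
               for u, h in logon_fan_out(events).items()]
    return alerts

if __name__ == "__main__":
    for line in run_rules(EVENTS, CRITICAL_HOSTS):
        print(line)
```

Each of the three rules fires on the sample data, which is the point: with even this level of visibility into endpoint and directory events, the fourteen-day reconnaissance phase would not have been silent.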
Day 14 — The Ransomware Deployment
At 11:23 PM on a Friday night — deliberately chosen to maximise the time before discovery — the attacker executed the ransomware payload simultaneously across 47 servers and 312 endpoints. The ransomware encrypted files using military-grade AES-256 encryption, deleted all accessible backup copies, disabled recovery options on affected systems, and displayed a ransom note demanding payment of 85 Bitcoin — approximately ₹18 crore at the time — in exchange for the decryption key.
By the time the first employee arrived at work on Saturday morning and discovered that their computer would not start, the damage was already done. The company’s ERP system was down. Production management systems were offline. The customer portal was inaccessible. Email was partially functional only because it was hosted on Microsoft 365. The entire organisation was effectively paralysed.
The IT manager immediately called the company’s leadership team. Within an hour, the CEO made the call that would prove to be the most important decision of the entire crisis — he called a cybersecurity company in India that had been recommended by their industry association.
The Response — How the Cybersecurity Company in India Took Control
Hour 1 — Immediate Triage and Containment
The cybersecurity company in India received the emergency call at 8:47 AM Saturday morning. Within fifteen minutes, a senior incident response consultant was on a video call with the company’s IT manager and CEO — beginning the triage process immediately.
The first priority was containment — preventing the ransomware from spreading further to any systems that had not yet been encrypted. The incident response team provided immediate, specific instructions to isolate all affected network segments by disabling inter-VLAN routing on the core switch, physically disconnecting production floor IoT devices from the network, suspending all remote access VPN connections, and preserving all available system logs and network traffic captures before any recovery attempts began.
Within forty-five minutes of the initial call, the active spread of the ransomware had been contained. Systems that had not yet been encrypted — including some production floor workstations that had been powered off over the weekend — were preserved.
Simultaneously, the cybersecurity team deployed a forensic imaging tool to capture memory dumps and disk images from key affected systems — preserving the evidence needed to understand exactly how the attack had unfolded and identify the specific ransomware variant and attacker toolset.
Hours 2 to 8 — Forensic Investigation
With containment achieved, the cybersecurity company in India began a detailed forensic investigation — working to answer three critical questions. How did the attacker get in? How far did they get? And what data, if any, was exfiltrated before the ransomware was deployed?
The forensic team analysed preserved system logs, network traffic captures, Windows Event logs, and endpoint telemetry — piecing together the complete attack timeline from the initial phishing email through to the ransomware deployment fourteen days later.
Within eight hours, the team had reconstructed the full attack chain — identifying the specific phishing email that initiated the compromise, the trojan used for initial access, the exact path of lateral movement through the network, the privilege escalation technique used to gain domain administrator access, the specific ransomware variant deployed, and critically — whether any data had been exfiltrated before encryption.
The data exfiltration analysis was a particular concern. Modern ransomware attacks frequently involve double extortion — where attackers steal sensitive data before encrypting it and threaten to publish it publicly if the ransom is not paid. The forensic analysis of network traffic logs revealed evidence of data exfiltration — approximately 28 GB of data had been transferred to an external server over the preceding three days. The cybersecurity team identified the specific datasets involved — primarily financial records and supplier contracts — and advised the client accordingly.
Hours 8 to 24 — Regulatory Notification
The confirmed data exfiltration triggered mandatory regulatory notification obligations. The cybersecurity company in India immediately advised the client of their obligations under CERT-In’s incident reporting directive — which requires notification of cybersecurity incidents within six hours of detection.
The incident response team prepared and submitted the CERT-In notification on behalf of the client — compiling all required technical details including the attack vector, ransomware variant, systems affected, data potentially compromised, and containment measures taken. This rapid, accurate regulatory notification — completed within the required timeframe — protected the client from potential regulatory penalties for delayed reporting.
The cybersecurity team also advised the client on notifications required under their cyber insurance policy, communications to affected business partners whose data may have been compromised, and preliminary advice on DPDP Act implications given the personal data potentially included in the exfiltrated datasets.
Days 2 to 7 — Recovery Planning and Execution
With containment achieved, forensics completed, and regulatory notifications filed, the cybersecurity company in India shifted focus to recovery — helping the client restore operations as quickly and safely as possible.
The recovery process began with a critical assessment — identifying which systems could be recovered from backups, which backups were intact, and in what priority order systems should be restored to minimise business impact. Although the ransomware had successfully deleted the primary backup copies accessible from the network, the forensic investigation had confirmed that offline backups stored on tape — physically disconnected from the network — had survived intact.
The recovery team prioritised restoration in three phases. Phase one focused on restoring the ERP system and core business operations — the systems whose unavailability was causing the greatest operational and financial impact. Phase two restored the customer portal and supplier communication systems. Phase three addressed endpoint recovery — rebuilding or restoring the 312 affected employee computers.
Throughout the recovery process, the cybersecurity company in India ensured that every restored system was thoroughly scanned and validated before being reconnected to the network — preventing the scenario where a restored system carrying remnants of the attacker’s tools reinfects the environment.
By day seven, core business operations had been restored. Full operational recovery — including all endpoints and peripheral systems — was completed by day fourteen.
The Aftermath — What the Cybersecurity Company in India Did Next
Restoring operations was only the beginning. A cybersecurity company in India worth its name does not just put out the fire — it makes sure the building cannot burn down again.
Immediate Security Hardening
In the two weeks following the initial recovery, the cybersecurity team implemented a comprehensive set of immediate security hardening measures. These included deploying an AI-powered Endpoint Detection and Response (EDR) solution across all endpoints and servers, implementing multi-factor authentication (MFA) across all remote access, email, and privileged accounts, patching all identified unpatched vulnerabilities — starting with the internal application flaw exploited for privilege escalation, segmenting the production floor IoT network into an isolated VLAN with strict access controls, implementing email security controls including advanced phishing protection and macro blocking in Office documents, and deploying a privileged access management (PAM) solution to control and monitor the use of administrator credentials.
Managed Security Services Engagement
Following the incident, the manufacturing firm signed a twelve-month managed security services agreement with the cybersecurity company in India. Under this agreement, the cybersecurity partner provides 24/7 SOC monitoring with AI-powered threat detection, monthly vulnerability assessments and patch management, quarterly penetration testing, ongoing security awareness training for all employees, and a dedicated incident response retainer with guaranteed four-hour on-site response.
Building a Resilient Backup Architecture
One of the most critical lessons from the attack was the vulnerability of network-accessible backups to ransomware encryption. The cybersecurity team designed and implemented a new backup architecture based on the 3-2-1-1 principle — three copies of data, on two different media types, with one copy offsite, and one copy offline and air-gapped. This architecture ensures that even a sophisticated ransomware attack that successfully encrypts all network-accessible systems cannot reach the protected offline backup — guaranteeing recovery capability regardless of the attack’s severity.
Employee Security Awareness Training
Since the attack originated with a phishing email, employee security awareness was identified as a critical control gap. The cybersecurity company in India designed and delivered a comprehensive security awareness training programme — covering phishing recognition, safe email practices, password security, and incident reporting procedures. The programme includes monthly AI-powered phishing simulations that test employees with realistic, contextually relevant phishing scenarios — and provides immediate targeted training to anyone who falls for a simulation.
ISO 27001 Certification Journey
Six months after the incident, the manufacturing firm engaged the cybersecurity company in India to begin their ISO 27001 certification journey — formalising the security improvements made in the wake of the attack into a comprehensive, auditable Information Security Management System. The ISO 27001 programme was completed successfully ten months later — transforming a company that had been devastated by a ransomware attack into one with a certified, world-class information security posture.
The Numbers — What the Attack Cost and What Was Saved
Understanding the financial impact of the attack — and the value delivered by the cybersecurity company in India — provides important context for any business evaluating its own cybersecurity investment.
The total cost of the ransomware attack to the manufacturing firm included fourteen days of partial operational disruption estimated at ₹85 lakh in lost production and revenue, IT recovery costs of approximately ₹40 lakh including hardware replacement and recovery labour, legal and regulatory advisory costs of ₹12 lakh, reputational damage resulting in the temporary loss of two major supplier contracts worth approximately ₹1.2 crore annually, and cyber insurance premium increases of approximately ₹8 lakh per year.
The total direct and indirect cost of the attack was estimated at over ₹3 crore.
The ransom demand of ₹18 crore was not paid — thanks to the intact offline backups and the rapid, expert recovery support provided by the cybersecurity company in India.
The annual cost of the managed security services engagement signed after the attack — including 24/7 SOC monitoring, quarterly penetration testing, and ongoing security awareness training — is approximately ₹36 lakh per year, a fraction of what a single ransomware attack cost the business.
Key Lessons Every Indian Business Must Learn
This case study carries powerful lessons for every Indian business — regardless of size, industry, or current security maturity.
Phishing remains the most common entry point for ransomware attacks. Employee security awareness training is not optional — it is one of the highest-ROI security investments any business can make. Attackers are patient. The fourteen-day dwell time in this attack is not unusual — the average attacker dwells inside a network for weeks or months before deploying ransomware. Early detection through 24/7 monitoring is the only reliable way to catch attackers during this reconnaissance phase.
Backups are your last line of defence against ransomware — but only if they are offline, air-gapped, and regularly tested. Network-accessible backups will be encrypted along with everything else. Basic security tools are no longer sufficient. Signature-based antivirus, perimeter firewalls, and reactive IT support cannot protect against modern, sophisticated ransomware campaigns. AI-powered threat detection and managed security services are now baseline requirements.
Speed of response is everything. The rapid containment achieved by the cybersecurity company in India in the first hour of the response prevented the ransomware from spreading to additional systems and preserved critical offline backups — directly enabling recovery without paying the ransom. Regulatory compliance is not separate from security — it is part of it. Having a cybersecurity partner that understands CERT-In notification requirements and can file accurate, timely notifications on your behalf is critical for avoiding regulatory penalties on top of the attack itself.
Final Thoughts
Ransomware is not a distant threat that happens to other companies in other industries. It is an immediate, present danger facing Indian businesses of every size and sector — and it is growing more sophisticated every year.
This case study demonstrates clearly what is at stake when a ransomware attack strikes — and equally clearly what is possible when a skilled, experienced cybersecurity company in India is in your corner. The difference between a company that recovers from a ransomware attack within two weeks without paying the ransom and a company that faces months of disruption, crores in losses, and potential business failure often comes down to one thing — whether they had the right cybersecurity partner before the attack happened.
Do not wait for your own ransomware case study. Partner with a trusted cybersecurity company in India today — before the attackers make that decision for you.