CASE STUDY

From $67M in Losses to Zero Ransom Paid: A Ransomware Rescue Case

Background

One of the world’s top 10 poultry producers, exporting to over 70 countries, was hit hard by a targeted cyberattack. Conti, a well-known hacker group linked to Russia, set out to steal data, achieve financial gain, and disrupt business operations.

When breach reports surfaced publicly, UnderDefense reached out to offer assistance. At first, the company decided to handle the incident on its own, spending two weeks on self-recovery attempts. After consulting with industry peers and getting positive feedback on our forensics and incident response capabilities, their CIO got in touch.

Our team uncovered the root cause, restored and purged the network, and guided the recovery process. What started as a critical intervention evolved into a long-term MDR partnership, ensuring the company’s defenses are stronger and smarter.

The Challenge

Despite being a global enterprise with 35,000 employees and a strong focus on network security controls, our client faced a devastating cyberattack. For critical business reasons, the client had loosened security protocols and granted VPN bypass privileges to certain users, which opened weak spots for attackers.

They already had a 14-person security team, including 7 SOC specialists, IBM QRadar SIEM, FortiClient endpoint protection, 24/7 monitoring, and segmented VMware infrastructure. On paper, the company’s security coverage looked solid. However, these tools and processes had never been stress-tested under real-world attack conditions. As a result, when it mattered most, their SOC was flooded with alerts and failed to detect the breach early on.

Their security stack overlooked the initial intrusion, which happened 41 days before data encryption. During this time, threat actors deployed password stealers and used different IP addresses to compromise an unprotected user account and an Internet-facing Virtual Desktop Infrastructure (VDI) panel.

The ransomware reached 22 hypervisors and caused two weeks of complete system downtime. The financial loss during that period alone amounted to $29.73 million. The company was very close to complete disaster: for each additional week the ransomware remained hidden, they would have risked another $15 million. On top of that, a potential $7M ransom would have been compounded by the costs of data recovery and reputational damage.

About the client

Industry: Food Production
Project Duration: December 2024 – Ongoing
Technologies and Tools: EDR, MDR

Key Results

  • $67 million in potential losses avoided by eliminating downtime and preventing a ransomware payment.
  • 90% improvement in incident response speed to handle threats in minutes, instead of hours or days. 
  • 100+ custom detection rules were implemented to replace over 900 outdated and ineffective ones. 
  • 30 critical alerts per day that cut through the noise, instead of 100 false positives that overwhelmed the team and delayed breach detection.
  • Reestablished full visibility and control over the infrastructure and patched critical vulnerabilities. 
  • Network segmentation was redesigned to block lateral movement and isolate threats before they spread. 

The Solution

Our cybersecurity team acted fast to stop the attack and prevent reinfection. 

Here’s what we did:

  1. Rapid Containment and Endpoint Protection: We established communication with the client’s IT and SOC teams to align on every decision in real time. Our experts deployed an advanced EDR system across infected endpoints to contain the threat. With the client’s help, we built an up-to-date identity inventory and network diagram to establish the attack scope.
  2. Deep Investigation and Threat Removal: Our Digital Forensics and Incident Response (DFIR) team analyzed collected artifacts and logs to reconstruct the complete attack chain, from patient zero to privilege escalation. Next, we uncovered and removed all malicious persistence mechanisms and implemented quick fixes to stop the attack from spreading during the remaining investigation stages. The client received regular status updates for full visibility.
  3. Long-Term Security Improvements: The UnderDefense specialists corrected misconfigurations in the client’s Active Directory environment to minimize the risk of future privilege escalation. Then, we enhanced their SIEM with 100+ custom detection rules to reduce false positives and accelerate SOC response. 
  4. Ongoing Protection with UnderDefense MDR: 
  • 24/7 threat monitoring 
  • Extending the client’s in-house SOC with our expert SOC team
  • Full visibility into emerging threats using the UnderDefense MAXI platform

Complete Incident Timeline

The attackers remained undetected for too long before activating ransomware and halting critical processes in the client’s systems. However, we managed to remediate the attack quickly. Here is how it unfolded:

  1. Initial access to the network (Early December 2024):
The attackers entered the network by compromising an unprotected user account and an Internet-facing Virtual Desktop Infrastructure (VDI) panel.
  2. Lateral movement and gaining more control (Late December 2024):
The attackers moved laterally within the network, undetected by the in-house SOC team and security solutions.
  3. Pretending to be a domain controller (Early January 2025):
The hacker group executed a DCSync attack, ultimately compromising the Active Directory domain.
  4. Activating the ransomware (Late January 2025):
Ransomware was deployed, spreading across the network and encrypting critical systems.
  5. First minutes after the client contacted us for help:
Established continuous communication with the client’s IT and SOC experts via Microsoft Teams. Outlined the next steps and aligned on immediate actions.
  6. First hours of our involvement:
Configured 24/7 monitoring with UnderDefense EDR across the whole network. Gained access to the compromised parts for in-depth investigation and forensic analysis.
  7. First week of our involvement:
Identified the initial point of compromise (patient zero) and executed short-term remediation measures while continuing the investigation. Provided regular status updates to the customer.
  8. Second week of our involvement:
Reconstructed the attack timeline and verified the absence of active threats or backdoors. Identified critical security misconfigurations and provided recommendations. Developed a plan for long-term security improvements and established 24/7 MDR monitoring. Configured SIEM and implemented 100+ custom detection rules to enhance network visibility.
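The DCSync step in the timeline is one of the things a custom SIEM rule can catch: a domain controller replicating directory data is normal, but an ordinary user account requesting the directory replication extended rights is not. The check below is an added illustration, not UnderDefense's own rule or code; the event record format, the sample records and the list of known domain controller accounts are constructed for this example.

```python
import re
from typing import Dict, List

# Extended-right GUIDs a directory replication (DCSync-style) request needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Constructed computer accounts of the legitimate domain controllers (assumption).
KNOWN_DCS = {"DC01$", "DC02$"}

# Constructed records mimicking fields of Windows Security event ID 4662.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC02$ ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe ObjectType=user "
    "Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624 SubjectUserName=jdoe LogonType=3",
]

def parse_event(line: str) -> Dict[str, str]:
    """Turn a 'key=value' record into a dict; bare tokens extend the Properties field."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            fields["Properties"] = fields.get("Properties", "") + " " + token
    return fields

def detect_dcsync(lines: List[str], known_dcs: set) -> List[Dict[str, object]]:
    """Flag 4662 events where an account other than a known DC requested replication rights."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = [REPLICATION_RIGHTS[g] for g in GUID_RE.findall(ev.get("Properties", ""))
                  if g in REPLICATION_RIGHTS]
        if rights and ev.get("SubjectUserName") not in known_dcs:
            alerts.append({"account": ev["SubjectUserName"], "rights": sorted(rights)})
    return alerts

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"DCSync suspect: {alert['account']} requested {', '.join(alert['rights'])}")
```

Only the second record fires: the first comes from a known DC, the third touches a different right, and the fourth is not a 4662 event at all, which is the kind of noise reduction the 100+ replacement rules were meant to achieve.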

Outcomes

Thanks to our timely involvement, the client avoided over $67 million in potential losses and regained control over their infrastructure.

Business Impact

  • $67 million saved by preventing prolonged downtime and reputational damage.
  • Full environment control restored with security gaps successfully remediated. 
  • 90% faster incident response time. 


SOC Optimization

  • 100+ personalized detection rules replaced over 900 ineffective and noisy rules. 
  • 30 critical alerts per day instead of 100 false positives. 
  • Automated alert triage, threat detection, and response.

Security Posture Improvement

  • The onboarding process was restructured to close security gaps that caused the breach.
  • Network segmentation was redesigned to prevent lateral movement.
  • Regular security drills and penetration testing to validate the effectiveness of system defenses.

Roadmap for 2025

To prevent another breach, we developed a SOC-as-a-Service roadmap:

Step 1. Fully reconfigure correlation rules for the client’s current SIEM tool.

Step 2. Align detection capabilities with current infrastructure needs using the MITRE ATT&CK framework.

Step 3. Identify vulnerabilities and map risks for better preparedness.

Step 4. Optimize SOC team workflows to minimize investigation time and boost threat mitigation.

Step 5. Use an extensive metrics dashboard to assess SOC effectiveness. 

Step 6. Rebuild the data collection architecture for enhanced threat detection.

Step 7. Move the SIEM system to the cloud, outside the core IT infrastructure, so it remains unaffected in case of another attack.

Lessons Learned

A ransomware attack isn’t always what it seems. Even if you’ve done everything right on paper, you can still miss critical security measures. Here’s what you can learn from this case:

  • More logs and alerts don’t automatically mean better security. Despite having terabytes of SIEM data and hundreds of alerts, the client still missed the ransomware attack. 
  • An internal SOC team isn’t always more effective than an outsourced one. Hackers moved undetected for over a month in the client’s network. 
  • Network segmentation is rarely stress-tested. The client’s assumed segmentation failed entirely, allowing attackers to escalate privileges with ease. 
  • Insecure onboarding procedures created the initial attack vector, granting threat actors easy access to critical systems.

What a ransomware attack really looks like

Total Cybersecurity: 24/7 Protection with MDR, SOC, and Managed SIEM

Removing ransomware is a stressful task, especially if you lack the expertise and experience to deal with hacker attacks. We will help you protect sensitive data and save thousands, if not millions.

MDR:

  • 24/7 protection across cloud and network 
  • 360° visibility into threats and automated remediation
  • Seamless integration with your existing tools, no replacements needed 


SOCaaS:

  • 96% containment rate before any damage 
  • Instant access to seasoned SOC experts 
  • Up to 80% lower cost than running an in-house team 
  • Alert fatigue cut by 82%


Managed SIEM:

  • No tuning headaches: our team handles all configurations
  • Faster deployment without tiresome onboarding 
  • Automated compliance reporting for SOC 2, HIPAA, ISO 27001, and GDPR

Don’t wait until it’s too late

Partner with UnderDefense to stop ransomware and find hidden vulnerabilities in your system.