Ransomware Response

A global manufacturer was unprepared when they were hit with every organization’s worst nightmare: a ransomware attack.

With severe technical debt and a brand-new IT team, they were facing damages that could put them out of business. As their trusted partner, Arraya guided them through their response and recovery.

Today, they’re more protected and prepared than ever.

BACKSTORY

Our client, a global manufacturer, had severe technical debt and a new IT team.

Once a new CIO came on board, he contracted with Arraya to address vulnerabilities and improve their security posture. A new backup system had just been implemented and more changes were in the pipeline.

The Friday before Thanksgiving, we had a meeting with the client to discuss the results of our security assessment and go over identified issues, along with our recommendations for addressing these risks. Over that weekend, their enterprise resource planning (ERP) system stopped working. They would quickly come to learn that they had fallen victim to a ransomware attack.

IDENTIFICATION

On Sunday evening, Arraya was contacted. Within an hour, we had communicated with all client stakeholders to establish what the issue was, which systems were giving them trouble, and what had transpired to date. We discovered that several files had been encrypted, and that this encryption was the cause of the ERP system’s issues.

Because of our previous work with the client, we already had access to their system, and we were familiar with how their organization functioned. This allowed us to act immediately, and they gave us the autonomy to make decisions on their behalf.

We brokered in our partner, SEVN-X, as the incident response and forensics team to determine how this attack happened, how far it had spread, and how it could be contained.

MITIGATION

Arraya’s team acted as the incident coordinator, effectively quarterbacking the remediation and recovery efforts.

We directed executive leadership to invoke their cyber insurance policy and get a claim filed. We kept every system powered on to preserve evidence for the forensic effort, but disconnected all known systems from the network so the ransomware could not spread further.

We were in constant communication with all parties involved regarding the ransom demand, and it was ultimately decided that it would not be paid.

By late night Monday, we had an action plan put together.

INVESTIGATION

Over the next few days, SEVN-X worked through the forensics process, which is very labor intensive because every machine had to be assessed. They started with known affected systems and worked through each remaining system individually from there.

Throughout this process, a full inventory of all systems in the network was created that all parties could access, monitor, and update. The goal was to determine what systems needed to be restored and what that process would entail. This depended on what the resources were, how much data they involved, and more.

In parallel, Carbon Black was rolled out as a central endpoint detection & response (EDR) platform to monitor for any issues once the systems were cleaned. As indicators of compromise (IOCs) were discovered by SEVN-X, Carbon Black was updated to detect and block the corresponding malicious activity.

RECOVERY

Just prior to the ransomware attack, the client had begun backing up their data to an off-site location. Rather than pulling that data back over the internet, we restored systems at the off-site location itself, which allowed the client to get select systems online in about an hour.

As there was no predetermined incident response plan in place, Arraya was responsible for reviewing and prioritizing what systems to restore based on the critical path. This means we first identified and prioritized the minimum number of systems that would make the biggest impact in continuing operations.
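The critical-path prioritization described above can be made explicit as a dependency graph over the system inventory: restore only the systems the most business-critical services depend on, and restore each one only after its own dependencies are back. The following is an added example, not Arraya's or SEVN-X's tooling; the system names, dependencies and impact scores are constructed for illustration.

```python
"""Restore sequencing by critical path.

Added example (not the case study's own code): models the "minimum number of
systems that make the biggest impact" prioritization. The inventory below is
constructed; real inventories come from the shared asset list built during the
investigation.
"""

# Constructed inventory: system -> (systems it depends on, business impact 1-10)
INVENTORY = {
    "dc01":        ([], 10),                  # Active Directory domain controller
    "dns":         (["dc01"], 9),
    "erp-db":      (["dc01", "dns"], 9),
    "erp-app":     (["erp-db", "dns"], 10),   # the ERP front end the business runs on
    "file-server": (["dc01", "dns"], 6),
    "mail":        (["dc01", "dns"], 7),
    "hr-portal":   (["dc01", "erp-db"], 3),
    "wiki":        (["dns"], 1),
}


def critical_path_targets(inventory, min_impact):
    """Systems whose business impact meets the threshold: the services that
    must come back first for operations to continue."""
    return sorted(n for n, (_, impact) in inventory.items() if impact >= min_impact)


def required_systems(inventory, targets):
    """Transitive closure of dependencies: the minimum set of systems that
    has to be restored for the targets to work at all."""
    needed, stack = set(), list(targets)
    while stack:
        name = stack.pop()
        if name in needed:
            continue
        if name not in inventory:
            raise KeyError(f"unknown system in inventory: {name}")
        needed.add(name)
        stack.extend(inventory[name][0])
    return needed


def restore_order(inventory, targets):
    """Kahn's topological sort over the required subset: dependencies restore
    first; among systems that are ready at the same time, the higher impact
    one goes first. A cycle means the inventory is wrong and is reported."""
    needed = required_systems(inventory, targets)
    indegree = {n: 0 for n in needed}
    dependents = {n: [] for n in needed}
    for n in needed:
        for dep in inventory[n][0]:
            indegree[n] += 1
            dependents[dep].append(n)

    ready = [n for n in needed if indegree[n] == 0]
    order = []
    while ready:
        ready.sort(key=lambda n: (-inventory[n][1], n))
        current = ready.pop(0)
        order.append(current)
        for d in dependents[current]:
            indegree[d] -= 1
            if indegree[d] == 0:
                ready.append(d)

    if len(order) != len(needed):
        stuck = ", ".join(sorted(needed - set(order)))
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


if __name__ == "__main__":
    targets = critical_path_targets(INVENTORY, min_impact=9)
    print("critical services:", targets)
    print("restore in this order:", restore_order(INVENTORY, targets))
```

With the constructed inventory, the impact threshold of 9 selects the domain controller, DNS and the two ERP tiers, and the order comes out as dc01, dns, erp-db, erp-app: four systems restored, in a sequence where each one's dependencies are already clean, before anything lower-priority is touched.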

REBUILDING

Arraya stood up a network connection between the client and their off-site data storage. As servers were restored, each was first placed in its own isolated network and tested for infection; only then was it moved to a staging network where it could communicate with the other clean, restored systems.

Lastly, we rebuilt the client’s Microsoft Active Directory and domain controllers, and reintegrated applications with the new, clean systems.

Arraya worked with the client to reset every employee’s password through a coordinated effort with their service desk. We provided a script the service desk used to explain what had transpired, and implemented a process that allowed it to issue new passwords to employees over the phone once an identity verification step had been completed.

LESSONS LEARNED

The client survived this cyber-attack. However, without the backups that Arraya had recently implemented, this likely wouldn’t have been the case.

Arraya’s incident coordination services drove the recovery from identification to mitigation and rebuilding. Because of our prior work with the client, we were already familiar with their network, and they trusted us to do what was right for their organization. We were able to begin our response to the attack immediately and with the autonomy to make decisions on their behalf.

Throughout the investigation, it was discovered that the ransomware attack was carried out against vulnerable, unpatched systems that were internet-facing. Their systems had been infected for over a week before the ransomware was deployed.

RESULTS

  • Continued Business Operations
  • Improved Security Posture
  • Modernized & Future-Ready Infrastructure
  • Consolidated Redundant Systems

Arraya paired the client with a managed detection and response provider so that future intrusions would not go undetected. We brought all patches up to date and hardened their systems. We also implemented MFA for every employee connecting remotely.

If the client had had an established and tested incident response plan in place prior to this attack, the response and recovery costs would have easily been cut in half.

As a silver lining, the client used the aftermath of this attack to clean house. They got rid of legacy technology, revised their naming system, modernized their infrastructure, and consolidated redundant systems.

With these new processes and procedures in place, they are now better protected from cyber threats and much more prepared to respond, should they fall victim again.

SAFEGUARD YOUR DIGITAL WORLD

Don’t gamble with your business. In today’s climate, securing your business is not an option – it’s a necessity.

Uncover your vulnerabilities, protect your assets, and receive personalized recommendations from our cybersecurity experts. Act today, and together, we’ll fortify your digital assets. Contact us to get started!

© 2025 Arraya Solutions. All rights reserved.