“All systems went dark. We are locked out of everything. We don’t know how far it’s spread.”
This is the typical call that our Incident Response hotline receives from a company in crisis. By the time they reach out, key systems are usually encrypted, operations have come to a standstill, and the full impact remains unclear.
The ransomware attack: what happens when it’s already late?
The harsh reality of modern ransomware: it starts weeks earlier, quietly, while attackers map out your network, escalate privileges, and wait for the right moment to strike. Despite the best efforts of IT and security teams worldwide, most organisations discover the breach only when it is already too late.
At Eye Security, we have supported dozens of organisations through the critical first days. In this case walkthrough, we take you inside a real-world attack, from the moment we were contacted through to investigation, ransom negotiations, and full recovery.
The story lifts the curtain on the events behind the scenes of a ransomware investigation. It shows the anatomy of modern ransomware campaigns, how they operate, where organisations falter, and how a well-prepared response can mitigate long-term damage.
The statistics already point to a crushing reality. According to Cybercrime Magazine, ransomware damage will cost the world $57b in 2025. This translates into $4.8b per month, $1.1b weekly, $156m per day, $6.5m per hour, $109,000 per minute, and $2,400 every second.
The Global Cost of Ransomware Study, recently conducted by the Ponemon Institute and based on a survey of 2,547 IT and cybersecurity professionals, reveals that 88% of the responding organisations were hit by ransomware in the last year. Of these, 58% had to shut down operations after an attack for an average of 12 hours.
For mid-sized businesses, the average ransom demand was at $1.2m, with 55% of organisations paying the ransom. Some 44% of organisations said that they were not prepared to quickly detect and respond to an incident. In 2024, the average ransomware attack cost $5.13m, a 574% increase over six years. That includes the ransom payment, recovery costs, as well as costs associated with reputational damage and loss of trust.
Part I: The call no company wants to make
It was a regular weekday afternoon when Eye Security’s Incident Response (IR) hotline rang. On the other end was the IT lead of a European mid-sized company in crisis. They had never worked with us before. Their operations were at a standstill. Order processing halted, employees locked out, and all critical systems non-functional. They had just been hit by a ransomware attack and it was severe.
Their team had done what they could, but they quickly realised they were outmatched. Beyond technical recovery, they were in urgent need of strategic crisis management.
Part II: Day 0. Impact and immediate damage
Upon engagement, it became evident the organisation had been targeted by a ransomware group known for its high-impact attacks. Since emerging in early 2023, the ransomware group had claimed responsibility for over 700 incidents globally and was estimated to have extorted more than $42m.
The group’s modus operandi includes exploiting VPN vulnerabilities, frequently using leaked credentials or brute-force techniques to bypass defences.
Once inside the environment, they conducted reconnaissance, escalated privileges, and methodically mapped out the network. By the time the ransomware was deployed, the threat actor had already:
- Deleted backup repositories, ensuring data recovery would be difficult;
- Encrypted over 300,000 files across systems; and
- Exfiltrated sensitive data, setting the stage for a double-extortion attempt.
For the company, this resulted in operational paralysis. All signs pointed to a well-prepared, highly motivated adversary.
Part III: A breakdown of the response timeline
Here is how the attack progressed, starting from day 1 of our engagement.
Day 1. Rapid triage and forensics initiated
Initial containment actions were taken to isolate infected endpoints and preserve forensic evidence. A data recovery specialist was engaged, particularly since the company's local backups had been wiped by the attackers.
At this point, the focus was on:
- Confirming the attack vector
- Assessing what data was encrypted or exfiltrated
- Determining how long the attacker had been inside the environment
Day 2. Ransom negotiation begins
Once secure communication with the attacker was established, the adversary made their presence clear. A formal ransom note was issued, and early discussions began. While no specific figure was shared initially, the attack’s scale suggested that the demand would be in the high six-figure range.
Simultaneously, our team began preparing a multi-scenario response strategy, including:
- Data recovery planning without paying the ransom
- Legal and compliance preparations
- Communication and containment protocols
Day 3. Regulatory and legal implications
Due to the General Data Protection Regulation (GDPR), the company had 72 hours to report the data breach to the supervisory authority. The exfiltration of personal and potentially sensitive data triggered mandatory disclosure obligations.
Our legal advisors collaborated with the company’s counsel to:
- File the breach notification in accordance with GDPR
- Begin communication planning with stakeholders and employees
- Review cyber insurance coverage and claim readiness
In parallel, encrypted drives were physically shipped to a data recovery lab to explore decryption or salvage possibilities.
Day 4. Root cause identified: VPN exploit
Detailed analysis revealed the exact point of entry: a vulnerable VPN solution.
Log analysis indicated that the threat actor had likely maintained covert access for 26 days before rolling out the ransomware. The dwell time gave them a comprehensive understanding of the environment, allowing for a highly targeted attack.
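The two technical threads of this case, the VPN brute-force entry described in Part II and the 26-day dwell time established from the logs on Day 4, can be illustrated with a small detection script. The following is an added example written for this article, not code from Eye Security or from the investigation; the log format, field names, thresholds and all log lines are constructed for illustration, and the timestamps are chosen so that the dwell time comes out at the 26 days the case reports.

```python
"""Added example: flag VPN logins that follow a burst of failures from the
same source, then estimate dwell time from that first suspicious login to the
moment encryption was observed. Sample data is constructed, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log lines. Assumed format:
# "<ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>"
SAMPLE_LOG = """\
2025-03-01T02:10:05 FAIL user=j.doe src=203.0.113.7
2025-03-01T02:10:09 FAIL user=j.doe src=203.0.113.7
2025-03-01T02:10:14 FAIL user=j.doe src=203.0.113.7
2025-03-01T02:10:20 FAIL user=j.doe src=203.0.113.7
2025-03-01T02:10:27 FAIL user=j.doe src=203.0.113.7
2025-03-01T02:10:33 SUCCESS user=j.doe src=203.0.113.7
2025-03-01T08:30:00 SUCCESS user=a.smith src=198.51.100.4
2025-03-02T08:31:00 FAIL user=a.smith src=198.51.100.4
2025-03-02T08:31:30 SUCCESS user=a.smith src=198.51.100.4
"""

# Assumed detection thresholds: a success preceded by this many failures from
# the same source inside the window is treated as a likely credential attack.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed timestamp of the first observed encryption activity.
ENCRYPTION_OBSERVED = datetime.fromisoformat("2025-03-27T03:15:00")


def parse_line(line):
    """Split one log line into its timestamp, result, user and source fields."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def find_suspicious_logins(log_text):
    """Return (timestamp, user, src) for every SUCCESS that is preceded by at
    least FAIL_THRESHOLD failures from the same source within WINDOW."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # src -> timestamps of recent failures
    hits = []
    for e in events:
        window_start = e["ts"] - WINDOW
        # Drop failures that have aged out of the sliding window.
        fails = [t for t in recent_failures[e["src"]] if t >= window_start]
        recent_failures[e["src"]] = fails
        if e["result"] == "FAIL":
            fails.append(e["ts"])
        elif e["result"] == "SUCCESS" and len(fails) >= FAIL_THRESHOLD:
            hits.append((e["ts"], e["user"], e["src"]))
            recent_failures[e["src"]] = []  # reset so one burst yields one alert
    return hits


def dwell_time_days(first_access, encryption_observed):
    """Whole days between the first suspicious login and observed encryption."""
    return (encryption_observed - first_access).days


if __name__ == "__main__":
    for ts, user, src in find_suspicious_logins(SAMPLE_LOG):
        print(f"suspicious login: {ts} user={user} src={src}")
        print(f"estimated dwell time: {dwell_time_days(ts, ENCRYPTION_OBSERVED)} days")
```

The single failure before a.smith's second login stays below the threshold and produces no alert, which is the point of a windowed count: it separates a mistyped password from a burst of guesses followed by a success. In practice the alert on the first hit is what shortens dwell time; the dwell-time calculation itself is what an investigation does after the fact, as on Day 4 of this case.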
Part IV: Stabilisation and recovery
Day 6. Restoration of critical systems
After several days of intense effort, the first significant breakthrough occurred: a partial backup of a critical application server had survived the attack due to being stored off-site. It was successfully restored, kickstarting recovery. While not complete, it was enough to fully restore key business systems.
This discovery shifted the decision calculus significantly.
Day 7. Internal crisis communication launched
With initial recovery in progress, the leadership team formally notified staff. Using pre-planned messaging aligned with the legal team, the company aimed to balance transparency and reassurance while avoiding panic or premature media exposure.
Day 15. Operational reboot
Two weeks post-incident, the company began restoring online operations. Network connectivity was re-established, user accounts were gradually re-enabled, and environments were re-secured.
Day 16. Ransom demand finalised
The adversary formally demanded $900,000 USD in Bitcoin in exchange for the decryption key and a “guarantee” not to leak or sell the stolen data.
At this stage, a critical decision had to be made.
Part V: Risk decisions and negotiation strategy
From Day 26 to Day 42, negotiation efforts intensified. Ransom payments are seldom encouraged, but in real-world scenarios, organisations must evaluate:
- The likelihood of sensitive data being leaked
- Whether paying would prevent reputational or legal fallout
- The reliability of the attacker’s claims
By Day 41, the business had returned to near-normal operations without needing the decryption key.
Finally, on Day 56, a reduced payment of $270,000 was made: not for decryption, but in hopes of preventing the public release of sensitive data.
Part VI: Lessons learned
This case illustrates not only the complexity of ransomware attacks, but also the strategic and technical missteps that often precede them. Key takeaways for cybersecurity professionals include:
1. Patch management is non-negotiable
The vulnerability exploited was known and documented. Organisations must treat patching and vulnerability management as foundational.
2. Backups must be immutable and isolated
The attackers deleted backups with ease. Had the company used immutable or air-gapped backup solutions, their recovery would have been faster and less reliant on ransom-driven negotiations.
3. Dwell time is deadly
The attacker maintained stealthy access for weeks. 24/7 detection and response capabilities are critical for early threat detection and containment.
4. Cyber insurance is not a luxury
Insurance coverage made a tangible difference in this case, helping cover IR costs, legal fees, and part of the ransom payment.
5. You must assume breach
Zero-trust principles are no longer theoretical. Every external-facing service is a potential entry point. Every organisation must operate from an assume breach mindset.
How can Eye Security help?
Eye Security delivers enterprise-grade cybersecurity tailored to the actual risks and budgets of mid-sized businesses. This includes:
- 24/7 Managed Detection & Response (MDR) with real-time alerts and rapid containment via an in-house SOC. Robust endpoint protection is your first line of defence, helping you quickly identify suspicious activity and detect ransomware
- Cyber insurance with streamlined processes and better premiums
- Attack surface scanning to find and remediate vulnerabilities before they’re exploited
- Threat hunting to proactively detect lateral movement and persistence mechanisms
- Expert-led Incident Response with forensic investigations
When ransomware hits, you need a team that is battle-tested and ready to act.
If you suspect an incident, contact our incident response hotline immediately:
Emergency Incident Response Germany: +49 203 6688 1900
Emergency Incident Response the Netherlands: +31 88 644 4898