Ransomware Attack Resolved in 48H by TechForing
How We Helped a Shipping Company Recover Operations Within 48 Hours After a Targeted Ransomware Attack
Summary
Our client was a shipping company that faced a targeted ransomware attack that locked important files and shut down their shipment tracking system.
The attack stopped operations, caused shipment delays, and blocked customers from tracking their deliveries, leading to a loss of trust and money.
TechForing's Incident Response Team joined within a few hours to stop the attack and check how much damage was done.
Our team quickly acted to:
- Separate infected systems
- Remove the ransomware
- Get back the locked data
- Bring back key operations - all without paying the ransom.
The company’s tracking system was back to work within 48 hours, avoiding serious problems.
Introduction
In the shipping business, timing is everything. If a company can’t track its shipments or update customers on delivery status, things can fall apart quickly. That’s exactly what happened to a mid-sized logistics company when a ransomware attack hit their systems.
This case study shares how we helped the company bounce back in just 48 hours and made sure they were stronger and safer going forward.
The Case
Our client was a mid-sized logistics company that handled hundreds of shipments every day across Asia and Europe. One evening, their IT team noticed some strange activity on the network - unknown login attempts from places they didn’t recognize. At first, it didn’t seem serious, but things got worse very quickly.
In just a few minutes, they lost access to their shipment tracking system. Important files on their servers were locked, and a message showed up asking for a ransom to be paid in cryptocurrency. Their whole system - the one that managed orders, helped warehouse teams, and updated customers - was shut down.
With no way to track or manage shipments, everything stopped. The warehouse teams didn’t know what to do, and customers started calling in with complaints because they couldn’t check where their deliveries were. The company started losing money and time with every passing hour.
To make things worse, their backup system didn’t work properly either. They couldn’t bring things back online quickly. The company was in danger of losing major clients and harming its reputation.
That’s when they reached out to TechForing. We started investigating immediately.
Challenges and Objectives
Challenges
When TechForing’s Incident Response Team joined the case, the situation was already serious. The logistics company was dealing with several big problems at once:
- Full System Lockdown: Their shipment tracking system and internal communication tools were completely locked and couldn’t be used.
- Ransom Demands: The attackers asked for a large amount of cryptocurrency and said they would delete all data if payment wasn’t made within 72 hours.
- No Clear Backup Path: The company’s backup systems were not up to date, and some of them were also hit by the attack.
- Operational Paralysis: Shipments got delayed, warehouse teams couldn’t work properly, and customer support was flooded with complaints.
- Security Gaps: The company didn’t have strong cybersecurity protection or a clear plan for dealing with such incidents.
Objectives
We focused on these main goals:
- Contain and isolate the ransomware attack to stop it from spreading to more parts of the network.
- Identify the method of entry and check how much damage was done through digital investigation.
- Recover and restore critical systems, especially the shipment tracking system, without paying the ransom.
- Secure all remaining endpoints and servers to stop the attackers from coming back.
- Implement immediate protective measures to make the network stronger and more secure.
- Provide staff awareness training and give advice on how to avoid such attacks in the future.
Tools & Technologies Used
We used the following cybersecurity tools and software:
- CrowdStrike Falcon
- SentinelOne
- FTK Imager
- Autopsy
- Wireshark
- Zeek
- Recuva
- R-Studio
- Splunk
- IBM QRadar
- Acronis Backup
- Veeam
- pfSense
- CIS-CAT Pro
How We Solved the Situation
We followed a six-step process to stop the attack and recover the client's systems:
1. Immediate Containment & Threat Isolation
Our first task was to stop the ransomware from spreading any further.
- We quickly disconnected infected computers from the network using CrowdStrike Falcon and SentinelOne, whose real-time telemetry showed us which devices were affected.
- With tools like Zeek and Wireshark, we analyzed network traffic and found that the infected devices were communicating with a server in Eastern Europe, most likely controlled by the attackers.
- We blocked this connection using pfSense firewall rules and disabled all Remote Desktop Protocol (RDP) access, which the attackers were using to move between systems.
2. Digital Forensic Investigation
Then we started a detailed forensic investigation to figure out exactly what happened, using tools like FTK Imager, Autopsy, and Volatility Framework.
- We found that the ransomware came in through a malicious Excel file with a hidden macro, sent through a fake email pretending to be from one of their regular shipping partners.
- The infected computer was connected to the company’s domain, and the attacker used saved login details to gain higher-level access across the network.
- By checking Windows event logs, Sysmon data, and PowerShell commands, we confirmed the attacker used tools like Mimikatz to steal admin passwords and moved around using PsExec and WMIC.
3. Payload Analysis & Behavior Profiling
We extracted the ransomware file and tested it in a controlled environment using Cuckoo Sandbox and ANY.RUN to understand how it worked.
- It turned out to be a customized version of Dharma ransomware, made to target specific file types like SQL databases, CSV files, and software used for logistics.
- The ransomware used AES-256 encryption to lock files and RSA-2048 to protect the AES keys, which made it impossible to decrypt the files without the attacker's RSA private key.
- However, we discovered it didn’t delete Volume Shadow Copies, which gave us a way to recover some data.
4. Data Recovery & System Restoration
Our main goal now was to bring back important systems without giving in to the attacker’s demands.
- We used tools like Recuva and R-Studio to recover files that hadn’t been fully encrypted or were stored in leftover areas of the disks.
- On some devices, we were able to recover files using Shadow Copies, and for others, we restored backups using Veeam and Acronis, which hadn’t been touched by the attack.
- We carefully rebuilt and restored their core systems - including the domain controllers, ERP software, shipment tracking, and CRM - and ran full tests to make sure everything worked properly.
This entire recovery process took about 36 hours.
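Deciding which files are worth a recovery pass is easier with a quick entropy triage. The following Python script is an added example, not TechForing's tooling or any part of the original case study: it splits a file's contents into chunks, scores each chunk with Shannon entropy, and reports whether the file looks untouched, fully encrypted, or only partially encrypted, together with the byte ranges that still look intact. The chunk size, the 7.2 bits/byte threshold, and the sample contents are assumptions; compressed or already-random data also scores high, so the verdict is a triage hint, not proof.

```python
"""Entropy triage for ransomware recovery (added example, not the case study's tooling).

Fully encrypted data is indistinguishable from random bytes, so every chunk scores
near 8 bits/byte; an untouched CSV or SQL dump scores far lower; a file the
ransomware only partly encrypted shows both. The chunk size and threshold below are
assumptions to tune per environment.
"""
from __future__ import annotations

import math
import random
from collections import Counter

CHUNK = 4096          # bytes per scored chunk (assumption)
MIN_TAIL = 512        # a shorter final chunk is merged into the previous one
HIGH_ENTROPY = 7.2    # bits/byte; at or above this a chunk looks encrypted/compressed (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _chunks(data: bytes) -> list[bytes]:
    out = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    if len(out) > 1 and len(out[-1]) < MIN_TAIL:
        # A tiny tail of random bytes cannot reach high entropy on its own, so merge it.
        out[-2:] = [out[-2] + out[-1]]
    return out or [b""]


def classify(data: bytes) -> dict:
    """Return a verdict plus per-chunk statistics for one file's contents."""
    ents = [shannon_entropy(c) for c in _chunks(data)]
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    if high == 0:
        verdict = "plaintext"
    elif high == len(ents):
        verdict = "fully encrypted"
    else:
        verdict = "partially encrypted"
    return {
        "verdict": verdict,
        "encrypted_chunks": high,
        "total_chunks": len(ents),
        "min_entropy": round(min(ents), 3),
        "max_entropy": round(max(ents), 3),
    }


def intact_ranges(data: bytes) -> list[tuple[int, int]]:
    """Byte ranges [start, end) whose chunks still look like plaintext, merged when adjacent."""
    ranges: list[tuple[int, int]] = []
    offset = 0
    for chunk in _chunks(data):
        end = offset + len(chunk)
        if shannon_entropy(chunk) < HIGH_ENTROPY:
            if ranges and ranges[-1][1] == offset:
                ranges[-1] = (ranges[-1][0], end)
            else:
                ranges.append((offset, end))
        offset = end
    return ranges


# Constructed sample contents (not files from the incident).
_rng = random.Random(7)
PLAIN_CSV = b"shipment_id,origin,destination,status\n" + b"SH1001,Rotterdam,Singapore,in_transit\n" * 400
ENCRYPTED = _rng.randbytes(3 * CHUNK)                        # stands in for a fully encrypted file
PARTIAL = _rng.randbytes(2 * CHUNK) + PLAIN_CSV[:2 * CHUNK]  # head encrypted, tail untouched


if __name__ == "__main__":
    for name, blob in (("plain.csv", PLAIN_CSV), ("orders.sql", ENCRYPTED), ("manifest.csv", PARTIAL)):
        print(name, classify(blob), "intact:", intact_ranges(blob))
```

Run it over a directory of restored or carved files and sort by verdict: "plaintext" files need no further work, "partially encrypted" files tell you which byte ranges (for example the tail of a CSV export) are still worth carving, and "fully encrypted" files should go straight to the shadow-copy or backup path.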
5. Network Hardening & Security Reinforcement
Once systems were up and running again, we made sure to close all security gaps so the company wouldn’t face another attack.
- We added multi-factor authentication (MFA) for all admin accounts and for anyone using the VPN.
- We changed Group Policy settings to block dangerous scripts and turned off old, risky protocols like SMBv1.
- We installed Sysmon with a custom configuration to keep better track of everything happening on their systems.
- We connected everything to Splunk Enterprise Security so that future threats could be detected from one central place.
- We also applied all the latest security updates using WSUS and tools like PDQ Deploy to make sure every system was fully patched.
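The attacker behaviour established in step 2 (Mimikatz against LSASS, PsExec and WMIC for lateral movement, RDP between systems) and the beaconing seen in step 1 are exactly what the Sysmon-plus-SIEM setup from step 5 should alert on. The following Python script is an added example, not TechForing's Splunk content or any part of the original case: it applies a handful of such rules to Sysmon-shaped event records (Event ID 1 process creation, 3 network connection, 10 process access), including a check for shadow-copy deletion, the ransomware precursor the analysts looked for in step 3. The sample events, host names, LSASS allow list, and internal address ranges are constructed assumptions.

```python
"""Sysmon-style event triage for the tradecraft seen in this case (added example,
not the incident responders' Splunk content). Field names follow Sysmon's schema;
the events, host names, allow list and address ranges are constructed."""
from __future__ import annotations

import os
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address space treated as "inside"; anything else is external (assumption: RFC 1918 LAN).
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Processes that legitimately open LSASS; illustrative, tune per environment.
LSASS_ALLOWED = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe", "msmpeng.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, safe to call on non-Windows hosts."""
    return os.path.basename(path.replace("\\", "/")).lower()


def is_external(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def triage_event(ev: dict) -> list[Finding]:
    host, eid, found = ev.get("Computer", "?"), ev.get("EventID"), []
    if eid == 1:  # process creation
        image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "").lower()
        if "mimikatz" in image or "sekurlsa::" in cmd:
            found.append(Finding(host, "credential dumping (Mimikatz)", cmd))
        if image == "psexesvc.exe" or parent == "psexesvc.exe":
            found.append(Finding(host, "lateral movement (PsExec)", cmd))
        if image == "wmic.exe" and "process call create" in cmd and "/node:" in cmd:
            found.append(Finding(host, "lateral movement (WMIC remote exec)", cmd))
        if parent == "wmiprvse.exe" and image in {"cmd.exe", "powershell.exe"}:
            found.append(Finding(host, "lateral movement (WMI-spawned shell)", cmd))
        if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            found.append(Finding(host, "shadow copy deletion (ransomware precursor)", cmd))
    elif eid == 3:  # network connection
        image = basename(ev.get("Image", ""))
        dst, port = ev.get("DestinationIp", ""), ev.get("DestinationPort")
        if port == 3389 and ev.get("Initiated", True):
            found.append(Finding(host, "lateral movement (RDP)", f"{image} -> {dst}:3389"))
        if is_external(dst):
            found.append(Finding(host, "outbound connection to external host", f"{image} -> {dst}:{port}"))
    elif eid == 10:  # process access
        source, target = basename(ev.get("SourceImage", "")), basename(ev.get("TargetImage", ""))
        if target == "lsass.exe" and source not in LSASS_ALLOWED:
            found.append(Finding(host, "credential dumping (LSASS access)",
                                 f"{source} GrantedAccess={ev.get('GrantedAccess')}"))
    return found


def triage(events) -> list[Finding]:
    """Run every rule over every event and return the findings in event order."""
    return [f for ev in events for f in triage_event(ev)]


# Constructed sample events (not from the incident): the described tradecraft plus benign noise.
SAMPLE_EVENTS = [
    {"Computer": "WS-OPS-07", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
    {"Computer": "WS-OPS-07", "EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Computer": "WS-OPS-07", "EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wmic /node:"SRV-TRACK-01" process call create "cmd.exe /c \\\\WS-OPS-07\\share\\p.exe"'},
    {"Computer": "SRV-TRACK-01", "EventID": 1, "Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"Computer": "WS-OPS-07", "EventID": 3, "Image": r"C:\Windows\System32\mstsc.exe",
     "DestinationIp": "10.20.1.15", "DestinationPort": 3389, "Initiated": True},
    {"Computer": "WS-OPS-07", "EventID": 3, "Image": r"C:\Users\jdoe\AppData\Local\Temp\p.exe",
     "DestinationIp": "203.0.113.44", "DestinationPort": 443, "Initiated": True},
    {"Computer": "WS-OPS-07", "EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "10.20.1.5", "DestinationPort": 443, "Initiated": True},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.technique}: {f.detail}")
```

The rules are deliberately literal so they map one-to-one onto SIEM searches: each `if` is a saved search in Splunk or QRadar over the same Sysmon fields, and the LSASS allow list plus internal address ranges are the two knobs that need tuning per environment before the alerts are quiet enough to act on.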
6. Staff Training & Awareness
Finally, we worked on training the employees, because many cyberattacks succeed due to human error.
- We ran a company-wide phishing test and training to help staff recognize fake emails and report suspicious activity.
- We also held department-specific sessions - especially for operations and finance - to teach them what to look out for and how to act quickly if they ever notice something wrong.
By following this technical recovery plan, we helped the client restore their operations in under 48 hours.
Results & Outcome
- The company’s main systems, including shipment tracking and internal communication tools, were back up and running within 48 hours.
- The client didn’t have to pay the ransom.
- The ransomware was completely removed from all devices and servers.
- We were able to recover over 95% of the important files and databases.
- We made the company’s systems much safer by adding extra security layers such as multi-factor authentication, network protection, and ongoing monitoring.
- Because the systems were restored so quickly, the company didn’t lose any major clients and avoided penalties for delayed deliveries.
Conclusion
This case shows how a fast and well-planned response can turn a serious ransomware attack into a successful recovery. Within 48 hours, TechForing helped the logistics company get back to work, recover their data without paying the ransom, and improve their overall cybersecurity.
If you’re dealing with an attack now or want to protect your business for the future, our team is ready to help you 24/7.