020 7193 4905

Cyber Security Incident Response – Ransomware Attack

Our cyber security incident response team works with clients across the globe, helping them recover from ransomware attacks and other cybersecurity incidents.


For those that have to deal with such incidents, they can quickly be overwhelmed due to the speed that attackers work at. First Response have responded to over 200 incidents and were called into help with a 500 user high-street retail & ecommerce organisation, based in Manchester.



With this incident the IT team had unpatched vulnerabilities on their firewalls which the attackers had used to expose admin credentials.


Once the attackers had these credentials they then breached the organisations internal environment, moving around the core servers, including AD, file servers, and even their cloud environment.


The attackers had compromised all of the core infrastructure, this is when they executed their final payload which included multi-threaded AES encryption. This encryption implementation was exceptionally fast and meant that over 900GBs of data was encrypted in a matter of hours.


The IT team had tried to control the situation and after several days finally gave up, this is a regular scenario that we see, especially as the business is often asking questions and demanding answers. Cybercrime has become a pervasive threat for businesses and once attackers see an exploit they will typically push it to its limit.


First Response were introduced by a trusted third-party and quickly brought calm and process to the chaotic situation by providing an objective perspective based on previous experience.


First Response’s cyber security incident response team worked with the local IT team to contain the incident, identify the compromised systems and then prioritise remediation and to bring the affected systems back online.



First Response’s analysis of the firewall logs confirmed the clients initial thoughts about the source of the breach. In this instance the business was fortunate the attackers hadn’t exfiltrated any data for a typical second extortion attempt and initiated that part of the attack.


Once the initial incident response was concluded, we completed a full technical architecture review, identifying gaps, and providing recommendations for improvement – which we helped the client to implement.




If you have a cybersecurity incident, believe you are under attack or have been compromised, then call us immediately for assistance on 020 7193 4905 or email us as incident [at] first-response.co.uk

We also provide 24/7 monitoring and managed cybersecurity services, details are available here.