
Autopsy of a Ransomware Attack

Early in 2025, a Thrive customer noticed something odd. One seemingly innocuous CPU spike was the first indicator of a problem that could have destroyed an entire multi-state manufacturing company.

The Background Before the Attack

This company (Example Corp, for anonymity) had been a Thrive customer for a while. In the spring of 2025, they were using Thrive for managed services, including performance and event monitoring, but were using their internal teams for MDR and security services. The customer is headquartered in Florida but has other major operations hubs throughout the southeastern United States.

Manufacturing and logistics are often heavily reliant on proprietary operational technology (OT) that’s hard to secure and often lacks comprehensive security monitoring. Many organizations integrate OT into their IT networks without proper segmentation, increasing the risk of devastating impact should either side be breached. Combined with limited IT resources, fewer cybersecurity regulations, and low downtime tolerance, this makes them highly likely to be targeted by ransomware, no matter the size of the organization. Thrive’s intelligence shows manufacturing, construction, and logistics are targeted 7.5 times more than financial services by ransomware groups like RansomHub, Akira, and Play. This mix of weak defenses and high impact makes manufacturing a prime ransomware target.

Thankfully, that wasn’t the case at Example Corp. Their CTO had a strong grasp of the internal environment and knew exactly what was needed, phase by phase, to bring operations back online quickly. He also leaned heavily on Thrive’s deep expertise in incident response and threat actor behavior to avoid common pitfalls, ensure a secure restoration, and remediate any potentially lingering threats. With 24/7 support from Thrive, his disciplined leadership and reliance on proven best practices were critical to saving Example Corp that day in February.

The Attack

Early on Friday morning, the Thrive event management team noticed an atypical CPU spike on a server. Since it was very early in the morning – hours before the start of the workday – the Thrive team decided to check on what was going on.

The Thrive team discovered that the CPU usage was coming from an abnormal process, and they called in the Thrive security team to take a look (even though, at the time, the customer wasn’t using Thrive for security services). The security team recognized ransomware executables and shut down the server immediately to try to limit the scope of the attack.
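The signal that started this response was an off-hours CPU spike from a process that did not belong on the server. The following script, written for this article and not Thrive's monitoring tooling, shows one way to encode that triage rule: build a per-host baseline of processes and their peak CPU from earlier telemetry, then alert only on high-CPU samples that fall outside business hours and come from a process the host has never run (or a known process far above its usual peak). The telemetry records, host names, process names, business-hours window and thresholds are all constructed assumptions for the example.

```python
"""Off-hours CPU-spike triage over constructed endpoint telemetry.

Added example, not Thrive's tooling. Flags a process that burns CPU outside
business hours when the host never ran it during the baseline window, or when
a known process runs far above its baseline peak at that hour.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

BUSINESS_START = time(7, 0)   # assumed local business window: 07:00-19:00, Mon-Fri
BUSINESS_END = time(19, 0)
SPIKE_PCT = 80.0              # assumed absolute CPU% needed before a sample is interesting
SPIKE_FACTOR = 2.0            # a known process must exceed 2x its baseline peak to alert

UNKNOWN_PROCESS = "unknown-process-off-hours"
KNOWN_SPIKE = "known-process-spike-off-hours"


@dataclass(frozen=True)
class Sample:
    ts: datetime
    host: str
    process: str
    cpu_pct: float


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    process: str
    cpu_pct: float
    reason: str


def is_off_hours(ts: datetime) -> bool:
    """True on weekends or on weekdays outside the assumed business window."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def build_baseline(samples, cutoff):
    """Peak CPU% per (host, process) observed strictly before the cutoff."""
    peak = defaultdict(float)
    for s in samples:
        if s.ts < cutoff:
            key = (s.host, s.process)
            peak[key] = max(peak[key], s.cpu_pct)
    return dict(peak)


def triage(samples, baseline):
    """Return alerts for samples that look like an atypical off-hours spike."""
    alerts = []
    for s in samples:
        if s.cpu_pct < SPIKE_PCT or not is_off_hours(s.ts):
            continue  # normal load, or business-hours load left to capacity monitoring
        known_peak = baseline.get((s.host, s.process))
        if known_peak is None:
            alerts.append(Alert(s.ts, s.host, s.process, s.cpu_pct, UNKNOWN_PROCESS))
        elif s.cpu_pct >= SPIKE_FACTOR * known_peak:
            alerts.append(Alert(s.ts, s.host, s.process, s.cpu_pct, KNOWN_SPIKE))
    return alerts


# Constructed telemetry: a quiet Thursday as baseline, then a pre-dawn Friday.
CUTOFF = datetime(2025, 2, 14)
SAMPLES = [
    Sample(datetime(2025, 2, 13, 9, 15), "app01", "sqlservr.exe", 35.0),
    Sample(datetime(2025, 2, 13, 14, 30), "app01", "sqlservr.exe", 42.0),
    Sample(datetime(2025, 2, 13, 10, 0), "app01", "backup_agent.exe", 85.0),
    Sample(datetime(2025, 2, 13, 11, 0), "fs02", "explorer.exe", 5.0),
    Sample(datetime(2025, 2, 14, 3, 5), "app01", "sqlservr.exe", 20.0),     # low, ignored
    Sample(datetime(2025, 2, 14, 3, 7), "app01", "untracked.exe", 97.0),    # never seen on app01
    Sample(datetime(2025, 2, 14, 3, 9), "app01", "untracked.exe", 99.0),
    Sample(datetime(2025, 2, 14, 3, 8), "fs02", "untracked.exe", 95.0),     # never seen on fs02
    Sample(datetime(2025, 2, 14, 3, 11), "app01", "sqlservr.exe", 90.0),    # known, but >2x peak of 42
    Sample(datetime(2025, 2, 14, 10, 0), "app01", "backup_agent.exe", 88.0),  # business hours, ignored
    Sample(datetime(2025, 2, 15, 10, 0), "app01", "backup_agent.exe", 86.0),  # Saturday, within 2x of 85
]


def run_demo():
    """Baseline on pre-cutoff samples, then triage everything from the cutoff on."""
    baseline = build_baseline(SAMPLES, CUTOFF)
    return triage([s for s in SAMPLES if s.ts >= CUTOFF], baseline)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.ts:%a %H:%M} {a.host} {a.process} {a.cpu_pct:.0f}% {a.reason}")
```

Four of the eleven samples produce alerts: the three runs of the unseen binary on both hosts and the SQL Server spike at 03:11, while the backup agent's Saturday run stays quiet because the host had already seen it at a similar level. In practice the baseline would come from days or weeks of telemetry rather than one day, and the "unknown process" check is the one worth tuning most carefully, since it is what turns a capacity alert into a security alert.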

Thrive also began trying to contact the CTO and other IT points of contact, which took almost an hour. In that time, Thrive had begun isolating affected systems and using forensic tools to identify the extent of the attack. Thrive had also attributed the damage to a specific threat actor. After learning of this attribution and the impact details provided by Thrive, the client engaged their cyberinsurance provider. The forensics team assigned through the insurer decided to use the data already collected by Thrive to conduct their investigation. This allowed them to begin their analysis quickly and supported a rapid restoration without introducing further delays.

Timeline to Recovery

Example Corp did not have an incident response plan, but their teams had deep knowledge of their systems and domains, so once the Thrive and customer IT teams were able to connect, they started work on mitigating the damage and recovering their operations.

  • Thrive and Example Corp held near-hourly standup calls to quickly address their most immediate actions and next steps, with everyone working collaboratively. These meetings were short and focused on completing tasks, removing roadblocks, and outlining next steps with clear timelines.
  • They shut down any VPN tunnels and site-to-site tunnels between their five sites.
  • Using the forensics tools, they began reviewing timelines and affected systems.
  • Within the first hour, Thrive had confirmed there had been data exfiltration (stolen data) and had run a damage assessment. The attackers had tried to download lightweight assets like text files, documents, PDFs, spreadsheets, and images.
  • Example Corp contacted their cyberinsurance agency, and they used the insights from Thrive to run a parallel investigation.
  • Example Corp had people onsite at three of the five locations on the same day; the other two were restored remotely when the main site was restored.

The recovery went fairly smoothly. One of the affected systems was a virtual host, so all of the associated virtual machines had to be rebuilt; in addition, a couple of domain controllers were lost and had to be restored. Thrive rebuilt all affected servers and restored most data from backup with minimal loss.

The initial attack was sparked Friday morning; all five sites had been restored to full operations by Sunday afternoon. By contrast, other manufacturing businesses typically take 7-14 days to restore to full functionality.

What Went Right

Technology is only one part of the People – Process – Technology Framework. This customer had all three pillars in place long before their ransomware attack.

[Figure: People – Process – Technology]

  • Prepared team. Many organizations only think to call their service provider or cyberinsurance company and then wait to be told what to do. Example Corp didn’t have a formal incident response plan, but all of their IT personnel had a thorough understanding of their systems, services, and dependencies, as well as a full asset inventory. This allowed them to move very quickly, which ultimately minimized the damage.
  • Effective communication and time management. Example Corp and Thrive teams were cohesive and worked very well together, across multiple states.
    • Held response team meetings every couple of hours
    • Limited length to less than 30 minutes
    • Focused only on what was new, what was next, and any blockers.
  • Clear ownership. The CTO took ownership of critical internal systems. They also maintained a running, prioritized list of services and tasks in the background but kept the team from being overwhelmed by adding new actions only as the current ones were completed.
  • Solid system management and architecture practices. Example Corp had good IT practices in place, such as using separate Active Directory domains for different sites and services. They also had routine backups in a separate location, so no backup data were corrupted in the attack. These basic tasks made it possible to quickly replace and recover their systems.
  • High level of urgency. This incident could have collapsed the company, but the entire customer team, from the CTO to the practitioners, was focused on the potential impact to their employees and customers. One of the potentially affected systems included payroll services, and their primary objective was to make sure everyone got paid on time.

What Were Their Next Steps

Example Corp came through the entire event unscathed, but the threat had truly been existential. They had several major business deals which would have failed had there been any disruption in operations for days, much less weeks.

Their CTO had already been talking with Thrive about replacing their in-house security services, so the first changes they looked at were in bolstering their security resources:

  • Scheduled penetration testing and created a list of follow-up actions
  • Bought advisory services for ongoing reviews and feedback on their processes and technology stack
  • Migrated to Thrive’s MDR services
  • Began drafting a formal incident response plan

One tenet of cyber resilience is that it is wasted effort to try to prevent all attacks. It is a much more strategic decision to focus on security technologies that allow greater visibility into systems, solid IT practices, and well-trained and committed teams. That allows you to recover quickly, no matter what happens.

You can find out more about Thrive’s disaster recovery services or contact Thrive for a chat. You can also check out our on-demand webinar on cybersecurity tech trends.