Macksofy Technologies
Manufacturing · DFIR
India · Mid-market · 2025

LockBit variant contained in 11 hours — manufacturer back to 80% production within 72h of first encrypted file

A 1,400-employee manufacturer in Pune called Macksofy at 02:14 IST after a LockBit variant began encrypting file shares. Forensic team on-site by 06:30. Containment achieved at hour 11. Eighty per cent of production systems back online within 72 hours from clean backups.

Tags: Manufacturing · DFIR · Ransomware · LockBit · Pune · OT Security · Incident Response
Engagement summary

Client: Mid-size Manufacturer (Maharashtra)
Sector: Manufacturing
Region: India
Engagement: DFIR
Year: 2025
Duration: Containment 11h · Full IR 21 days

  • 11h · Time to containment
  • 72h · Time to 80% recovery
  • 0 · Ransom paid
  • 0 · Confirmed data exfiltrated
The challenge

What the client was up against.

First encrypted file at 23:47, panic by midnight

An IT engineer noticed file extensions changing on a shared drive at 23:47. By 00:30 multiple systems were encrypted. The internal team had a tabletop-grade IR plan but had never run live containment against a credentialed adversary already inside the network.

OT exposure was the real fear

Beyond the corporate file-share, the plant's MES (Manufacturing Execution System) shared a flat network with corporate IT. If the ransomware crossed into OT, the plant would lose visibility into batches in progress — a regulatory and contractual problem with auto-OEM customers.

Approach

How we ran the engagement, phase by phase.

Phase 01 · 30-minute bridge call · 02:14 IST

  • Triage call with CIO + IT manager + plant operations head
  • Established a unified incident bridge (Slack + voice) with strict comms discipline
  • Stood down internal 'fix it ourselves' attempts before they destroyed evidence
Phase 02 · On-site forensic team · 06:30 IST

  • Two-person forensic team on-site at the Pune plant
  • Triage agents deployed across DC, OT-edge gateways and the file servers
  • Volatile-evidence preservation on patient-zero before any reboots
Phase 03 · Containment · hour 11

  • Identified patient-zero: an internet-exposed RDP host with leaked credentials
  • Cut the AD-trust between corp and plant networks at hour 7
  • Isolated 18 actively-encrypting hosts; killed PsExec lateral movement at hour 11
Phase 04 · Eradication + recovery

  • Validated backup integrity offline before any restoration
  • Rebuilt domain controllers from gold images; rotated all privileged credentials
  • Restored 80% of production-critical systems from backups within 72h of first encryption
Phase 05 · Lessons-learned + tabletop exercise

  • CERT-In incident-reporting filed within statutory window
  • Root-cause analysis: exposed RDP + leaked credentials + flat network
  • Tabletop exercise re-run with new playbooks 6 weeks post-incident
Findings

What we surfaced — severity, title, real-world impact.

Critical · Internet-exposed RDP on a legacy bastion

A historical jump-server retained 3389/tcp exposed to the internet. The credentials had appeared on a credential-stuffing dump six months prior — never rotated.

Critical · Flat L2 between corporate IT and the plant MES network

No segmentation between corporate file shares and the plant MES network. If the actor had pivoted 4 hours later, plant visibility would have been lost.

High · Weekly backups, no offline copy

Backups existed but were online and writeable from a compromised tier-1 admin account. Two recent backup chains were already encrypted; older chains were viable.

High · Lateral movement via PsExec unflagged

The estate had no detection on PsExec or remote service creation — the actor's primary lateral-movement technique ran unnoticed for two hours.
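The detection gap named in this finding can be closed with a simple rule over Windows System-log Event ID 7045 (service installed) records. The block below is an added illustration, not Macksofy's or the client's tooling; the event records are constructed samples, and the rule goes slightly beyond the finding by also catching renamed services whose binary was dropped through the ADMIN$ share.

```python
"""Flag PsExec-style remote service creation in Windows System log events.

Added example (not the engagement's detection content). Inputs are
constructed Event ID 7045 records in the shape produced by a JSON export.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# PSEXESVC is the default Sysinternals PsExec service name; PAExec uses PAExec-<pid>-<host>.
SUSPICIOUS_NAMES = re.compile(r"^(PSEXESVC|PAExec-\d+-)", re.I)
# Service binary pushed over SMB into \\host\ADMIN$ (PsExec -r renames the service, not the share).
SUSPICIOUS_PATH = re.compile(r"\\\\[^\\]+\\ADMIN\$\\", re.I)
# Service "binary" that is really an inline shell command (smbexec-style tools).
SUSPICIOUS_CMD = re.compile(r"cmd\.exe\s*/[cqk]|powershell(\.exe)?\s+-e(nc)?\b", re.I)


@dataclass
class Alert:
    host: str
    service: str
    image: str
    reason: str


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert when a 7045 event matches a remote-service-creation pattern."""
    if event.get("EventID") != 7045:
        return None
    name = event.get("ServiceName", "")
    image = event.get("ImagePath", "")
    if SUSPICIOUS_NAMES.search(name):
        reason = "known remote-exec service name"
    elif SUSPICIOUS_CMD.search(image):
        reason = "service binary is an inline shell command"
    elif SUSPICIOUS_PATH.search(image):
        reason = "service binary dropped via ADMIN$ share"
    else:
        return None  # ordinary service install, e.g. a product installer
    return Alert(event.get("Computer", "?"), name, image, reason)


def scan(events: Iterable[dict]) -> List[Alert]:
    """Run classify() over a batch of events and keep only the alerts."""
    return [a for a in map(classify, events) if a is not None]


# Constructed sample events; hostnames and paths are invented, not from the case.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "MES-GW1", "ServiceName": "BTOBTO",
     "ImagePath": "cmd.exe /c \"C:\\Windows\\Temp\\run.bat\""},
    {"EventID": 7045, "Computer": "APP02", "ServiceName": "svc_7f3a",
     "ImagePath": "\\\\APP02\\ADMIN$\\svc_7f3a.exe"},
    {"EventID": 7045, "Computer": "DC01", "ServiceName": "Sense",
     "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""},
    {"EventID": 7036, "Computer": "FS01", "ServiceName": "Spooler", "ImagePath": ""},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.host}: service '{alert.service}' -> {alert.reason}")
```

In a real estate the same three checks translate directly into a SIEM query or Sigma rule on the System log; pairing them with an allow-list of known installers keeps the rule quiet outside an incident.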

Outcome

What changed for the client.

Production back online inside 72 hours

Eighty per cent of production-critical systems restored from clean backups in under 72 hours from the first encrypted file. Zero confirmed data exfiltration. No ransom paid.

OT/IT segmentation hardened

Within 30 days the manufacturer rolled out a hardware firewall between corporate and plant networks, with one-way replication for MES telemetry. The flat-network class of risk was eliminated.

Backup architecture rebuilt

New 3-2-1 backup posture with an air-gapped offline copy, immutable storage on the cloud tier, and quarterly restore drills now run by Macksofy as part of an ongoing IR retainer.

We called at 2 AM. By breakfast their forensic team was on our shop floor. Eleven hours later the bleeding stopped. We're now on a Macksofy IR retainer — never want a 2 AM scramble like that again.
CIO · Mid-size Manufacturer (Maharashtra)