Get A Qoute

Global Pharmaceutical Ransomware Recovery

A multi-site ransomware attack shut down operations across Europe and the US. Here’s how we stabilised the environment, restored critical systems, and enabled the business to return to full operation.

Book a Consultation
Speak to an Expert

Overview

A multinational pharmaceutical manufacturer suffered a devastating, multi-stage ransomware attack that took down its entire IT estate across five global sites. Infrastructure, directory services, virtualisation platforms, networks, firewalls, and endpoints were all compromised.

Every internal backup was destroyed.
Every system was offline.
Every site was fully operationally down.

The only surviving assets were the organisation’s immutable cloud backups, protected and managed through Direct Cloud Backup’s Fully Managed Backup & Disaster Recovery Service.

Thanks to these isolated backups — and a coordinated rebuild with global cyber-forensics specialists — the business was fully recovered.

The Challenge

Infrastructure Impact

  • 100% of virtual servers offline
  • VMware hosts compromised with backdoors installed
  • Backup servers encrypted or disabled

Security Compromise

  • Full Kerberos key breach, enabling impersonation
  • Domain admin accounts compromised
  • Lateral movement into core identity systems

Business Impact

  • Manufacturing halted across multiple regions
  • 875GB of R&D data exfiltrated
  • Customer and operational systems offline

The organisation had no clean environment to fail over into, and no active DR capability. Recovery required stabilising identity services before any restoration work could begin.

How the Attack Was Carried Out

The attackers gained domain-level access by capturing Kerberos keys. From there, they moved laterally into VMware and implanted persistent access mechanisms. Server snapshots were damaged or removed, making on-premise recovery impossible.

Key points:

  • Identity compromise enabled complete impersonation
  • VMware hypervisors were accessed and tampered with
  • Data exfiltration occurred before encryption
  • Backup servers were targeted to delay recovery

Our Response & Recovery

Phase 1

Containment

  • Reset and rebuild core identity services
  • Establish a secure recovery environment
  • Isolate compromised hosts to prevent reinfection

Phase 2

Forensics & Stabilisation

  • Trace attacker movement and persistence
  • Validate clean service copies
  • Confirm integrity of recovery-ready backups

Phase 3

Restore & Rebuild

  • Restore priority workloads from immutable cloud backups
  • Rebuild infrastructure and replace compromised hosts
  • Restore applications across all affected sites
  • Conduct staged go-live to minimise operational risk

This approach ensured recovery was controlled, verifiable, and secure at every stage.

How the Attack Was Carried Out

Six-Week Silent Infiltration

Forensic analysis later revealed attackers had been inside the environment for six weeks before detonation. During this time, they:

  • Identified key systems
  • Mapped identity paths
  • Installed backdoors
  • Exfiltrated 875GB of sensitive data
  • Targeted backup infrastructure
  • Prepared scripts for staged destruction

Kerberos Key Compromise

The attackers successfully breached the organisation’s Kerberos authentication keys, giving them the ability to impersonate any account, including Domain Admin.

This gave them unrestricted access to:

  • Servers
  • Virtualisation layers
  • Storage systems
  • Network devices
  • Privileged accounts

Nothing was off-limits.

VMware Hypervisor Compromise

Once the attackers gained hypervisor control, they:

  • Installed persistent access backdoors
  • Manipulated VM security
  • Positioned themselves for a rapid, total shutdown

Boot Sector Wipes in Coordinated Waves

Destructive actions occurred in three phases:

  • Phase 1: 30% of servers wiped
  • Phase 2: Another 30% wiped the following week
  • Phase 3: Final critical systems wiped 72 hours before encryption

This ensured no local recovery would be possible.

Malicious Domain Controller Trap

One domain controller was intentionally left active.
Its purpose:

  • Redirect VPN-connected users
  • Wipe laptops on connection
  • Spread further destruction

Hundreds of endpoints were rendered inoperable.

Final Attack — 12 Minutes to Total Shutdown

When the attackers were ready:

  • Hypervisors were disabled
  • Datastores encrypted
  • Servers forcibly shut down
  • Authentication collapsed
  • All sites went dark

Complete global outage in 12 minutes.

The Only Thing That Survived: Immutable Cloud Backups

Internal backups were specifically targeted and destroyed.

But Direct Cloud Backup’s backups were:

  • Immutable (undeletable, unchangeable)
  • Stored offsite in cloud isolation
  • Protected by MFA and zero-trust access controls
  • Completely inaccessible to threat actors

This is the only reason the business was able to recover.

Our Response & Recovery

Phase 1

Forensic Validation & Safe Recovery Point Identification

Within 12 hours, we:

  • Identified safe, uncompromised backups
  • Validated restore points for malware/backdoors
  • Established a clean recovery baseline
  • Coordinated forensic approvals

This step prevented reinfection during recovery.

Phase 2

Zero-Trust Environment Rebuild

Because the original estate was irrecoverably compromised, we rebuilt core infrastructure from scratch:

  • Active Directory
  • DNS/DHCP
  • Firewall & network architecture
  • Privileged access & MFA
  • Routing and identity trust paths
  • Secure connectivity between global sites

This created a clean, stable environment for restoration.

Phase 3

Large-Scale Data Restoration

Over six weeks, Direct Cloud Backup performed:

  • 1,180+ individual restore operations
  • Recovery of hundreds of terabytes
  • Full rehydration of ERP, manufacturing, logistics, finance, and scientific workloads
  • Rebuild of core services across all 5 global sites

This was one of the largest coordinated restore efforts in the organisation’s history.

Phase 4

Hardened Recovery & Ongoing Protection

Once restored, we:

  • Enforced zero-trust policies
  • Applied strict MFA and admin governance
  • Rebuilt backup chains on new, clean infrastructure
  • Implemented advanced monitoring
  • Strengthened change-control processes

The new environment is significantly more secure than the original.

Outcome

The business recovered fully without permanent data loss.
Production and operational systems were restored, identity was stabilised, and all global sites returned to operation.

Global sites affected 5
Systems recovered 100%
Critical data restored 100%
Total data recovered 875 GB+
Time to full rebuild 8 weeks
Outcome The organisation adopted a modernised backup and DR strategy to reduce future exposure.

Lessons for Modern Organisations

1. Attacks Are Multi-Stage

Ransomware is now a chain of identity theft, persistence, exfiltration, and system destruction.

2. Identity Is the First Target

Active Directory compromise gives attackers unrestricted reach.

3. Legacy Infrastructure Fails Under Pressure

Unsupported servers and flat networks accelerate breach impact.

4. Immutable, Isolated Backups Are Critical

This organisation recovered because backups were isolated, immutable, and cloud-based.

5. DR Plans Must Be Practised

Annual validation is essential. Most organisations don’t discover weaknesses until a real disaster.

Could Your Organisation Recover From an Attack Like This?

Most can’t. Recovery depends on whether backups are isolated, tested, and viable — and whether identity systems can be rebuilt.

Book a Consultation

Verify backup configurations, immutability, and recovery readiness.

Speak to an Expert

Review your DR design, risks, dependencies, and ability to restore critical systems.