Ransomware on 800 endpoints at an automotive supplier · full recovery in 9 days
An automotive supplier in the Marmara region was hit by a LockBit variant on a Friday evening. 800 endpoints + 12 PLCs were encrypted and the production line stopped for 9 days. DSET delivered a full recovery without paying ransom through an incident response + digital forensics + hardening process.
01 The Challenge
At 22:14 on Friday, after a maintenance window, a LockBit 3.0 variant spread laterally across the network. By Monday morning 800 Windows endpoints · 12 Siemens PLCs · 3 file servers · 1 ERP DB had been encrypted. The ransom demanded was 1.8M USD. Automotive OEM customers warned "if you cannot supply, the contract is cancelled." A supply chain disruption translated to a loss of 12,000 € per minute.
02 DSET's Approach
T+0 · First response
The DSET incident response team made phone contact in 47 seconds · on site in 2 hours 11 minutes. To isolate lateral movement on the network, we took 3 important core switches offline.
T+8h · Forensic collection
We imaged the affected systems. The initial access vector was identified: an attacker who had entered 4 weeks earlier via brute force over the supplier VPN had remained dormant.
T+24h · Decryption analysis
Using the LockBit 3.0 builder leak, we tested whether the encryption keys could be regenerated. Key recovery was possible for some files.