Note: All identifying details in this case study have been changed to protect the organisation's identity. The technical details are accurate.

Incident Profile (CONFIDENTIAL, details anonymised)

Incident Type: Ransomware + Spear Phishing
Industry: Financial Services
Region: Nairobi, Kenya
Initial Access: Phishing (Macro-Enabled Excel)
Impact: Partial Encryption, 6 Hosts
Data Exfiltration: None Detected
Dwell Time: 82 Minutes Undetected
Containment Time: < 3 Hours from First Contact
Recovery Method: Offline Backup Restore

It was a Tuesday morning when we received the call. The IT manager of a mid-sized financial services firm in Nairobi had noticed that files on the company's shared drive were being renamed with an unknown extension. By the time he called us at 9:14 AM, roughly 30% of the shared drive was already encrypted.

What followed was a controlled, methodical incident response that resulted in full containment of the ransomware within three hours of first contact, preventing further encryption and enabling recovery to begin.

Attack Timeline

07:52 AM - Initial Compromise [T1566.001]
Accounts payable staff member opens a macro-enabled Excel attachment from a spoofed supplier email. VBA macro executes a PowerShell dropper and downloads the ransomware payload from a remote C2 server.

07:54 AM - Payload Execution & Privilege Escalation [T1059.001]
Ransomware process spawns and begins local privilege escalation using a known Windows service misconfiguration. Achieves SYSTEM-level access within ~2 minutes of initial execution.

07:57 AM - Credential Harvesting & Lateral Movement [T1003]
Ransomware dumps LSASS memory to harvest domain credentials. Uses harvested credentials to authenticate to adjacent workstations and the primary file server via SMB.

08:02 AM - Shadow Copy Deletion & Encryption Begins [T1490]
Ransomware deletes Volume Shadow Copies (VSS) via vssadmin delete shadows /all /quiet to prevent local recovery. File encryption begins simultaneously across 3 workstations. Files renamed with .enc2024 extension.

08:14 AM - File Server Targeted [Lateral]
Ransomware spreads to the primary file server using harvested domain admin credentials. Shared drive encryption begins. Approximately 12% of data encrypted in the first 10 minutes.

09:14 AM - IT Manager Detects Unusual File Activity [Detection]
Staff report inability to open files. IT manager notices mass renaming of files on the shared drive. ~30% of file server data is already encrypted at this point. Netcaru IR team contacted immediately.

09:14 AM - Netcaru IR Engagement Begins [Response]
Netcaru incident response team engaged. Remote triage begins. Immediate containment instructions issued to IT manager: network isolation of affected workstations, domain login lockdown, file server isolation.

09:47 AM - Network Containment Achieved [Contained]
All affected systems isolated. Ransomware spread halted. Remote forensic access established to clean management workstation. Event log analysis begins to establish full attack timeline.

10:31 AM - Ransomware Variant Identified & Scope Confirmed [Analysis]
Variant identified as modified strain of known ransomware family. Scope confirmed: 3 workstations fully encrypted, 2 partially, file server 47% encrypted. Offline backups confirmed intact and untouched.

10:31 AM to 12:02 PM - Eradication & Recovery [Recovery]
Affected workstations wiped and rebuilt from clean images. File server restored from offline backup (22 hours old). Full domain credential reset executed. IOCs extracted and added to detection rules.

12:02 PM - Full Containment & Operations Restored [Resolved]
All systems returned to operation. Total incident duration from first contact: 2 hours 48 minutes. Client briefed on root cause, remediation steps, and recommended hardening measures.
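The 07:52, 07:57 and 08:02 stages of the timeline each leave a distinct trace in endpoint telemetry. The detection logic below is an added example, not part of the original case study or Netcaru's tooling; it runs over constructed Sysmon-style events (EventID 1 process creation, EventID 10 process access, with Sysmon's field names) and flags an Office application spawning a script host, a non-system process reading LSASS memory, and the vssadmin shadow-copy deletion. Hostnames and paths in the sample are made up or taken from the IOC table.

```python
import re
from typing import Iterable

# Constructed, Sysmon-style events (EventID 1 = process create, 10 = process access).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
TRUSTED_LSASS_READERS = {"csrss.exe", "wininit.exe", "msmpeng.exe"}  # tune to your estate


def _base(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[dict]) -> list[dict]:
    """Return one alert per event that matches a stage of the timeline."""
    alerts = []
    for ev in events:
        host = ev.get("Computer", "?")
        if ev.get("EventID") == 1:
            parent, child = _base(ev.get("ParentImage", "")), _base(ev.get("Image", ""))
            cmd = ev.get("CommandLine", "")
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS:  # 07:52 macro -> PowerShell
                alerts.append({"technique": "T1566.001/T1059.001", "host": host,
                               "detail": f"{parent} spawned {child}"})
            if VSS_DELETE.search(cmd):  # 08:02 shadow copy deletion
                alerts.append({"technique": "T1490", "host": host, "detail": cmd})
        elif ev.get("EventID") == 10 and _base(ev.get("TargetImage", "")) == "lsass.exe":
            granted = int(ev.get("GrantedAccess", "0x0"), 16)
            src = _base(ev.get("SourceImage", ""))
            if granted & PROCESS_VM_READ and src not in TRUSTED_LSASS_READERS:  # 07:57 LSASS dump
                alerts.append({"technique": "T1003", "host": host, "detail": f"{src} read lsass.exe"})
    return alerts


# Constructed sample mirroring the 07:52, 07:57 and 08:02 entries; hostnames are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "AP-WS01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Windows\Temp\ps_drop_01.ps1"},
    {"EventID": 10, "Computer": "AP-WS01", "SourceImage": r"C:\Users\Public\svchost32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Computer": "AP-WS01", "ParentImage": r"C:\Users\Public\svchost32.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "Computer": "AP-WS02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Any one of the three rules firing on the accounts payable workstation at 07:52 would have cut the 82-minute dwell time to seconds; the benign notepad event shows the rules do not fire on ordinary process activity.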

Phase 1: Triage and Initial Containment (9:14 — 9:47 AM)

Our first priority upon receiving the call was to stop the spread. Ransomware moves fast, and every minute of delay means more encrypted files.

Our remote triage team began assessing the network while giving the IT manager immediate containment instructions: isolate the affected workstations from the network, lock down domain logins, and isolate the file server.

Within 15 minutes, we had remote access to a clean management workstation and began analysing event logs. We identified the initial infection vector: a phishing email opened by an accounts payable staff member at 7:52 AM — over an hour before anyone noticed anything was wrong.

Key Finding: The ransomware had been active for 82 minutes before detection. This is why continuous monitoring matters. In many environments, ransomware can remain undetected for days or even weeks before encryption begins.

Phase 2: Identification and Scoping (9:47 — 10:31 AM)

We identified the ransomware variant as a modified version of a well-known strain, delivered via a macro-enabled Excel attachment in a spear-phishing email. The email had been highly targeted — it appeared to come from one of the firm's actual suppliers, complete with accurate invoice formatting.

The scope assessment revealed three workstations fully encrypted, two partially encrypted, and the file server 47% encrypted. Offline backups were confirmed intact and untouched.

Phase 3: Eradication and Recovery (10:31 AM — 12:02 PM)

With backups confirmed intact, recovery was methodical. We initiated system rebuilds for the affected workstations and began restoring the file server from the most recent clean backup. Restoration completed later that day.

We also conducted a full credential reset for all domain accounts as a precautionary measure, given that the ransomware had domain-level access during its activity period.

Indicators of Compromise (IOCs)

The following IOCs were extracted during forensic analysis and shared with the client for integration into their detection tools and email filtering rules. Organisations running similar environments should check for these indicators immediately.

Extracted IOCs (Nairobi Financial Sector Incident, TLP: WHITE)

Type | Indicator | Description | Severity
SHA-256 | a3f9c2e1b47d08f56c91e4b2d73a0f88d5e2c1b9a4f70e3d | Ransomware payload binary dropped by VBA macro. Detected as Ransom.Win32.Enc2024 | Critical
SHA-256 | 7b2d4e9f1c6a08b35e7d2f4a1c9b6e3f8d5a2c7b4e1f9d6a | VBA macro dropper embedded in Excel attachment (Invoice_Oct2024.xlsm) | Critical
Domain | update-srv-cdn[.]net | C2 server used for payload delivery. Registered 6 days before the attack. Hosted on bulletproof infrastructure. | Critical
Domain | supplier-invoice-portal[.]com | Spoofed domain used in phishing email. Visually similar to legitimate supplier domain. Registered via anonymous registrar. | High
IP Address | 185.220.101[.]47 | C2 callback IP. Associated with Tor exit node infrastructure. Seen in multiple ransomware campaigns across East Africa in Q4 2024. | Critical
IP Address | 91.108.4[.]203 | Secondary exfiltration check-in IP. No data exfiltration confirmed, but connection attempt logged. | High
File Path | C:\Users\Public\svchost32.exe | Ransomware binary dropped to public directory masquerading as a Windows system process. Persistence via scheduled task. | Critical
File Path | C:\Windows\Temp\ps_drop_01.ps1 | PowerShell dropper script. Executes encoded payload download. Deletes itself after execution. | Critical
Registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SvcUpdate32 | Registry persistence key created by ransomware to survive reboots. Value points to dropped binary in Public folder. | High
MD5 | f3c9a1e2b4d7085f6c91e4b2d73a0f88 | Email attachment hash. Subject line: "Outstanding Invoice — Action Required". Sender spoofed as supplier@[legitimate-domain] | High

How to Use These IOCs

Block the listed domains and IPs at your perimeter firewall and DNS resolver. Add file hashes to your endpoint protection blocklist. Search your email logs for the attachment MD5. If you find a match, assume compromise and initiate your incident response procedure immediately.
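The retrospective search the paragraph above recommends (attachment MD5 in mail logs, C2 domain in resolver logs, callback IP in firewall logs) can be scripted. The sweep below is an added example, not Netcaru's tooling: it takes the network and hash indicators from the table exactly as published (defanged with "[.]"), refangs them, and checks every token of each log line against them. The three log formats and the sender address are constructed, so the token regexes will need adapting to your own gateway, resolver and firewall output.

```python
import re

# Indicators copied from the IOC table above, still defanged as published.
IOCS = {
    "md5": {"f3c9a1e2b4d7085f6c91e4b2d73a0f88": "High"},
    "domain": {"update-srv-cdn[.]net": "Critical", "supplier-invoice-portal[.]com": "High"},
    "ip": {"185.220.101[.]47": "Critical", "91.108.4[.]203": "High"},
}


def refang(value: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp://') back into its matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()


# Per-type lookup tables keyed by the refanged, lower-cased indicator.
LOOKUP = {kind: {refang(v): sev for v, sev in vals.items()} for kind, vals in IOCS.items()}

# Token extractors; hashes and domains are matched case-insensitively.
TOKENS = {
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def sweep(lines):
    """Return [(line_no, kind, indicator, severity)] for every IOC hit in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, pattern in TOKENS.items():
            for token in pattern.findall(line):
                severity = LOOKUP[kind].get(token.lower())
                if severity:
                    hits.append((n, kind, token.lower(), severity))
    return hits


# Constructed log lines: one mail-gateway record, two resolver records, one firewall record.
SAMPLE_LOGS = [
    '2024-10-15T07:51:03Z mailgw from=supplier@example-supplier.test subj="Outstanding Invoice" '
    "attach=Invoice_Oct2024.xlsm md5=F3C9A1E2B4D7085F6C91E4B2D73A0F88",
    "2024-10-15T07:52:40Z dns client=10.20.1.15 query=update-srv-cdn.net type=A",
    "2024-10-15T07:52:41Z fw action=allow src=10.20.1.15 dst=185.220.101.47 dport=443",
    "2024-10-15T07:53:00Z dns client=10.20.1.16 query=www.microsoft.com type=A",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(hit)
```

A single hit on the attachment hash or the C2 domain is enough to trigger the "assume compromise" step; the sweep reports every match so the earliest line gives you the start of the timeline.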

Lessons Learned

What Saved This Client

What This Client Needed to Improve

Is Your Organisation Prepared?

Every organisation should have an incident response plan before an attack occurs. Netcaru offers IR readiness assessments and retainer agreements that guarantee rapid response when you need it most.