Ransomware is no longer just a topic for conferences or polished slides. It is a concrete threat that stops real companies, halts production and puts entire business models at risk. To understand how devastating an attack can be, you need to look closely at what happens inside an organization the moment criminals break in and start moving.
This is not simply about “encrypted files”. Long before encryption happens, attackers perform reconnaissance, steal data, destroy backups and back the company into a corner. By the time the ransom note appears, the game has already been lost for hours, often days.
This is the story of one such incident.
The incident: how the attackers got in and what happened next
In recent years, cybercriminals have shifted their focus from individual servers to entire virtualization infrastructures. The reason is straightforward: encrypting virtual machine files allows them to impact dozens of systems in minutes with a single action.
In the case we analyzed, the initial access came through a VPN without MFA, a scenario that is still far too common. The compromised credentials belonged to an external consultant who regularly accessed the infrastructure for support activities. The forensic analysis uncovered a critical detail: the consultant was also using a personal computer for work, with no adequate protection, no enterprise controls and no secure password management practices.
Information-stealing malware (an infostealer) installed on that system collected and exfiltrated all stored credentials, including those for the company VPN. What might seem like a simple mistake is in reality a classic supply chain attack: criminals target the weakest link, which is often outside the organization.
Once inside, the attackers found an additional gift. Those same VPN credentials also granted privileged access to internal systems. From there, the attack unfolded quickly and quietly:
- network reconnaissance
- collection of virtualization infrastructure credentials
- identification and compromise of backup systems
- data exfiltration
- mass encryption of virtual machines
The company had no ransomware-resilient backups. The outcome was severe: complete loss of the information assets, halted production, staff placed on temporary leave, contractual penalties and weeks of recovery just to return to minimal operations.
Remediation: what was done and what companies really need
In the short term, the priority was clear: contain the damage and rebuild the minimum necessary to resume activity. But the real lesson comes later, when the company understands that no recovery is complete without structural improvement.
Several measures were introduced, all essential:
- network segmentation to limit lateral movement
- deployment of next-generation EDR solutions across endpoints and servers
- implementation of multi-factor authentication on the VPN and critical systems
- introduction of a corporate password manager
- creation of truly resilient backups, including immutable copies
- activation of an MDR service for continuous monitoring and incident response
An MDR service, in particular, could have changed the outcome. Indicators such as VPN logins at unusual hours, connections from unexpected foreign IP addresses and unusually rapid lateral movement would have triggered early alerts, allowing defenders to block access and isolate systems before encryption occurred.
Beyond technology: what actually changes organizations
Technology alone is not enough. Tools are necessary, but without governance, clear policies and widespread awareness, they remain empty boxes. Security must begin with leadership, because only a conscious management team can enforce robust processes, continuous controls and responsible decision making.
This is exactly the direction pushed by directives such as NIS2, which frame cybersecurity as an organizational responsibility rather than a purely technical matter.
Ransomware attacks are not exceptions. They are a daily, concrete risk. The question is no longer whether an organization will be attacked. The real question is: will we be ready when it happens?
By Andrea Coli – Incident Response Manager