Detected lateral movement, isolated affected systems, restored from clean backups, no ransom paid
An EDR alert escalated to a confirmed ransomware event at 11pm on a Sunday at a 50-person fintech. Initial compromise traced to a phished credential at a third-party MSP, and lateral movement was active across the file server estate when the engagement started. As an NYDFS Part 500 covered entity, the company also faced a 72-hour regulatory notification clock.
Containment in under 6 hours from engagement start, full recovery within 24 hours. No exfiltration confirmed by forensic analysis. No ransom paid. Customer notified the DFS within the required 72-hour window. Engagement transitioned to a 90-day hardening project covering the third-party access path that was the initial vector.