DFIR after a ransomware incident in retail

Sector

Retail · regional chain · 15-25 points of sale · 100-200 employees · centralised ERP.

Initial situation

On a Friday afternoon the IT team detected encryption on file servers and back-office systems. Store operations remained partially available, but the back-office was paralysed. The organisation had no prior DFIR retainer and needed containment, analysis and recovery under pressure.

Approach

We activated the response procedure in less than two hours. The containment phase isolated compromised segments, suspended accounts with anomalous activity and preserved volatile evidence from affected systems. The forensic phase reconstructed the event chain: entry vector, escalation, lateral movement, exfiltration prior to encryption and dwell time. Recovery was prioritised by business criticality rather than chronological order of impact, validating integrity before each service returned to production.
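The recovery rule described above (order by business criticality and dependencies, not by when each system was hit, and gate every return to production on an integrity check) as an added illustration; it is not the tooling used in this case, and the service names, criticality ranks, dependencies, file contents and manifest hashes are constructed.

```python
import hashlib
from dataclasses import dataclass, field
@dataclass
class Service:
    name: str
    criticality: int               # 1 = most critical to the business
    encrypted_at: int              # hour encryption was first seen (constructed)
    depends_on: list = field(default_factory=list)
    restored: dict = field(default_factory=dict)  # path -> bytes restored from backup

def recovery_order(services):
    # Each round, take the most critical service whose dependencies are already
    # restored; encrypted_at is deliberately not a sort key.
    pending = {s.name: s for s in services}
    done, order = set(), []
    while pending:
        ready = [s for s in pending.values() if set(s.depends_on) <= done]
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(pending))
        nxt = min(ready, key=lambda s: (s.criticality, s.name))
        order.append(nxt.name); done.add(nxt.name); del pending[nxt.name]
    return order

def verify_integrity(service, manifest):
    # Every manifest entry must be present with a matching SHA-256; a missing,
    # extra or altered file blocks the service from returning to production.
    expected = manifest.get(service.name, {})
    return set(expected) == set(service.restored) and all(
        hashlib.sha256(d).hexdigest() == expected[p] for p, d in service.restored.items())

def plan_recovery(services, manifest):
    # Returns [(name, cleared)] in recovery order; a service that fails the check
    # stays blocked, and so does anything that depends on it.
    by_name, cleared, plan = {s.name: s for s in services}, set(), []
    for name in recovery_order(services):
        svc = by_name[name]
        ok = set(svc.depends_on) <= cleared and verify_integrity(svc, manifest)
        if ok: cleared.add(name)
        plan.append((name, ok))
    return plan
# Constructed sample: chronological impact was file-server (14h) -> back-office (15h)
# -> erp (16h) -> pos-sync (17h); the file-server restore does not match its manifest.
SERVICES = [
    Service("erp", 1, 16, restored={"erp/db.dump": b"erp-clean"}),
    Service("pos-sync", 2, 17, ["erp"], {"pos/sync.db": b"pos-clean"}),
    Service("file-server", 3, 14, restored={"fs/share.tar": b"share-TAMPERED"}),
    Service("back-office", 2, 15, ["erp", "file-server"], {"bo/app.cfg": b"bo-clean"}),
]
GOOD = {"erp": {"erp/db.dump": b"erp-clean"}, "pos-sync": {"pos/sync.db": b"pos-clean"},
        "file-server": {"fs/share.tar": b"share-clean"}, "back-office": {"bo/app.cfg": b"bo-clean"}}
MANIFEST = {s: {p: hashlib.sha256(b).hexdigest() for p, b in f.items()} for s, f in GOOD.items()}
```

With this data the ERP comes back first even though the file server was encrypted earliest, and the back-office stays blocked until the file server restore is proven clean.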

Result

Basic operations were restored in 4 days and full recovery took 11 days; no ransom was paid, and a legally preserved evidence copy was available for both the police report and the insurer. The post-incident report led to six structural actions with defined deadlines.

Lesson

The difference between an expensive incident and a catastrophic one lies in what has been decided in advance, not in what is decided under pressure.

Time and effort

Active response 11 days · forensic report + structural plan 3 additional weeks · peak team of 3-5 people.

Tags

DFIR · Ransomware · Incident response · Digital forensics · Recovery · Business continuity