Turning a ransomware attack into lasting protection.

The story behind the attack

This client operates in the plant and equipment hire industry, where system availability directly impacts revenue, logistics, and customer service. With four depots relying on shared systems, any downtime quickly affects bookings, asset availability, invoicing, and day-to-day operations on the ground. 
 
The business operated a centralised Microsoft environment, combining on-premises servers, Microsoft 365, and remote access through a firewall. This supported a core hire management system, shared business data, and end-user devices across all locations. 
 
In November 2025, the business suffered a ransomware attack that breached the network through a firewall vulnerability. The attack quickly spread across the environment, encrypting servers and user devices and bringing operations across all depots to a standstill. 
 
What followed was not just a technical recovery exercise, but a critical business recovery, requiring systems to be restored quickly, securely, and in a way that reduced the risk of a similar incident happening again.

When operations came to a standstill

The business experienced a full network compromise following a ransomware attack that entered the environment through a firewall vulnerability. 

Once inside, the attacker moved quickly across the network, encrypting all servers and user devices. 

This resulted in:

  • Loss of access to shared files and business data.
  • User devices encrypted across all four depots.
  • User accounts and passwords compromised.
  • Serious risk to Active Directory and administrator access.
  • Major disruption to daily operations and staff productivity.

During recovery, additional issues surfaced. When secure remote access was reconfigured to work with Microsoft 365, directory synchronisation pushed stale on-premises identity data (user principal names, email addresses and group membership) over the current cloud values. This caused sign-in failures, changed email addresses, and broken distribution groups.

A separate issue affecting the hire management system was also identified and confirmed to be unrelated to the ransomware. That system was safeguarded and validated during recovery to ensure no further business impact.

Restoring and rebuilding trust

ROCK, as their Managed Service Provider (MSP), took control of the situation with a clear, structured recovery project focused on three priorities: stop the threat, recover the business, and reduce the risk of it happening again.

Immediate containment: Access to the firewall was secured straight away by removing unauthorised users and changing all access credentials. This closed the entry point used in the attack and blocked further access by that route.

Threat detection & control: ROCK Cybersecurity, the MSP's detection and response platform, was deployed across all servers and user devices. This provided visibility of activity across the environment.
 
Data recovery: Clean data was restored from backups, allowing shared file access to be safely brought back online without paying a ransom. 
 
Server modernisation: Older, unsupported servers were replaced with modern, supported systems. This removed known security risks and improved overall system stability.

Identity & access reset: All user, admin and service account passwords were reset. User access was reviewed, permissions were validated, and multi-factor authentication was enforced to protect accounts going forward. 
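The identity reset above covers user, admin and service accounts together. As an added example (not ROCK's script, and not something the page says was used), the PowerShell below performs that bulk reset against an on-premises Active Directory domain: every enabled account gets a cryptographically random password, human users are forced to change it at next logon, and service accounts (assumed here to be members of a group named ServiceAccounts, or to carry an SPN) are reported out so their new secret can be stored in the vault and updated in the service configuration. The group name and the ActiveDirectory RSAT module are assumptions; run with -WhatIf first.

```powershell
# Added example: bulk credential reset for an on-premises AD domain after a compromise.
# Assumes the ActiveDirectory RSAT module and an account with password-reset rights.
#Requires -Modules ActiveDirectory

function New-RandomPassword {
    # Cryptographically random password; rejection sampling avoids modulo bias.
    param([int]$Length = 24)
    $alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%&*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

function Reset-DomainCredentials {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed group that holds service accounts; adjust to the environment.
        [string]$ServiceAccountGroup = 'ServiceAccounts',
        # krbtgt is reset separately (twice, with a wait between), not by this loop.
        [string[]]$Exclude = @('krbtgt')
    )

    $svc = @{}
    Get-ADGroupMember -Identity $ServiceAccountGroup -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $svc[$_.SamAccountName] = $true }

    $users = Get-ADUser -Filter { Enabled -eq $true } -Properties adminCount, servicePrincipalName, lastLogonDate
    foreach ($u in $users) {
        if ($Exclude -contains $u.SamAccountName) { continue }

        $isService = $svc.ContainsKey($u.SamAccountName) -or ($u.servicePrincipalName.Count -gt 0)
        $isAdmin   = $u.adminCount -eq 1
        $category  = if ($isService) { 'service' } elseif ($isAdmin) { 'admin' } else { 'user' }

        $newPassword = New-RandomPassword
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Reset password ($category)")) {
            Set-ADAccountPassword -Identity $u -Reset `
                -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)
            # Humans must change it at next logon; service accounts cannot, so their
            # new secret is emitted below for the vault and the service configuration.
            Set-ADUser -Identity $u -ChangePasswordAtLogon (-not $isService)
        }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Category       = $category
            LastLogon      = $u.lastLogonDate
            NewPassword    = if ($isService) { $newPassword } else { '<must change at logon>' }
        }
    }
}

# Usage: preview first, then run and hand only the service-account rows to the vault.
# Reset-DomainCredentials -WhatIf
# Reset-DomainCredentials | Where-Object Category -eq 'service' |
#     Export-Csv .\service-accounts.csv -NoTypeInformation
```

Two caveats a practitioner would add: a password reset does not invalidate Kerberos tickets already issued, so after a domain-wide compromise the krbtgt account is normally reset twice as well (the page does not say whether this was done here), and the CSV of service-account secrets must be moved into the password manager and deleted, since it is the one place plaintext credentials exist after the run.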
 
Microsoft 365 identity fix: Identity conflicts caused by legacy sync settings were corrected, restoring accurate user sign-ins, email addresses, and group access.

Endpoint & network rebuild: Every user device across all depots was wiped and rebuilt. Network switches and wireless access points were factory reset and securely reconfigured, so that no attacker-modified configuration survived on network equipment.
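The sync overwrite described in the recovery section and corrected here is a predictable failure mode of hybrid identity: when on-premises synchronisation is re-established, Active Directory is the source of authority and its values replace whatever the cloud currently holds. The check a practitioner wants before re-enabling sync is a report of where the two directories disagree. The PowerShell below is an added example (not ROCK's script) that compares each synced user's UPN, mail and SMTP proxy addresses in AD against the current Microsoft Entra ID values, matching on the ImmutableId that Entra Connect derives from the AD objectGUID. It assumes the ActiveDirectory and Microsoft.Graph modules and an existing Graph session with User.Read.All.

```powershell
# Added example: report on-premises AD attributes that would overwrite current
# Microsoft 365 (Entra ID) values when directory sync is re-enabled.
# Assumes: Connect-MgGraph -Scopes User.Read.All has already been run.
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users

function Get-HybridIdentityDrift {
    [CmdletBinding()]
    param([string]$SearchBase)   # optional OU to limit the AD query

    $adParams = @{ Filter = { Enabled -eq $true }; Properties = 'mail', 'proxyAddresses', 'userPrincipalName' }
    if ($SearchBase) { $adParams.SearchBase = $SearchBase }
    $adUsers = Get-ADUser @adParams

    # Entra Connect matches synced users on ImmutableId = base64(objectGUID).
    $cloud = @{}
    Get-MgUser -All -Property id, userPrincipalName, mail, proxyAddresses, onPremisesImmutableId, onPremisesSyncEnabled |
        Where-Object { $_.OnPremisesImmutableId } |
        ForEach-Object { $cloud[$_.OnPremisesImmutableId] = $_ }

    foreach ($ad in $adUsers) {
        $immutableId = [Convert]::ToBase64String($ad.ObjectGUID.ToByteArray())
        $c = $cloud[$immutableId]
        if (-not $c) { continue }   # cloud-only or never synced: nothing to overwrite

        $issues = @()
        # String -ne is case-insensitive in PowerShell, which is what we want for UPNs.
        if ($ad.UserPrincipalName -ne $c.UserPrincipalName) {
            $issues += "UPN: AD '$($ad.UserPrincipalName)' would replace cloud '$($c.UserPrincipalName)'"
        }
        if ($ad.mail -and $ad.mail -ne $c.Mail) {
            $issues += "mail: AD '$($ad.mail)' would replace cloud '$($c.Mail)'"
        }
        # SMTP addresses the cloud has but AD lacks would be dropped on export;
        # the tenant's own *.onmicrosoft.com addresses are managed by the cloud and ignored.
        $adSmtp    = @($ad.proxyAddresses | Where-Object { $_ -like 'smtp:*' }) | ForEach-Object { $_.ToLower() }
        $cloudSmtp = @($c.ProxyAddresses | Where-Object { $_ -like 'smtp:*' -and $_ -notlike '*.onmicrosoft.com' }) |
            ForEach-Object { $_.ToLower() }
        $missing   = $cloudSmtp | Where-Object { $adSmtp -notcontains $_ }
        if ($missing) { $issues += "proxyAddresses missing in AD: $($missing -join ', ')" }

        if ($issues) {
            [pscustomobject]@{
                SamAccountName = $ad.SamAccountName
                CloudUpn       = $c.UserPrincipalName
                Issues         = $issues -join '; '
            }
        }
    }
}

# Usage: fix every row in AD (or decide the cloud value was wrong), then start sync.
# Get-HybridIdentityDrift | Format-Table -Wrap
```

The same comparison applies to mail-enabled groups (Get-MgGroup against AD groups carrying a mail attribute), which is where the distribution-group breakage reported above comes from. Entra Connect's staging mode, which stages exports without applying them, is the second safety net: review the pending exports in the Synchronization Service Manager before taking the server out of staging.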
 
Application validation: Business critical applications were checked to confirm correct access and permissions, ensuring systems were stable and secure once services were restored.

Lasting protection for the future

The business was fully restored with a stronger, simpler, and more secure IT environment, allowing operations across all depots to return to normal without paying a ransom. 

Key benefits delivered:

  • Business-critical data fully recovered with no ransom paid
  • All malicious access removed, with attacker activity fully contained
  • Proactive threat detection and response in place across servers and user devices through the ROCK Cybersecurity platform
  • Faster visibility of suspicious activity, reducing the risk of future attacks spreading unchecked
  • Secure user access with multi-factor authentication enforced across the organisation
  • Removal of outdated systems that previously increased cyber risk
  • Stable Microsoft 365 sign-ins and email services restored
  • Staff able to return to work quickly and safely across all depots

Beyond the immediate recovery, the business gained the confidence of having ROCK on hand as a trusted managed security partner. In the event of future incidents, they now have experienced support available to act quickly, contain threats, and minimise business disruption. 
 
Instead of reacting to incidents after damage is done, the organisation has moved to a more proactive security posture, with continuous monitoring, faster response, and clearer control over their environment.

The bigger win

This wasn’t just about fixing a breach; it was about making the business safer going forward. 

The business moved from a vulnerable, legacy-heavy setup to a clean, modern environment secured by ROCK Cybersecurity. Threats are now detected early, suspicious activity is visible in real time, and attacks can be contained before they spread. 
 
With stronger controls across servers, user devices, and identities, the business now has confidence in its security day to day, not just after an incident. If something does go wrong, they know it will be identified quickly and handled decisively. 
 
The result is a business that can focus on running operations, not worrying about cyber threats, with security that actively supports resilience and growth instead of slowing it down.
