Earlier this month, a major Managed Service Provider (MSP) suffered a devastating ransomware attack that left all its hosted systems compromised. The attack disrupted operations for numerous businesses that depended on the MSP for hosting critical infrastructure. While CYFOR Secure, was not directly engaged by the affected MSP, we stepped in to support several of its customers, who were left in operational chaos.

Our role was unconventional in this instance. Rather than investigating the breach or engaging directly with the attackers, our primary focus was on helping third-party businesses recover their data, implement interim solutions, and rebuild operational capacity.

Challenges Faced

Supporting third-party organisations in the wake of a ransomware attack presented a set of unique and complex challenges. Unlike traditional Incident Response (IR) situations, we were working without access to the compromised systems and had to rely on fragmented information from clients. Each organisation faced its own hurdles, but some common themes emerged:

  1. Loss of Backend Systems: The ransomware attack wiped out the MSP-hosted systems, including financial systems and databases. Organisations were left without access to the tools and data that structured their daily operations.
  2. Fragmented Data Sources: While some critical data still existed in emails, PDFs, and attachments, it was unstructured and required significant time and effort to process manually.
  3. Uncertainty About Original Systems: With no clear timeline or guarantee for restoring the MSP-hosted systems, we had to ensure that the solutions we implemented could function as either temporary or permanent replacements.
  4. Urgency for Continuity: Many clients were facing immediate operational disruption, which required us to deliver fast yet thoughtful solutions to keep their businesses running.
  5. Communication and Coordination: Without direct access to the MSP or its systems, we had to navigate recovery efforts with limited insight while coordinating with multiple clients, each with unique needs and priorities.

Our Response

In such a dynamic and challenging environment, we had to adopt a flexible and innovative approach to meet the needs of the affected organisations. The solutions we provided focused on enabling rapid recovery while ensuring scalability for future transitions.

  1. Implementing Temporary Systems for Continuity: The loss of MSP-hosted systems meant that many organisations couldn’t perform basic functions. To address this, we quickly helped implement temporary systems tailored to each client’s operational requirements. These systems provided immediate relief, allowing businesses to resume workflows while we worked on more permanent solutions.
  2. Data Reconstruction Through Custom Software Development: For organisations that still had critical data stored in emails and documents, we designed and developed custom software to extract and structure the information into CSV files. This approach saved weeks of manual data processing and enabled clients to restore their financial and operational systems efficiently.
  3. Disaster Recovery Expertise: Using our expertise in disaster recovery, we helped clients identify and restore critical systems from available backups. We worked closely with each organisation to prioritise their most pressing operational needs, ensuring that they could resume key functions as quickly as possible.

Outcomes

Our efforts resulted in meaningful, measurable outcomes for the affected organisations. By focusing on efficiency and adaptability, we were able to turn a potentially devastating situation into an opportunity for recovery and resilience.

  • Rapid Recovery: The custom software we developed enabled clients to regain access to critical data and resume operations within days.
  • Operational Continuity: Temporary systems allowed businesses to maintain functionality while permanent solutions were explored.
  • Enhanced Preparedness: The scalable solutions we implemented positioned clients to better manage future disruptions and recover more effectively.

Reflection from Our Cyber Security Team

This experience provided a valuable opportunity to reflect on the broader impact of cyber incidents, particularly on third-party organisations. Supporting affected businesses rather than responding to the attack itself presented unique challenges but also demonstrated the value of our expertise in recovery and resilience.

"It was a fascinating challenge to see firsthand how cyber incidents impact organisations indirectly. Planning support solutions without knowing if or when the original systems would be restored required strategic thinking, but it was rewarding to help our clients get back on their feet."

- Technical Director, Will Poole.

Conclusion

By combining technical expertise, creative problem-solving, and a client-focused approach, our experts provided meaningful support to organisations in crisis. This experience underscores the importance of flexibility and innovation in helping businesses recover and rebuild after cyber-attacks.