Ransomware Scenario: Friday Evening, 6 PM – A Step-by-Step Walkthrough

TL;DR
  • The first hour decides everything: segment the network, activate the crisis team, secure evidence. Whoever acts correctly in the first 60 minutes significantly limits the damage.
  • Communication runs on multiple channels in parallel: executive management, IT team, workforce, customers, suppliers, authorities. Each channel requires its own messaging and timing.
  • NIS2 requires an initial report to the BSI within 24 hours; DSGVO (GDPR) requires a report to the data protection authority within 72 hours when personal data is involved.
  • Recovery does not simply mean restoring a backup: first the entry point must be closed, backup integrity verified, and the restoration sequence determined.
  • Monday morning is not the end but the beginning of post-incident work. Lessons learned, action plans, and process improvements follow in the weeks after.

Friday, 5:52 PM: The Calm Before the Storm

Muller Maschinenbau GmbH in Schwaebisch Hall manufactures specialized tools for the automotive industry. 100 employees, five of them in IT. The company runs an on-premises ERP system, an engineering department with CAD workstations, a file server with 12 terabytes of project data, and a VPN connection for the field sales team. The IT infrastructure is solid but not state of the art. There is a backup system, but the last restore test was eight months ago.

It is Friday, shortly before 6 PM. Production has clocked out; the offices are emptying. IT manager Thomas Brenner is still at his desk working through the last tickets. Three of the five IT staff are already off for the weekend. CEO Petra Muller is on her way home.

At 5:52 PM, the monitoring system reports unusually high disk activity on the file server. Thomas notices the alert but initially assumes it is the weekly virus scan, which sometimes causes load spikes. Eight minutes later, that assumption becomes obsolete.

Friday, 6:00 PM: Detection

At 6:00 PM, the last employee in accounting calls. She was trying to save one more invoice and now sees a file called "README_RESTORE.txt" on the network drive. At the same time, all her Excel files have acquired a new extension: .locked. Thomas opens the text file and reads the sentence no IT manager ever wants to read:

"All your files have been encrypted with military-grade encryption. Transfer 4.5 Bitcoin to the following wallet within 96 hours, or your data will be published on our leak site."

At this moment, the clock starts ticking. What Thomas does in the next 60 minutes determines whether Muller Maschinenbau GmbH will be operational again by Monday or be out of commission for weeks.

What Is Happening Technically Right Now?

The ransomware has likely gained access to the file server through a compromised user account and is systematically encrypting all accessible files. Depending on the variant, the encryption is simultaneously spreading to other network shares, SharePoint shares, and connected systems. Every minute that passes means more encrypted data.

What Thomas does not yet know: the attackers have probably been in the network for days or weeks. Ransomware groups rarely encrypt immediately. They move laterally through the network, identify critical systems, exfiltrate data and, in the worst case for the victim, disable backup mechanisms before starting the encryption. Friday evening is no coincidence. Attackers deliberately choose times when IT staffing is minimal.
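The 5:52 PM disk-activity alert and the ".locked" files are two faces of the same behaviour: one account renaming hundreds of documents to an unknown extension in a short time, plus a dropped ransom note. The following sliding-window detector is an added example (not code from the original article or from any tool mentioned in it) that runs over file-server audit events; the event tuples, the server and account names, the extension list and the 25-renames-per-minute threshold are all constructed assumptions to be tuned to your own environment.

```python
import posixpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions that normally appear on this file server (assumption; tune per environment).
NORMAL_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".dwg", ".step", ".txt", ".csv"}
# Filename fragments typical of ransom notes; "readme_restore" is the name from the scenario.
RANSOM_NOTE_MARKERS = ("readme_restore", "how_to_decrypt", "restore_files")


def _name_and_ext(path):
    """Split a UNC or local path into (lowercased file name, extension)."""
    name = posixpath.basename(path.replace("\\", "/")).lower()
    return name, posixpath.splitext(name)[1]


def is_suspicious_rename(old_path, new_path):
    """True when a rename turns an ordinary document into a file with an unknown extension."""
    _, old_ext = _name_and_ext(old_path)
    _, new_ext = _name_and_ext(new_path)
    return new_ext not in ("", old_ext) and new_ext not in NORMAL_EXTENSIONS


def detect_mass_encryption(events, window=timedelta(seconds=60), threshold=25):
    """Sliding-window detector over file-server audit events.

    events: iterable of (timestamp, account, operation, path, new_path_or_None)
    Returns (alerts, notes): alerts maps an account to (time of first alert,
    number of suspicious renames inside the window at that moment); notes lists
    (timestamp, account, path) of newly created files that look like ransom notes.
    """
    recent = defaultdict(deque)   # account -> timestamps of recent suspicious renames
    alerts, notes = {}, []
    for ts, account, op, path, new_path in sorted(events, key=lambda e: e[0]):
        name, _ = _name_and_ext(path)
        if op == "CREATE" and any(m in name for m in RANSOM_NOTE_MARKERS):
            notes.append((ts, account, path))
        if op == "RENAME" and new_path and is_suspicious_rename(path, new_path):
            q = recent[account]
            q.append(ts)
            while ts - q[0] > window:      # drop renames that fell out of the window
                q.popleft()
            if len(q) >= threshold and account not in alerts:
                alerts[account] = (ts, len(q))
    return alerts, notes


# Constructed sample: a quiet server, then the hijacked engineer account renaming
# sixty CAD files to *.locked within two minutes and dropping the ransom note.
T0 = datetime(2024, 5, 17, 17, 50)   # constructed "Friday, 5:50 PM"
SAMPLE_EVENTS = [
    (T0 + timedelta(seconds=5), "sales.koch", "WRITE", r"\\fs01\sales\offer_4711.docx", None),
    (T0 + timedelta(minutes=5), "hr.weber", "RENAME", r"\\fs01\hr\draft.docx", r"\\fs01\hr\final.docx"),
    (T0 + timedelta(minutes=4), "eng.meier", "CREATE", r"\\fs01\projects\README_RESTORE.txt", None),
]
SAMPLE_EVENTS += [
    (T0 + timedelta(minutes=2, seconds=2 * i), "eng.meier", "RENAME",
     rf"\\fs01\projects\part{i:02d}.dwg", rf"\\fs01\projects\part{i:02d}.dwg.locked")
    for i in range(60)
]

if __name__ == "__main__":
    alerts, notes = detect_mass_encryption(SAMPLE_EVENTS)
    for account, (ts, n) in alerts.items():
        print(f"ALERT {ts:%H:%M:%S}: {account} renamed {n} files to an unknown extension within 60 s")
    for ts, account, path in notes:
        print(f"NOTE  {ts:%H:%M:%S}: {account} created possible ransom note {path}")
```

The ordinary rename by hr.weber (docx to docx) is ignored, while the engineer's account trips the alert after its 25th suspicious rename, roughly 50 seconds into the burst and well before all 12 terabytes would be touched. A detector of this shape is what turns the "unusually high disk activity" alert into something that says what is happening and which account to disable.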

Friday, 6:05 PM: The First Five Minutes

Thomas now follows the emergency plan he created a year ago with an external consultant. He has a printed copy in his desk drawer—because a digital plan on the encrypted file server is useless.

Immediate Action 1: Network Segmentation

Thomas physically disconnects the file server from the network by pulling the network cable. He does not shut down the server, because the encryption key or other forensically valuable data may still reside in RAM.

Then he checks the other servers: ERP system, domain controller, backup server. The ERP system does not appear to be affected yet. He immediately disconnects the backup server from the network as a precaution—because if the attackers have also encrypted the backups, the situation would be exponentially worse.

Immediate Action 2: Gain an Overview

Thomas opens the Active Directory console on his workstation (which still works) and checks recent sign-ins. He sees that the account of an engineer who has been on vacation for two weeks had a sign-in to the file server today at 3:30 PM. That is the likely attack vector.

He immediately disables the compromised account and simultaneously resets the passwords of all service accounts that had access to the file server.
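The check Thomas performs by hand, a sign-in by an account whose owner is on vacation, followed by the list of service accounts whose credentials may have been exposed on the file server, can be scripted so it runs in seconds rather than being reasoned out under stress. The block below is an added example, not code from the article; the sign-in records, the HR absence calendar and the service-account inventory are constructed, and in practice the sign-ins would come from the domain controller's security log export.

```python
from datetime import date, datetime

# Constructed sign-in records exported from the domain controller's security log:
# (timestamp, account, source workstation, target host). Not real log data.
SIGNINS = [
    (datetime(2024, 5, 17, 8, 2), "sales.koch", "WS-SALES03", "FS01"),
    (datetime(2024, 5, 17, 9, 15), "svc-backup", "BK01", "FS01"),
    (datetime(2024, 5, 17, 15, 30), "eng.meier", "WS-ENG07", "FS01"),  # engineer on vacation
    (datetime(2024, 5, 17, 15, 31), "eng.meier", "WS-ENG07", "DC01"),
    (datetime(2024, 5, 17, 16, 40), "hr.weber", "WS-HR01", "ERP01"),
]

# Constructed HR absence calendar: account -> (first day away, last day away).
ABSENCES = {"eng.meier": (date(2024, 5, 6), date(2024, 5, 19))}

# Constructed inventory of service accounts and the hosts they may sign in to.
SERVICE_ACCOUNT_ACCESS = {
    "svc-backup": {"BK01", "FS01"},
    "svc-erp": {"ERP01"},
    "svc-print": {"PRN01", "FS01"},
}


def signins_during_absence(signins, absences):
    """Sign-ins by accounts whose owner was recorded as absent on that day."""
    hits = []
    for ts, account, source, target in signins:
        span = absences.get(account)
        if span and span[0] <= ts.date() <= span[1]:
            hits.append((ts, account, source, target))
    return hits


def service_accounts_with_access(access_map, host):
    """Service accounts whose credentials may have been exposed on the affected host."""
    return sorted(acct for acct, hosts in access_map.items() if host in hosts)


def triage(signins, absences, access_map, affected_host):
    """Produce the containment checklist for the affected host."""
    absent = signins_during_absence(signins, absences)
    return {
        "suspicious_signins": absent,
        "accounts_to_disable": sorted({account for _, account, _, _ in absent}),
        "source_hosts_to_isolate": sorted({src for _, _, src, _ in absent}),
        "service_accounts_to_reset": service_accounts_with_access(access_map, affected_host),
    }


if __name__ == "__main__":
    result = triage(SIGNINS, ABSENCES, SERVICE_ACCOUNT_ACCESS, "FS01")
    for ts, account, source, target in result["suspicious_signins"]:
        print(f"{ts:%Y-%m-%d %H:%M} {account:<12} {source:<12} -> {target}  (owner recorded absent)")
    print("disable:", ", ".join(result["accounts_to_disable"]))
    print("isolate:", ", ".join(result["source_hosts_to_isolate"]))
    print("reset  :", ", ".join(result["service_accounts_to_reset"]))
```

The output names the account to disable, the workstation it signed in from (which belongs in the "compromised" zone, not just the file server), and the two service accounts whose passwords need resetting because they were usable on the file server. Keeping the absence calendar and service-account inventory current is what makes this check possible at 6 PM on a Friday.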

Immediate Action 3: Start Documentation

Thomas reaches for a notebook (paper, not digital) and begins logging every action with timestamps. This documentation will later be critical for forensic analysis, regulatory reports, and the insurance claim.

Friday, 6:15 PM: Escalation

Now the escalation chain begins. Thomas calls three people, in exactly this order:

Call 1: CEO Petra Muller

Thomas describes the situation in three sentences: "We have a ransomware attack. The file server is encrypted; I've disconnected it from the network. Production is not directly affected at the moment, but I can't say that with certainty yet."

Petra asks the right question: "What do you need from me?" Thomas needs two things: authorization to engage the external incident response provider (cost: EUR 15,000 and up), and a decision on whether Saturday production should run as scheduled or be halted as a precaution. Petra authorizes the service provider engagement and decides to cancel the Saturday shift until the situation is clear.

Call 2: External Incident Response Provider

Thomas had proactively signed a retainer agreement with an IR provider. That pays off now—without a contract, he would have difficulty reaching anyone on a Friday evening. The provider has a 24/7 hotline and confirms that a forensics team will be on-site Saturday morning. In the meantime, the consultant gives specific instructions over the phone: do not shut down any systems, do not delete any data, secure a RAM dump of the file server if possible, and export all log files from the firewall and domain controller to a clean USB drive.

Call 3: IT Colleagues

Thomas calls his two most experienced IT colleagues and asks them to come to the office. One takes over securing the firewall logs; the other systematically checks all remaining servers and workstations for signs of compromise.

Friday, 6:30 to 8:00 PM: Containment

The small IT team is now working under high pressure. The next ninety minutes are dedicated to containment.

Expanding Network Segmentation

Thomas and his team isolate the entire corporate network into three zones: the "compromised" zone (file server, affected workstations), the "suspicious" zone (all systems that communicated with the file server), and the "clean" zone (systems verifiably not affected, such as the isolated backup server).

The external VPN connection is immediately disabled. While this also cuts off the field sales team from access, it prevents the attackers from following up through the VPN tunnel. Wi-Fi is also shut down in case the ransomware is spreading via internal network shares.
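The three-zone split is a graph problem: the "suspicious" zone is the set of hosts that had contact with a compromised host, minus anything already verified clean. This added example (not from the article) computes the zones from a connection summary; the host names and connections are constructed, and the `hops` parameter generalizes the article's one-hop rule so that second-hand contact can be included when the investigation widens.

```python
from collections import defaultdict

# Constructed connection summary from firewall and switch logs for the last 24 hours:
# (source host, destination host). Not real data.
CONNECTIONS = [
    ("WS-ENG07", "FS01"), ("WS-ENG07", "DC01"), ("WS-SALES03", "FS01"),
    ("FS01", "PRN01"), ("FS01", "DC01"), ("ERP01", "DC01"), ("WS-HR01", "ERP01"),
    ("BK01", "FS01"),   # nightly backup pull; BK01 was isolated and verified clean
]
ALL_HOSTS = {"FS01", "DC01", "PRN01", "ERP01", "BK01",
             "WS-ENG07", "WS-SALES03", "WS-HR01", "MON01"}

# What each zone means operationally (assumed wording, matching the article's three zones).
ZONE_ACTIONS = {
    "compromised": "keep disconnected; image before any change",
    "suspicious": "keep off the network until checked for indicators",
    "clean": "may stay connected inside the clean segment",
}


def build_graph(connections):
    """Undirected adjacency: contact in either direction counts."""
    adj = defaultdict(set)
    for a, b in connections:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def classify_zones(all_hosts, connections, compromised, verified_clean=frozenset(), hops=1):
    """Split hosts into compromised / suspicious / clean.

    suspicious = every host within `hops` contacts of a compromised host that is
    neither compromised nor on the verified-clean list; clean = everything else.
    hops=1 is the article's rule (talked to the file server); hops=2 also
    pulls in hosts that only talked to a suspicious host.
    """
    adj = build_graph(connections)
    compromised = set(compromised)
    frontier, reached = set(compromised), set()
    for _ in range(hops):
        frontier = {n for h in frontier for n in adj[h]} - compromised - reached
        reached |= frontier
    suspicious = reached - set(verified_clean)
    clean = set(all_hosts) - compromised - suspicious
    return {"compromised": compromised, "suspicious": suspicious, "clean": clean}


if __name__ == "__main__":
    zones = classify_zones(ALL_HOSTS, CONNECTIONS,
                           compromised={"FS01", "WS-ENG07"}, verified_clean={"BK01"})
    for zone in ("compromised", "suspicious", "clean"):
        print(f"{zone:<12} {sorted(zones[zone])}  -> {ZONE_ACTIONS[zone]}")
```

With the file server and the engineer's workstation as seeds, the domain controller, the print server and the sales workstation land in the suspicious zone, while the ERP server (which only spoke to the domain controller) stays clean at one hop and becomes suspicious at two. That second run is the argument for checking the ERP system's integrity before reconnecting it even though it showed no symptoms.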

Verifying Backup Integrity

This is the moment of truth. Thomas starts the isolated backup server in a sandboxed environment and checks the most recent backups. The good news: the daily backups from the past week are intact. The attackers apparently did not reach the backup server—probably because it sits in a separate VLAN and is not accessible via regular domain credentials.

The less good news: the last full backup is from Thursday night. Everything worked on during Friday is lost, to the extent it resided only on the file server. Thomas notes this for the later damage assessment.

Determining the Scope of Compromise

Using the firewall logs and Active Directory logs, the team reconstructs the approximate sequence of events: the compromised engineer's account was likely hijacked via a phishing email he clicked before going on vacation. The attackers signed in with his credentials and explored the network over several days. On Friday evening, they launched the encryption.

Affected: the file server (fully encrypted), three CAD workstations (partially encrypted), and a print server (encrypted but non-critical). Not affected: the ERP system, the domain controller, the email server (Exchange Online, hosted by Microsoft), the production control system (separate network, no Windows domain), and the backup server.

Friday, 8:00 PM: Communication Begins

Technical containment is complete. Now the communication phase begins—often underestimated but equally critical as the technical measures.

Internal Communication

Petra Muller sends an email at 8:00 PM to all employees (via Exchange Online, which still works):

"Dear colleagues, this evening we detected an IT security incident affecting parts of our internal systems. Our IT team and external specialists are already working on the resolution. The Saturday shift is cancelled. Please do not turn on any company devices and do not access the corporate network via VPN until we give the all-clear. An updated status will follow on Monday. For urgent questions, you can reach Thomas Brenner at his mobile number."

The message is deliberately brief. It informs, gives specific instructions (do not turn on devices, no VPN), and avoids panic. The word "ransomware" is intentionally absent to prevent speculation and premature press contacts.

Legal Assessment

Thomas and Petra speak with the corporate attorney. Three questions need to be clarified:

First: Is Muller Maschinenbau GmbH subject to NIS2? As a supplier to the automotive industry with more than 50 employees and over EUR 10 million in annual revenue, it falls under NIS2 as an "important entity." This means: initial report to the BSI within 24 hours.

Second: Is personal data affected? The file server contains personnel files, job applications, and customer contact data. It must be assumed that the attackers exfiltrated this data before the encryption. This means: GDPR data breach notification to the data protection authority within 72 hours of becoming aware.

Third: Is there insurance coverage? Muller GmbH has a cyber insurance policy. Thomas meticulously documents all measures and costs, as the insurer requires seamless documentation.

Friday, 10:00 PM: Shift Handover and Night Plan

By 10:00 PM, the team has stabilized the situation. Thomas sets up a watch shift: one IT employee stays on-site overnight to monitor the isolated systems for further activity. The task is clearly defined: observe, document, call Thomas immediately at any anomaly. Do not independently modify any systems.

Thomas himself drives home, sets his alarm for 5:30 AM, and places his phone next to the bed. He knows Saturday will be the hardest day.

Saturday, 7:00 AM: The Forensics Team Arrives

Saturday morning, the external incident response team arrives. Two forensic analysts and a negotiation specialist. Yes, negotiation specialist—not because they intend to pay, but because communicating with the attackers is sometimes tactically useful to buy time or determine the extent of data exfiltration.

Forensic Analysis

The forensic analysts begin with a RAM dump of the still-running file server. Then they create forensic images of the affected hard drives. This work takes several hours but is indispensable—without it, neither the exact attack path nor the actual extent of data exfiltration can be determined.

In parallel, one analyst identifies the ransomware variant. It is a LockBit-family variant, obtained via an Initial Access Broker and given its own custom branding. The good news: a public decryptor exists for older versions of this variant. The bad news: this version is newer and not yet cracked.

Assessing Data Exfiltration

The forensic analysts examine the network logs from the past two weeks. They find unusual outbound data flows to an external IP address—approximately 800 gigabytes over a five-day period. This confirms the suspicion: the attackers copied data before the encryption. This is known as double extortion, where not only the encryption but also the threat of publication is used as leverage.

For Muller GmbH, this means: the probability that personal data and trade secrets are in the attackers' hands is high. This intensifies both the GDPR reporting obligation and the business consequences.

Saturday, 10:00 AM: Regulatory Reports

Petra Muller and Thomas sit down together to draft the regulatory reports.

NIS2 Initial Report to the BSI

The initial report must be filed within 24 hours of becoming aware of the incident. Since the incident was detected Friday evening at 6:00 PM, the deadline runs until Saturday evening at 6:00 PM. Thomas uses the BSI reporting portal and enters the known information: type of incident (ransomware), affected systems, suspected attack vector, countermeasures taken so far. The report does not need to be complete—it is an initial report. A more detailed follow-up report is due within 72 hours, and a final report within one month.

GDPR Report to the Data Protection Authority

Since personal data is affected and data exfiltration is probable, a report must be filed with the competent state data protection authority within 72 hours of becoming aware. The deadline runs until Monday evening at 6:00 PM. Thomas prepares the report, which must include: the nature of the breach, categories and approximate number of affected individuals, likely consequences, and remedial measures taken.
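Because the NIS2 and GDPR clocks both start at the moment of awareness and run in parallel with the technical work, it helps to derive the due times once and keep them next to the action log. This added example (not from the article) does exactly that: a timestamped incident log that also computes the reporting checklist. The 24-hour, 72-hour and 72-hour deadlines are the ones the article states; the assumption that the NIS2 final report is due one month after the follow-up report follows Art. 23 NIS2 and is marked as such in the code; the incident identifier is a placeholder.

```python
from datetime import datetime, timedelta

NIS2_INITIAL = timedelta(hours=24)          # initial report to the BSI
NIS2_FOLLOWUP = timedelta(hours=72)         # more detailed follow-up report
NIS2_FINAL_AFTER_FOLLOWUP = timedelta(days=30)   # assumption: one month, counted from the follow-up report
GDPR_NOTIFICATION = timedelta(hours=72)     # Art. 33 notification to the supervisory authority


class IncidentLog:
    """Timestamped action log plus the reporting checklist derived from the time of awareness."""

    def __init__(self, incident_id, aware_at):
        self.incident_id = incident_id
        self.aware_at = aware_at
        self.entries = []

    def record(self, ts, actor, action):
        """Append one action (the paper notebook, in digital form) and keep the log ordered."""
        self.entries.append((ts, actor, action))
        self.entries.sort(key=lambda e: e[0])

    def deadlines(self, nis2_entity=True, personal_data=False):
        """Reporting obligations as (name, due) pairs, earliest first."""
        due = []
        if nis2_entity:
            due.append(("NIS2 initial report to BSI", self.aware_at + NIS2_INITIAL))
            due.append(("NIS2 follow-up report to BSI", self.aware_at + NIS2_FOLLOWUP))
            due.append(("NIS2 final report to BSI",
                        self.aware_at + NIS2_FOLLOWUP + NIS2_FINAL_AFTER_FOLLOWUP))
        if personal_data:
            due.append(("GDPR Art. 33 notification to supervisory authority",
                        self.aware_at + GDPR_NOTIFICATION))
        return sorted(due, key=lambda d: d[1])

    def checklist(self, now, done=(), **kwargs):
        """Each obligation with its due time and a status: done, OVERDUE, or hours left."""
        rows = []
        for name, when in self.deadlines(**kwargs):
            remaining = when - now
            if name in done:
                status = "done"
            elif remaining < timedelta(0):
                status = "OVERDUE"
            else:
                status = f"{remaining.total_seconds() / 3600:.0f} h left"
            rows.append((name, when, status))
        return rows


if __name__ == "__main__":
    log = IncidentLog("INC-PLACEHOLDER", aware_at=datetime(2024, 5, 17, 18, 0))  # constructed Friday 6 PM
    log.record(datetime(2024, 5, 17, 18, 5), "T. Brenner", "file server disconnected (cable pulled)")
    log.record(datetime(2024, 5, 17, 18, 12), "T. Brenner", "compromised engineer account disabled")
    log.record(datetime(2024, 5, 17, 18, 15), "T. Brenner", "CEO informed, IR retainer activated")
    for ts, actor, action in log.entries:
        print(f"{ts:%a %H:%M}  {actor:<12} {action}")
    print()
    for name, when, status in log.checklist(datetime(2024, 5, 18, 10, 0), nis2_entity=True, personal_data=True):
        print(f"{when:%a %d.%m. %H:%M}  {status:<10} {name}")
```

For an incident detected Friday at 6 PM the checklist prints Saturday 6 PM for the NIS2 initial report and Monday 6 PM for both the NIS2 follow-up and the GDPR notification, which is exactly the pair of deadlines Thomas and Petra are working against on Saturday morning. Marking items in `done` and re-running the checklist gives the crisis team a single view of what is still open.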

Criminal Complaint

The corporate attorney recommends filing a criminal complaint with the Cybercrime Unit of the competent public prosecutor's office. This has no immediate practical impact on recovery but is relevant for the insurance claim and may aid long-term prosecution.

Saturday, 2:00 PM to Sunday: Recovery

After the forensic analysts give the green light (evidence collection is complete and the entry point is identified), recovery begins.

Recovery Sequence

The team creates a prioritization list:

  1. Domain controller (Active Directory): All passwords are reset, the Krbtgt account is rotated twice to prevent Golden Ticket attacks. Suspicious accounts are locked.

  2. ERP system: Was not directly affected but is nonetheless checked for integrity before being reconnected. The database is verified against the last known clean backup.

  3. File server: Completely rebuilt (clean OS install) and data is restored from the Thursday backup. Friday's data is lost.

  4. CAD workstations: Rebuilt via the deployment system. Local project data not stored on the file server is lost.

  5. All other systems: Print server, monitoring, additional clients are checked and rebuilt as needed in sequence.

Security Measures Before Go-Live

Before any system is allowed back on the production network, the following measures are implemented:

  • All user passwords are reset, without exception
  • Multi-factor authentication is enabled for all VPN connections and all administrator accounts (this should have been done earlier)
  • Firewall rules are tightened: outbound traffic is restricted to known services
  • The backup server receives its own access credentials separate from the domain admin
  • Network segmentation is reviewed and hardened

Sunday Evening: Test Run

Sunday evening, the team conducts a controlled test run. The ERP system is brought up; test transactions are executed. The file server is accessible again; data from the backup is consistent. The CAD workstations work; engineers can start work Monday, though they lose Friday's work.

Monday, 7:00 AM: The Restart

Monday morning, Petra Muller gathers the entire workforce in the cafeteria. She explains what happened—without technical details, but honestly and transparently:

"We had a cyberattack on Friday. Criminals encrypted parts of our data and may have copied some as well. Our IT team has been working around the clock since Friday evening, and the systems are running again. Work from Friday has been lost on some systems, but all other data could be restored. We are working with external specialists and the authorities."

Then come the concrete instructions:

  • Every employee must change their password before signing in
  • Suspicious emails from the past two weeks should be reported to IT
  • Until further notice, no USB drives may be connected to company computers
  • The VPN connection works again, but only with the new MFA method

Customer Communication

In parallel, Petra begins customer communication. Muller GmbH supplies twelve automotive tier-one suppliers, three of whom had sensitive engineering data on the file server. These three customers are called personally—not by email—and informed about the incident. The message is clear: there was an attack, the data may have been compromised, and Muller GmbH is working with forensic specialists on the full investigation. It is uncomfortable but necessary, and in many cases contractually required.

The remaining customers receive a written notification that factually describes the incident and the measures taken.

Supplier Communication

IT service providers and suppliers with network access are also informed. If the attackers captured credentials for supplier portals or partner VPNs, those connections must also be reviewed and passwords changed.

Monday Through Friday: Post-Incident Work

The acute crisis is over, but the work is far from finished. The week after the incident involves the following tasks:

GDPR Notification to Affected Individuals

The forensic analysis confirms that personnel files of 100 employees and contact data of approximately 500 customer employees were exfiltrated. Under Art. 34 GDPR, affected individuals must be notified, as there is a high risk to their rights and freedoms. Thomas and the data protection officer draft a notification letter explaining the incident, naming the types of affected data, and providing recommendations (change passwords, watch for phishing, check credit card statements).

NIS2 Follow-Up Report

Within 72 hours of the initial report, Thomas submits the follow-up report to the BSI, which is now significantly more detailed: attack vector (phishing, compromised account), ransomware variant, extent of data exfiltration, countermeasures taken, and current restoration status.

Insurance Claim

The cyber insurer is informed with the complete damage report. The damage consists of: costs for the IR provider (approx. EUR 25,000), overtime and weekend work costs for the IT team, production downtime on Saturday (revenue loss approx. EUR 40,000), lost working time from Friday's data, and costs for accelerated security measures (MFA rollout, firewall upgrade). Thomas estimates the total damage at approximately EUR 120,000 to 180,000, depending on the follow-on costs of the data exfiltration.

Weeks 2 to 4: Lessons Learned

Two weeks after the incident, the entire incident response team sits down for a structured lessons-learned workshop. Not to assign blame, but to systematically analyze what worked and what did not.

What Worked?

  • The printed emergency plan was available and structured the first minutes
  • Network segmentation prevented the production control system from being affected
  • The retainer with the IR provider reduced response time to under 12 hours
  • Backup integrity was confirmed; the restore worked
  • The CEO's communication was clear and prevented panic

What Did Not Work?

  • The compromised account had no MFA, even though it had been planned for months
  • The last restore test was eight months old—too risky
  • Network segmentation between the file server and the backup server existed, but the backup server was still reachable over an SMB share protected only by a different password. That could easily have gone wrong
  • There was no pre-prepared communication plan for customers; everything had to be drafted under time pressure
  • IT staffing on Friday evening was too thin. An on-call rotation would have accelerated detection

Action Plan

The workshop produces a concrete action plan:

Measure                                                  Priority   Deadline      Responsible
Roll out MFA for all users                               Critical   4 weeks       IT management
Introduce monthly restore tests                          High       Immediately   IT operations
Move backup server to its own VLAN with separate admin   High       2 weeks       IT management
Create communication templates for crisis situations     High       6 weeks       CEO + Marketing
Establish IT on-call rotation                            Medium     8 weeks       IT management
Security awareness training for all employees            High       6 weeks       IT + HR
Conduct phishing simulation                              Medium     8 weeks       IT management
Improve network monitoring with anomaly detection        Medium     12 weeks      IT operations

What This Case Teaches

Muller Maschinenbau GmbH was fortunate in their misfortune. The backups were intact, the production control system was not affected, and the team acted correctly in the first minutes. Still, the costs were considerable, the stress immense, and business relationships temporarily strained.

The central lessons from this scenario can be summarized in five points:

Preparation beats improvisation. The printed emergency plan, the retainer with the IR provider, and the existing network segmentation made the difference. Without that preparation, Thomas would have started from zero on Friday evening.

The first hour is decisive. Disconnect the network, secure evidence, activate the crisis team. These three steps must be second nature—no deliberation, no debate. Practice them regularly in tabletop exercises. Tools like ISMS Lite support you in documenting emergency plans, incident data, and reporting deadlines so you can act in a structured and timely manner in an emergency.

Communication is not an afterthought. Anyone without pre-prepared communication templates writes under time pressure. That leads to mistakes, misunderstandings, and loss of trust. Prepare the texts while you have the calm to do so.

Reporting obligations run in parallel. NIS2 (24 hours), GDPR (72 hours), criminal complaint, insurance, customers. All of this happens simultaneously with the technical recovery. Without clear responsibilities and checklists, something will fall through the cracks.

Backups are only as good as their last test. Muller GmbH had working backups, but that was more luck than planning. An eight-month-old restore test is not proof of confidence—it is a risk. Test monthly, document the results, and secure the backup server as if it were your most valuable asset—because it is.

Ransomware does not only hit large corporations. It hits machinery manufacturers, skilled trades businesses, medical practices, and accounting firms. The difference between an incident resolved in two days and one that shuts down the company for weeks lies not in the technology but in the preparation.
