{
	"id": "98b8faa6-9c94-4a3e-bb79-2c3fb6bf6e65",
	"created_at": "2026-04-06T00:22:22.47578Z",
	"updated_at": "2026-04-10T03:21:23.098745Z",
	"deleted_at": null,
	"sha1_hash": "88df2e82fadee8f2df829cbdfd49edfe33304719",
	"title": "How a Manufacturing Firm Recovered from a Devastating Ransomware Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 125853,
	"plain_text": "How a Manufacturing Firm Recovered from a Devastating\r\nRansomware Attack\r\nBy Kelly Jackson Higgins\r\nPublished: 2019-05-20 · Archived: 2026-04-05 13:05:23 UTC\r\nThe tiny IT team at C.E. Niehoff \u0026 Co. had been working for two weeks to run down and clean up a malware\r\ninfection that had infiltrated its network after an employee clicked on a URL in a phishing email. Unbeknownst to\r\nthe company as it scrambled to quell the attack, the malware, which was later identified as Trickbot, was quietly\r\nspreading among its endpoints and servers, gathering intel about the manufacturing firm and stealing credentials\r\nfrom the compromised machines.\r\nIt wasn't until the morning of Sunday, Oct. 14, when C.E. Niehoff IT manager Kelvin Larrue logged into the\r\ncompany's network from home, that it became clear to the company that the attack was something much more\r\nserious than a bot infection. A stunned Larrue could see that an intruder was running a PowerShell session on one\r\nof the company's servers, moving from server to server with stolen credentials and disabling security tools.\r\n\"I could see what he was actually doing. I knew we were in real trouble and someone was in our system,\" Larrue\r\nrecalls. \"They literally had the keys to the kingdom.\"\r\nLarrue jumped into his car and drove the 20-minute route to the data center on the company's campus in Evanston,\r\nIll., which houses its corporate headquarters and the manufacturing plant where it builds heavy-duty alternators\r\nfor government and emergency vehicles. Racing to shut down the network in order to shut out the attacker, Larrue\r\nand his team pulled the plug in hopes of preventing the attacker from getting any deeper into the network, but it\r\nwas too late.\r\n\"By that time, the perpetrator had done extensive damage to our network,\" he says. 
The attacker had begun\r\ndropping ransomware: \"He had started routines to encrypt files on all of the servers and any workstations he\r\nhappened to be on at that point,\" Larrue says.\r\nWhat Larrue was witnessing firsthand, he later learned, was a Ryuk ransomware attack on his company. Ryuk is\r\npart of the recent generation of ransomware variants that is typically used for custom and targeted attacks on\r\nbigger and potentially more financially lucrative targets. According to Check Point Security, which has studied\r\nRyuk and its attack methods, Ryuk's authors built it with an encryption scheme that targets critical resources and\r\nassets in a victim's network; for maximum impact, its payload is released manually by the attackers once they\r\nhave the intel and stolen credentials they need.\r\n\"When [Ryuk attackers] infect a new victim, they can stay for a while to observe the network ... and see if the\r\ninfected machine or network is interesting,\" explains Itay Cohen, a security researcher with Check Point who\r\ntracks Ryuk. \"They do not automatically drop Ryuk; they drop it manually\" if they decide it's a useful target.\r\nThat's a departure from earlier ransomware attack campaigns that were more random and automated, he says.\r\nhttps://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760\r\nPage 1 of 4\n\nRyuk has claimed several high-profile victims since the fall of 2018, including newspapers such as the Chicago\r\nTribune and the Los Angeles Times; the city of Stuart, Fla.; and Onslow Water and Sewer Authority, which was hit\r\nwith a ransomware attack in October 2018, around the same time frame as C.E. 
Niehoff.\r\nRyuk and other ransomware, such as GandCrab and LockerGoga, which crippled Norwegian aluminum\r\nmanufacturer Norsk Hydro, are all about targeting what CrowdStrike calls \"big game,\" or large organizations\r\ntheoretically able to pay a higher ransom than randomly infected consumers or small organizations.  \r\nLarrue says C.E. Niehoff believes the malicious URL in the phishing email that dropped Trickbot was the first\r\nphase of its attack and where the intel-gathering and credential-stealing occurred. In some Ryuk attacks on other\r\nvictims, the gang has used Emotet as the bot and Trickbot as the intel- and credential-stealer in advance of\r\ndropping Ryuk and locking down the victims' machines.\r\n\"What was happening behind the scenes was that Trickbot got in and set up the whole command-and-control\r\nthing, and we later found out what was actually going on. They siphoned off credentials, set up the C2, and then\r\nwe got hit with the big one,\" the Ryuk ransomware, Larrue explains.\r\nWhile he and his team were \"chasing our tails\" trying to quell the infection's spread, the attackers had set up a\r\nreverse-shell attack, he says, possibly exploiting an unpatched vulnerability in Java. The company's Vipre anti-malware tools didn't recognize or catch the variant.\r\nWith the stolen credentials, the Ryuk attackers then set up Remote Desktop Protocol (RDP) connections to the\r\nnetwork and, via the PowerShell commands, set off the Ryuk ransomware payload, server by server, he says.\r\nBut what Larrue and his team didn't realize at the time was that unplugging machines from the network actually\r\nexacerbated the attack: The Ryuk attackers apparently had set the attack to corrupt the firmware of the infected\r\nmachines if the ransomware's encryption process was disrupted. 
Larrue and his team of three IT staffers had not\r\nseen the ransom note warning them not to shut down or risk their systems getting corrupted when they frantically\r\ndid the shutdown; they finally got a look at the message in the wake of the response.\r\n\"They were expecting us to come in Monday morning [to the ransom message],\" he says. \"They didn't expect us\r\non Sunday.\"\r\nUnplugging the machines \"was a mistake on my part,\" Larrue adds. \"Part of the encryption scheme ... was if we\r\ndid pull the plug, something would corrupt the firmware on all the servers,\" including the manufacturing firm's\r\nemail and ERP servers.\r\n\"At that point it was totally lost. Even if we wanted to pay ransom, we couldn't,\" he recalls.\r\nIt turned out the ransom note had warned that only the attackers could help decrypt the files, and that resetting or\r\nshutting down systems could damage the files. It didn't include a ransom fee, but instead instructions on how to\r\nproceed in working with the attackers to get the files decrypted.\r\n\"I've had bad days in my life, but I've never had one like that,\" Larrue says. \"I had the weight of the world bearing\r\ndown on me.\" \r\n\r\nPaper and Pen\r\nC.E. Niehoff is a relatively small, privately held manufacturing firm, with 400 employees and a three-person IT\r\ndepartment that also works on security issues. Its customers include the US military, which uses its industrial\r\nalternators for vehicles, for instance. One of the first worries in the wake of the attack was the loss of its ERP\r\nmanufacturing server to the Ryuk attack.\r\nThe good news was the attackers hadn't stolen any customer or sensitive information, but the bad news was the\r\nmanufacturing process had to rely on paper and existing orders to keep the shop floor open. 
\"We had enough\r\npaperwork to keep the manufacturing floor running on jobs already issued,\" Larrue says. \"The ERP system\r\nprovides information to execute on the shop floor, but we can still produce without it. Production didn't come to a\r\ngrinding halt.\"\r\nBut \"we couldn't see too far into the future\" until the ERP system was back online, he recalls.\r\nBy some stroke of luck, the company's human resources and payroll server wasn't infected with ransomware.\r\nNeither were its two backup appliances, although there were signs the attackers had tried to encrypt the Arcserve\r\n8200 Series devices but had failed for some unknown reason. One appliance sat in Building A, and the other in\r\nBuilding B, on the campus, and both were set to run a data backup rotation and handle file compression for terabytes of\r\nthe firm's data.\r\n\"So this was more or less all we had,\" as well as some older backup tapes that only contained data for the past four\r\nyears, Larrue says.\r\nAnd C.E. Niehoff had not actually set up the appliances for full system recovery yet — the devices were relatively\r\nnew — so Larrue had to get help from an Arcserve engineer/technician to restore the backups to the new\r\ncomputers, which the manufacturing firm had to quickly purchase to replace the compromised systems. A couple\r\nof the systems that had been configured for bare-metal restoration were back online quickly, he recalls, but there\r\nwere challenges with several other systems that had not been configured for full restoration.\r\n\"We had to more or less rebuild the machine,\" which took longer to restore, he says.\r\nOne way to keep backup systems safe from ransomware attacks is to keep them on a separate domain, advises\r\nGary Sussman, the Arcserve engineer who helped Larrue restore the manufacturing company's systems. He also\r\nrecommends setting them with strong credentials and ensuring that hardware encryption \"is turned on.\"\r\nIn all, it took C.E. 
Niehoff two-and-a-half weeks to get all of its systems fully back up and running, starting with its\r\nemail server.\r\nLarrue says the company has since added additional layers of security and is working on beefing up redundancy in\r\nits systems and storage, including some cloud-based storage. Ransomware threats are the new normal.\r\n\"The lessons learned here is this is an ongoing campaign and it's not going to stop,\" he says of the threat of\r\nransomware attacks.\r\n\r\nAbout the Author\r\nEditor-in-Chief, Dark Reading\r\nKelly Jackson Higgins is the Editor-in-Chief of Dark Reading and VP, cybersecurity editorial at Informa\r\nTechTarget, where she leads editorial strategy for the company's three cybersecurity media brands: Dark Reading,\r\nSearchSecurity and Cybersecurity Dive. She is an award-winning veteran technology and business journalist with\r\nthree decades of experience in reporting and editing for various technology and business publications and major\r\nmedia properties. Jackson Higgins was selected three consecutive times as one of the Top 10 Cybersecurity\r\nJournalists in the U.S., and was named as one of Folio's 2019 Top Women in Media. She has been with Dark\r\nReading since its launch in 2006.\r\nSource: https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760"
	],
	"report_names": [
		"1334760"
	],
	"threat_actors": [],
	"ts_created_at": 1775434942,
	"ts_updated_at": 1775791283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88df2e82fadee8f2df829cbdfd49edfe33304719.pdf",
		"text": "https://archive.orkl.eu/88df2e82fadee8f2df829cbdfd49edfe33304719.txt",
		"img": "https://archive.orkl.eu/88df2e82fadee8f2df829cbdfd49edfe33304719.jpg"
	}
}