Situation overview
Imagine a business at the heart of the UK’s retail ecosystem, providing the systems that underpin food safety and employee wellbeing across thousands of sites. This multinational, trusted to process and protect sensitive medical and personal information, suddenly faces a high-stakes ransomware attack: all servers and endpoints are down, and the integrity of the entire supply chain, including industrial refrigeration, lighting and other critical systems, is now at risk. Compounding the crisis, the possibility of leaked confidential health data threatens the company’s reputation and compliance standing.
Strategic response: partnership in action
Recognising the critical business implications, from regulatory repercussions to brand trust and operational continuity, the company immediately engaged Quorum Cyber and legal breach counsel. The mission: to contain the threat, discover what had happened and enable secure, rapid recovery.
Key business objectives
- Rapidly identify and close the entry point to contain financial and reputational damage
- Confirm whether customer and medical data was accessed or exfiltrated, limiting legal and regulatory exposure
- Verify that industrial control systems, essential to every supermarket’s operations, remained uncompromised
- Restore business operations with minimal downtime
Execution and assurance
Fast-tracked digital forensics & monitoring
Quorum Cyber deployed advanced remote forensic tools to swiftly gather time-critical evidence from operational systems, while working offline with preserved disk images from affected devices. Within hours, the organisation was onboarded into Quorum Cyber’s Security Operations Centre (SOC). Industry-leading protections, Microsoft Defender and Microsoft Sentinel, were rapidly deployed, enabling round-the-clock vigilance.
Uncovering the attacker’s playbook
Our experienced team of cyber investigators traced the blueprint of the attack and discovered:
- Initial Access: The attackers gained entry by exploiting leaked credentials and abusing VPN access, bypassing perimeter security with legitimate-looking logins.
- Lateral Movement & Privilege Escalation: Once inside, they methodically navigated the environment, escalating privileges and probing connected systems to maximise their reach.
- Domain Trust Exploitation: Leveraging established trust relationships between global business units, the threat actors moved seamlessly from one region to another, demonstrating a deep understanding of the organisation’s infrastructure.
- Stealth and Persistence: For nearly two months, the attackers operated undetected, carefully gathering intelligence, exfiltrating sensitive data, and setting the stage for their ransomware deployment.
- Orchestrated Ransomware Detonation: Only after ensuring maximum impact did they trigger the ransomware, effectively disrupting operations at the most vulnerable moment.
By dissecting each stage, we not only restored business functionality but also provided actionable insights to harden defences against future threats.
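The initial access described above relied on valid, leaked credentials over the VPN, so the logins looked legitimate and perimeter controls let them through. What still distinguishes such logins is that they break the user's own pattern: a country the account has never connected from, two successful logins from different countries closer together than travel allows, or activity in the small hours. The following script is an added illustration of that detection logic, not Quorum Cyber's tooling and not the incident's real logs; it assumes a simple space-separated VPN authentication log (timestamp, user, source IP, country, result) and runs over a constructed sample using documentation IP ranges and invented usernames. In a Sentinel deployment the same rules would be written as KQL analytics rules over the VPN connector's table, but the logic is identical.

```python
"""Flag VPN logins that succeed with valid credentials but break the user's own baseline.

Added example (not the page's or Quorum Cyber's code). Assumed log format per line:
    <ISO-8601 UTC timestamp> <username> <source IP> <ISO country code> <success|failure>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: RFC 5737 documentation IPs and invented users, not real incident data.
SAMPLE_VPN_LOG = """\
2024-03-01T08:02:11Z jsmith 203.0.113.10 GB success
2024-03-01T08:15:40Z afox 198.51.100.22 GB success
2024-03-02T09:01:03Z jsmith 203.0.113.10 GB success
2024-03-03T09:04:55Z jsmith 203.0.113.11 GB success
2024-03-04T02:47:19Z jsmith 192.0.2.77 RO success
2024-03-04T07:58:30Z afox 198.51.100.22 GB success
2024-03-04T08:20:12Z afox 192.0.2.78 RO failure
2024-03-04T08:21:09Z afox 192.0.2.78 RO success
"""

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
OFF_HOURS = range(0, 6)  # 00:00-05:59 UTC; an assumed business-hours baseline, tune per site


def parse_vpn_log(text):
    """Parse the assumed log format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({
            "time": datetime.strptime(ts, TIME_FMT),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return sorted(events, key=lambda e: e["time"])


def analyse_vpn_log(text, travel_window=timedelta(hours=2)):
    """Return a list of alerts; each is {user, time, rule, detail}.

    Rules (evaluated in this order for every successful login):
      new_country       - country not in the countries this user has logged in from before
      impossible_travel - previous success from a different country within travel_window
      off_hours         - login hour falls inside OFF_HOURS
    Only successes build the baseline; failures are ignored here.
    """
    alerts = []
    known_countries = defaultdict(set)  # user -> countries seen in successful logins
    last_success = {}                   # user -> most recent successful event

    for ev in parse_vpn_log(text):
        if ev["result"] != "success":
            continue
        user, country, when = ev["user"], ev["country"], ev["time"]

        def alert(rule, detail):
            alerts.append({"user": user, "time": when.strftime(TIME_FMT),
                           "rule": rule, "detail": detail})

        if known_countries[user] and country not in known_countries[user]:
            alert("new_country",
                  f"{country} not in baseline {sorted(known_countries[user])}")

        prev = last_success.get(user)
        if prev and prev["country"] != country and when - prev["time"] <= travel_window:
            gap = when - prev["time"]
            alert("impossible_travel",
                  f"{prev['country']} -> {country} in {gap} (window {travel_window})")

        if when.hour in OFF_HOURS:
            alert("off_hours", f"login at {when.strftime('%H:%M')} UTC from {ev['ip']}")

        known_countries[user].add(country)
        last_success[user] = ev
    return alerts


if __name__ == "__main__":
    for a in analyse_vpn_log(SAMPLE_VPN_LOG):
        print(f"{a['time']} {a['user']:<8} {a['rule']:<18} {a['detail']}")
```

Run against the sample, the script raises four alerts: jsmith's 02:47 login from RO is both a new country and off-hours, and afox's 08:21 login from RO is a new country 23 minutes after a success from GB. The first few days of each user's history produce nothing, which is the point: the rules need a baseline before they can flag deviation, so in practice the lookback window should be long enough to cover normal travel for the user population.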
Business continuity for the supply chain
Recognising that industrial refrigeration and logistics directly affect food security, Quorum Cyber undertook forensic analysis of over 700 industrial control systems (ICS) endpoints. After exhaustive examination, we were able to certify, in a formal attestation, the safety of these critical environments, allowing our client to assure partners and regulators that food supplies were never at risk.
Protecting customer confidence
Intensive analysis of servers containing sensitive data assured leadership that, although exfiltration had been attempted, there was no evidence of large-scale exfiltration from key databases. This enabled fast, transparent communication with stakeholders and regulatory bodies, preserving trust and mitigating legal exposure.
Lessons in leadership and resilience
Throughout the crisis, Quorum Cyber operated as a proactive advisor, delivering real-time tactical guidance and sharing up-to-the-minute attacker Indicators of Compromise. With our recommendations, the company not only remediated the breach, but emerged with enhanced security posture and renewed confidence from its leadership, partners, and customers.
The takeaways
- Preparation and Partnership Matter: Rapid engagement with trusted cyber security and legal experts can fundamentally change outcomes in a crisis.
- Business-Critical Infrastructure is a Prime Target: Safeguarding industrial systems must be an executive priority, as the downstream impact extends to supply chains and public wellbeing.
- Resilience is a Competitive Advantage: The ability to respond decisively, communicate transparently and recover securely turns a crisis into an opportunity to demonstrate leadership.