Restoring Operations for a 90-Vehicle Haulier After Ransomware

Business challenge

A regional haulier woke up to encrypted dispatch and finance systems. Drivers were stranded, customers were calling, and the leadership team had no plan.

Operational risk

Encrypted dispatch and finance systems on a Friday evening, with no offline backups and no rehearsed incident plan. Drivers were due on shift in nine hours.

Potential impact

Without a controlled response the operator faced a full weekend of missed retailer drops, six-figure SLA penalty exposure, a probable cyber insurance refusal and the realistic loss of two major retail accounts that take years to win back.

Approach

We took on incident command within two hours. Isolated affected systems, validated clean backups, stood up an offline dispatch process on paper, and led customer communications.

Actions taken

• Took on incident command within two hours and isolated affected systems without powering them down to preserve forensic evidence
• Validated that one set of cloud backups was untouched and stood up an offline paper-based dispatch process for the Saturday morning shift
• Led customer communications using pre-written templates, calling the top ten accounts before they called us
• Rebuilt the environment into a hardened tenant with MFA, segmentation and immutable backups before any production data was restored
• Documented every decision with timestamps for the insurer and the ICO notification

Outcome achieved

Core dispatch was back within 48 hours with zero ransom paid. We rebuilt the environment with segmentation, MFA on every account, and a written incident playbook the team has used twice since.

Lessons learned

• Offline or immutable backups are non-negotiable for any operator that cannot afford a 48 hour outage
• A pre-written customer comms template, ready to send, is worth more than any technical control in the first six hours
• Cyber insurance only pays if the controls promised at renewal are genuinely in place at the moment of the incident