How We Helped a UK Haulage Company Recover From a Ransomware Attack in 72 Hours
By Daniel Agyemang Prempeh, Founder, DefendVista
Last reviewed:
Executive summary
A 75 vehicle UK haulage company called DefendVista on a Friday evening after their Transport Management System, planning spreadsheets and shared drives were encrypted by ransomware. Drivers were already heading into a weekend run with no electronic PODs and no visibility of customer instructions. We took the call at 19:42, had a containment team online within the hour, and brought core dispatch back up by Monday morning. Three weeks later the operation was running on a hardened environment with an immutable backup chain, EDR on every endpoint, segmented operational and corporate networks, and a tested incident response plan owned by the operations director rather than the IT provider.
Who the business was
Sector: Road haulage and palletised distribution
Fleet: 75 HGVs across two depots in the Midlands and North West
Employees: 92 staff including drivers, traffic office, warehouse and finance
Annual turnover: £14m, primarily contract work for FMCG and building products customers
Key systems: TMS, telematics portal, electronic POD app, Sage 50 accounting, Microsoft 365
IT support: Outsourced break/fix MSP, two part time internal champions
The starting point
The business had grown from 30 to 75 vehicles in four years, mostly on the back of a single contract win with a national FMCG brand. That contract demanded electronic proof of delivery, live ETA updates and a service level agreement with financial penalties for missed delivery windows.
Like most hauliers of this size, the company ran a Windows file server in the back office, an on premises TMS database, and a mix of company laptops, personal phones and depot terminals. Their MSP looked after patching for the servers when there was a problem ticket. Cyber security was not in scope of the MSP contract.
Backups were running nightly to a NAS in the same server cupboard. There was no offsite or immutable copy. Nobody had ever tried to restore the TMS from a backup. Nobody had a written incident response plan.
What went wrong
On a Friday at around 18:30, the traffic manager noticed planning spreadsheets opening as gibberish. Within minutes the TMS would not load. The MSP was called and advised a server reboot. By the time the on call director arrived at the depot at 19:30, every Windows machine on the network was showing a ransom note demanding £180,000 in Bitcoin.
The attacker had also encrypted the NAS used for backups, deleted the volume shadow copies, and left a note threatening to publish stolen driver and customer data unless the ransom was paid within 72 hours.
The traffic office was already trying to plan Monday morning loads by hand from printed sheets and memory. Drivers were calling in for run sheets that nobody could produce.
What was at stake
- £610k direct revenue at risk: lost margin and contractual penalties forecast over a four week disruption scenario if systems could not be restored.
- 60+ vehicles standing: the number of HGVs likely to be parked by Monday lunchtime without a working TMS and dispatch process.
- £25k insurance excess exposure: the self insured retention on the cyber policy before the insurer would contribute to forensic and recovery costs.
- 12 years of data at risk: the volume of driver records, customer pricing files and operational data sitting on the encrypted estate.
What would have happened if nothing changed
- Permanent loss of the FMCG contract, which represented around 40 per cent of revenue and was already under pressure from a recent tender.
- ICO investigation and potential UK GDPR enforcement following theft of driver records and customer data, including identifiable personal information.
- Cyber insurance dispute if the insurer concluded that the lack of MFA, EDR and tested backups breached policy warranties.
- Repeat attack within weeks. The vast majority of ransomware victims who do not address root cause are attacked again, often by the same group selling access on.
- Public disclosure of stolen data. The attackers operated a leak site and had already named other UK SMEs in the previous month.
Worried this could be your business?
Book a free 30 minute consultation with a UK cybersecurity specialist who understands transport and logistics. No sales pressure, just a frank conversation about your exposure.
What the forensics showed
- Initial access was a credential stuffing attack against the customer portal, then lateral movement using a service account with the password ‘Welcome2022!’ that had not been changed since installation.
- No multi factor authentication on Microsoft 365, the TMS admin console or VPN. Two finance accounts had been quietly logged into from IP addresses in Eastern Europe for around eleven days before the ransomware was deployed.
- Backups had been compromised because the NAS was joined to the same Active Directory and the attackers had Domain Admin within four hours of initial access.
- No endpoint detection and response. The legacy anti virus on the file server had not received signature updates for 47 days.
- Around 38GB of data, including driver licences, vehicle compliance documents and a customer pricing spreadsheet, had been exfiltrated to a cloud storage account in the days before encryption.
What we did in the first 24 hours
1. Containment within 90 minutes. Pulled the affected sites off the internet, force expired every Microsoft 365 account, revoked all active sessions and disabled the compromised service account. Isolated unencrypted laptops and depot terminals so they could be reused for emergency dispatch.
2. Stand up a clean control plane. Built a clean Windows administrator workstation off the network to use for the recovery work, with our team operating side by side with the client's MSP. All recovery actions were logged in a single timeline that later supported the insurance and ICO conversations.
3. Emergency dispatch on paper plus mobile. Helped the operations director set up an interim dispatch process using printed manifests, WhatsApp groups for drivers and a shared spreadsheet on a clean Microsoft 365 tenant we provisioned within four hours so deliveries could continue on Monday.
4. Forensic preservation. Captured forensic images of two encrypted servers and the compromised finance laptops before any restore activity, in line with insurer requirements and to support potential law enforcement reporting to Action Fraud and the National Crime Agency.
5. Stakeholder communications. Drafted holding statements for the FMCG customer, the wider customer base and staff. Briefed the directors on what they could and could not say, and prepared the ICO notification within the 72 hour window.
How we got the business back on its feet
1. Restore the TMS from the cleanest available copy. Recovered the TMS database from a 36 hour old export that the software vendor had taken for an unrelated upgrade. Verified the export against forensic timelines before bringing it online in a segmented recovery network.
2. Rebuild Active Directory. Rather than attempting to clean the existing domain, we rebuilt Active Directory in parallel, migrating only verified clean users with new passwords and enforced multi factor authentication from day one.
3. Reimage every endpoint. Wiped and rebuilt every Windows laptop and depot terminal from clean images. Deployed managed EDR before any user logged in. No old endpoint was allowed back onto the new network.
4. Bring services back in priority order. Dispatch and electronic POD first, then finance, then HR, then less critical systems. Each service was tested by an operations user before sign off, against a written acceptance checklist.
5. Threat hunt and confirm eviction. Reviewed 30 days of email, identity and endpoint logs in the rebuilt environment to confirm no persistence mechanisms had survived the rebuild. Closed off the leaked credentials at the customer portal.
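The forensic finding above (two finance accounts used from unfamiliar IP addresses for around eleven days before encryption) and the 30 day log review in the threat hunt step both come down to the same question: which accounts signed in successfully from places they had never signed in from before, for how long, and without MFA. The following is an added example, not DefendVista's or the client's code, that runs that review over a small constructed set of Entra ID style sign-in events. The field names follow the Microsoft Entra sign-in log schema (userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion, status.errorCode, authenticationRequirement); the account names, the TEST-NET IP addresses, the placeholder country code "XX" and every event and timestamp are constructed for the example.

```python
"""Threat hunt over Entra ID style sign-in logs: accounts quietly used from
countries outside their own baseline, the dwell time before encryption, and
whether MFA was ever satisfied.

Added example, not DefendVista's or the client's code. Field names follow the
Microsoft Entra sign-in log schema; the accounts, IP addresses (TEST-NET ranges),
the placeholder country code "XX" and all events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone


def parse_ts(value):
    """Entra timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def event(upn, when, ip, country, ok=True, mfa=False):
    """Build one constructed sign-in event in the Entra shape."""
    return {
        "userPrincipalName": upn,
        "createdDateTime": when,
        "ipAddress": ip,
        "location": {"countryOrRegion": country},
        "status": {"errorCode": 0 if ok else 50126},  # 50126 = invalid username or password
        "authenticationRequirement": "multiFactorAuthentication" if mfa else "singleFactorAuthentication",
    }


# Constructed sample: a baseline period of normal UK office sign-ins, then a hunt
# window in which two finance accounts are reused from an unfamiliar country.
SAMPLE_EVENTS = [
    event("finance1@example.test", "2024-02-12T08:05:00Z", "198.51.100.5", "GB"),
    event("finance2@example.test", "2024-02-15T08:11:00Z", "198.51.100.5", "GB"),
    event("ops1@example.test", "2024-02-20T06:30:00Z", "198.51.100.5", "GB"),
    event("finance2@example.test", "2024-03-03T22:41:00Z", "203.0.113.10", "XX", ok=False),  # failed guess
    event("finance1@example.test", "2024-03-04T09:15:00Z", "203.0.113.10", "XX"),
    event("finance2@example.test", "2024-03-06T07:40:00Z", "203.0.113.10", "XX"),
    event("finance1@example.test", "2024-03-09T21:02:00Z", "203.0.113.11", "XX"),
    event("ops1@example.test", "2024-03-10T06:31:00Z", "198.51.100.5", "GB"),  # normal
    event("ops2@example.test", "2024-03-11T07:00:00Z", "198.51.100.5", "GB"),  # account with no baseline
    event("finance1@example.test", "2024-03-12T08:00:00Z", "198.51.100.5", "GB", mfa=True),  # legitimate
]
BASELINE_END = parse_ts("2024-03-01T00:00:00Z")
ENCRYPTION_TIME = parse_ts("2024-03-15T18:30:00Z")  # constructed: when the ransom notes appeared


def build_baseline(events, baseline_end):
    """Countries each account successfully signed in from before the hunt window."""
    baseline = defaultdict(set)
    for e in events:
        if e["status"]["errorCode"] == 0 and parse_ts(e["createdDateTime"]) < baseline_end:
            baseline[e["userPrincipalName"]].add(e["location"]["countryOrRegion"])
    return baseline


def hunt_foreign_signins(events, baseline_end, encryption_time):
    """Flag successful sign-ins in the hunt window from countries outside each
    account's baseline. Accounts with no baseline at all are flagged too, marked
    no_baseline, because a hunt should surface them rather than silently pass them."""
    baseline = build_baseline(events, baseline_end)
    findings = {}
    for e in sorted(events, key=lambda x: x["createdDateTime"]):
        if e["status"]["errorCode"] != 0:
            continue  # failed attempts are noise for this question
        ts = parse_ts(e["createdDateTime"])
        if ts < baseline_end or ts > encryption_time:
            continue
        upn = e["userPrincipalName"]
        country = e["location"]["countryOrRegion"]
        known = baseline.get(upn, set())
        if country in known:
            continue
        f = findings.setdefault(upn, {
            "first_seen": ts, "countries": set(), "ips": set(),
            "sign_ins": 0, "single_factor": 0, "no_baseline": not known,
        })
        f["countries"].add(country)
        f["ips"].add(e["ipAddress"])
        f["sign_ins"] += 1
        if e["authenticationRequirement"] == "singleFactorAuthentication":
            f["single_factor"] += 1
    for f in findings.values():
        f["dwell_days"] = (encryption_time - f["first_seen"]).days
    return findings


def shared_ips(findings):
    """IPs that touched more than one flagged account: one operator, several mailboxes."""
    by_ip = defaultdict(set)
    for upn, f in findings.items():
        for ip in f["ips"]:
            by_ip[ip].add(upn)
    return {ip: upns for ip, upns in by_ip.items() if len(upns) > 1}


if __name__ == "__main__":
    results = hunt_foreign_signins(SAMPLE_EVENTS, BASELINE_END, ENCRYPTION_TIME)
    for upn, f in results.items():
        print(f"{upn}: {f['sign_ins']} sign-ins from {sorted(f['countries'])}, "
              f"{f['single_factor']} without MFA, first seen {f['first_seen']:%Y-%m-%d}, "
              f"dwell {f['dwell_days']} days, no baseline: {f['no_baseline']}")
    for ip, upns in shared_ips(results).items():
        print(f"shared source {ip}: {sorted(upns)}")
```

On the constructed sample the two finance accounts surface with eleven and nine days of dwell and a shared source address, while the ops account that signed in from its usual country is not reported. In a real review the baseline period should be long enough to cover travel and home working, and the same pass is worth repeating on the rebuilt tenant to confirm nothing from the old estate has followed the migrated users across.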
What we built so it could not happen again
- Immutable cloud backups with 30 day retention, independently authenticated and never joined to Active Directory.
- Microsoft 365 hardened to a Cyber Essentials Plus aligned baseline, including MFA, conditional access, restricted legacy authentication and audited admin roles.
- Managed EDR rolled out to every endpoint and server, monitored by DefendVista with 24/7 alerting.
- Network segmentation between the corporate domain and the operational telematics and TMS environments, with a documented joiner, mover, leaver process.
- Quarterly tabletop exercises with the operations director and traffic office, rotating through ransomware, supplier compromise and invoice fraud scenarios.
- A written incident response plan owned by the operations director, not the MSP, with a one page decision tree pinned in the traffic office and on every depot wall.
Measurable results
- 62 hours: time to restore dispatch
- £0: ransom paid
- 100%: vehicles back on the road by Monday PM
- 0: customer contracts lost
- Paid in full: cyber insurance claim outcome
- 0: repeat incidents in the 18 months since
The client did not pay the ransom. They restored operations within 72 hours of the initial call, kept the FMCG contract, and successfully claimed against their cyber insurance. The ICO accepted the breach notification and closed the case with no enforcement action after reviewing the documented containment, communications and remediation work. Eighteen months on, the business has grown to 88 vehicles, holds Cyber Essentials Plus, and uses its incident as a credible differentiator in tender responses.
What other operators should take from this
Backups joined to your domain are not backups
If a backup target trusts the same credentials that ransomware will steal, it will be encrypted alongside everything else. Immutable, identity isolated backups are the single highest impact control for a haulier.
MFA on email is not optional any more
Both compromised finance accounts could have been blocked by basic Microsoft 365 MFA. The cost of enabling it is essentially zero. The cost of not enabling it nearly closed the business.
Operations needs to own the IR plan
When the TMS is down, the operations director is making the calls, not the MSP. The IR plan has to live in their world and use their language, or it will not be used.
The recovery is the cheap bit
Most of the cost of a haulage ransomware incident is lost margin, contractual penalties and customer churn, not the ransom. A 24 hour faster recovery is worth far more than any individual security tool.
Document everything from minute one
The insurer paid this claim in full because every containment and recovery decision was logged with a timestamp. The ICO closed the case for the same reason. Documentation is not bureaucracy, it is leverage.
If this sounds uncomfortably familiar
If you run a UK haulage or transport business, we can help you avoid this story or recover from one already in progress. We assess your TMS, telematics, identity and backup posture against the controls that actually matter for hauliers. We deliver Cyber Essentials and Cyber Essentials Plus, managed EDR, immutable backup, 24/7 incident response and a written, sector specific IR plan you will genuinely use. Every recommendation is grounded in how a working transport business runs, not how a textbook says it should.
Common questions on this kind of incident
How long does it take to recover a haulage company from ransomware?
It depends on the state of backups, the spread of the attack and how quickly the business can stand up an interim dispatch process. For a well prepared haulier with immutable backups and an IR plan, core dispatch can often be restored in under 48 hours. For an unprepared business, two to three weeks of significant disruption is typical.
Should a haulage company ever pay a ransomware demand?
Paying the ransom is rarely the right answer and is actively discouraged by the National Cyber Security Centre. It funds organised crime, marks you as a future target, and rarely produces a clean restore. In every case we have run, businesses recovered without paying when they engaged proper incident response support early.
Will our cyber insurance pay out after a ransomware attack?
Most modern UK cyber policies will pay if the insured has met the security warranties in the policy, typically MFA on email, EDR on endpoints, and tested backups. Insurers are increasingly walking away from claims where these basics were not in place. We help clients document their controls so claims are paid in full.
Do we have to report a ransomware attack to the ICO?
If personal data has been accessed or exfiltrated, you are required to notify the ICO within 72 hours of becoming aware. We routinely help clients prepare these notifications and have not yet had a client face enforcement action when the containment and remediation work was solid.
How do we stop this happening again?
The combination of immutable backups, MFA everywhere, managed EDR, network segmentation and a tested IR plan eliminates almost every common ransomware path into a haulage business. We deliver all of these as part of a single sector specific managed package.
How quickly can DefendVista respond if we are under attack right now?
Managed plan clients have a 24/7 incident response line. Off plan, we triage on a best efforts basis as fast as we physically can, often within the hour. If you are reading this during a live incident, stop reading and call us.
Do not wait for your own case study to be written.
Book a free consultation with DefendVista. We will tell you, in plain English, where your operation is exposed and what to do about it first.