8 January 2025

Case Study: How an Energy Supplier Contained a Ransomware Attack in 4 Hours

A regional energy supplier became the target of a ransomware attack. Thanks to prepared network segmentation and a tested incident response plan, the spread was stopped within 4 hours.

TL;DR

A regional energy supplier with 1,200 employees was targeted by a ransomware attack from the BlackCat/ALPHV group in October 2024. Thanks to prepared network segmentation and a tested incident response plan, the spread was stopped within 4 hours. The KRITIS-relevant OT systems remained completely protected.

Initial Situation

The company operates power and heating networks for a region with over 300,000 inhabitants. As a KRITIS operator, it is subject to strict security requirements. The IT environment comprises around 800 endpoints, 60 servers, and a separate OT network for control technology.

The attack began via a compromised VPN connection of an external service provider. The attackers used stolen credentials to move laterally within the IT network.

Detection and Response

Minute 0 (02:14 AM): The EDR system detects unusual PowerShell execution on a file server and automatically isolates the endpoint.

Minute 15: The on-call service is automatically alerted via SMS. The IT manager activates the crisis team.

Hour 1: Initial forensic analysis identifies the attack vector (compromised VPN account). All VPN connections of the service provider are terminated.

Hours 2-3: Lateral movement on 3 additional servers is identified. All affected systems are isolated. The OT network is protected by an air gap and unaffected.

Hour 4: Containment confirmed. No access to customer data or OT systems. BSI (Federal Office for Information Security) report is triggered.
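The minute-0 step above (unusual PowerShell on a file server, then automatic isolation) as an added Python example that is not part of the original article: it triages constructed EDR-style process events and decides per host whether to isolate or merely alert. The event field names, the host role labels and the `svc-vendor` prefix for third-party accounts are assumptions, not a real EDR schema.

```python
"""Toy EDR-style triage: flag unusual PowerShell on server hosts and decide
whether to auto-isolate, mirroring the detection step in the case study."""
import re

# Constructed sample events (assumed field names; not a real EDR schema).
SAMPLE_EVENTS = [
    {"ts": "2024-10-12T02:14:03Z", "host": "FS01", "role": "file-server",
     "user": "svc-vendor-vpn", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"ts": "2024-10-12T02:14:20Z", "host": "WS-117", "role": "workstation",
     "user": "j.mueller", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup-profile.ps1"},
    {"ts": "2024-10-12T02:15:01Z", "host": "FS01", "role": "file-server",
     "user": "svc-vendor-vpn", "image": "cmd.exe",
     "cmdline": "cmd.exe /c net view \\\\FS02"},
]

# Flags that are rarely seen in legitimate admin scripting on servers.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:enc|encodedcommand|nop|noprofile|w\s+hidden|ep\s+bypass)")
SERVER_ROLES = {"file-server", "domain-controller", "app-server"}

def score_event(ev):
    """Return the reasons this event looks like interactive PowerShell abuse."""
    reasons = []
    if ev["image"].lower() != "powershell.exe":
        return reasons
    if ev["role"] in SERVER_ROLES:
        reasons.append("powershell on server host")
    if SUSPICIOUS_FLAGS.search(ev["cmdline"]):
        reasons.append("obfuscation/hidden-window flags")
    if ev["user"].startswith("svc-vendor"):  # assumed naming for third-party accounts
        reasons.append("third-party service-provider account")
    return reasons

def triage(events, isolate_threshold=2):
    """Map host -> action: 'isolate' once enough indicators stack up, else 'alert'."""
    actions = {}
    for ev in events:
        reasons = score_event(ev)
        if not reasons:
            continue
        action = "isolate" if len(reasons) >= isolate_threshold else "alert"
        prev = actions.get(ev["host"])
        # Never downgrade a host that already earned an isolation decision.
        if prev is None or (prev["action"] == "alert" and action == "isolate"):
            actions[ev["host"]] = {"action": action, "reasons": reasons, "user": ev["user"]}
    return actions
```

In a real deployment the "isolate" decision would call the EDR's network-containment API and page the on-call team, as the timeline describes.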

Success Factors

  • Network segmentation: Strict separation of IT/OT prevented access to control technology
  • EDR with auto-isolation: Initial containment occurred automatically before human intervention
  • Tested IR plan: Tabletop exercise 3 months prior with an identical scenario
  • External IR retainer: Forensics team activated remotely within 2 hours

Lessons Learned

  • Service provider VPN access must be time-limited and secured with MFA
  • Automatic endpoint isolation was the crucial time saver
  • OT segmentation protected KRITIS operations
  • The 3-month-old tabletop exercise made the difference between chaos and control

Key Facts

Industry: Energy supply (KRITIS)

Attacker: BlackCat/ALPHV Ransomware

Containment time: 4 hours

Affected systems: 4 of 60 servers, 0 OT systems

Data loss: None (backups intact, no exfiltration detectable)

Fact: Only 43 percent of German SMEs have an IT emergency plan, according to Bitkom.

Fact: Ransomware groups achieved estimated ransom payments of 1.1 billion dollars worldwide in 2024, according to Chainalysis.

Frequently Asked Questions

How important is network segmentation for KRITIS operators?

Indispensable. In this case, the separation of IT and OT protected the KRITIS operations. The BSI recommends strict segmentation as a basic measure for all critical infrastructures.

Should you have an IR retainer?

Yes. Without a pre-arranged retainer, it can take hours to days to find an available incident response service provider in an emergency. The monthly costs are minimal compared to the potential damage.

Should you pay the ransom?

The BSI and BKA strongly advise against it. Payment funds criminal structures and does not guarantee decryption. According to Cybereason, 77 percent of payers were attacked again. Instead: file a report and commission professional incident response.

About the author: Tobias Massow

A magazine by Evernine Media GmbH