Pharma ransomware containment under the CERT-In 6-hour clock — Ahmedabad plant + Mumbai HQ recovered with USFDA-inspection-ready evidence
An Ahmedabad-headquartered listed pharma manufacturer detected ransomware activity on the corporate network at 03:42 IST. By 09:30 the CERT-In incident report was filed. By hour 72, containment was complete, the Ahmedabad plant had resumed batch operations from clean backups, and the evidence pack was assembled to USFDA Pre-Approval Inspection standard. Initial access was traced to a vendor-portal credential reused from a 2024 third-party breach.
- Client: Indian Listed Pharma Manufacturer (Gujarat / Ahmedabad)
- Sector: Manufacturing
- Region: India
- Engagement: DFIR
- Year: 2026
- Duration: First 72h + 30-day recovery
What the client was up against.
USFDA-inspection window + CERT-In 6-hour clock
The client had a USFDA Pre-Approval Inspection scheduled for the Pirana site three weeks out. Any plant-floor disruption risked the inspection slot. CERT-In's 6-hour reporting window started at 03:42 IST detection; the client's previous CERT-In incident response (a phishing event two years earlier) had filed at hour 9 and drawn an in-writing reminder from the sectoral CERT. This engagement could not repeat that pattern.
Corporate-IT + plant-OT interdependency
The Ahmedabad plant ran SAP S/4 batch-process integration with the Mumbai corporate-IT estate. The ransomware was active on the corporate-IT side; the plant's batch-execution system depended on the corporate ERP. Containment had to isolate without breaking the plant's in-progress batch records — 21 CFR Part 11 audit-trail integrity is the control a USFDA inspection turns on.
Domain Controller compromise suspected
Initial telemetry showed the ransomware encryptor running with SYSTEM-level privileges on multiple file servers. Domain Admin compromise was the working hypothesis until forensics could confirm. KRBTGT extraction risk drove the recovery sequence even before the forensic confirmation arrived 11 hours into the engagement.
How we ran the engagement, phase by phase.
01 · Detection → Incident Command (hour 0–1)
- Confirmed encryption activity across 12 corporate-IT file servers and 3 application servers
- Identified ransomware family (LockBit variant; ransom note + leak-site banner match)
- Activated Incident Command — CISO, IT-Ops Lead, Plant-Operations Lead, Legal, Macksofy DFIR retainer mobilised
- VLAN-level isolation of affected segments; memory captures from non-encrypted hosts using winpmem
02 · Containment + CERT-In reporting (hour 1–6)
- Cut external connectivity to affected segments; preserved Mumbai-Ahmedabad WAN link for ERP-batch-record traffic
- Disabled AD accounts that could not be confirmed known-good before the encryption window, to halt lateral spread
- Snapshot all VMs; began disk imaging on patient-zero candidates
- Filed CERT-In incident report at hour 5:48 via incident.cert-in.org.in
03 · Forensic preservation + scope expansion (hour 6–24)
- Memory captures from every still-running endpoint (priority: DCs, file servers, jump hosts)
- Disk imaging from 22 hosts using FTK Imager with SHA-256 hash chain-of-custody
- Patient-zero identification — vendor-portal credential reuse traced to a 2024 third-party breach (verified via HIBP API)
- DPDP § 16 cross-border-transfer evidence assembled (data didn't leave India in the encryption-only phase; exfil window analysed and bounded)
04 · KRBTGT double-reset + tier-0 rebuild (hour 24–72)
- KRBTGT reset #1; repadmin /syncall across all DCs
- 24-hour wait window; documented evidence of ticket expiry
- KRBTGT reset #2; replication health verified
- Privileged credential reset sweep; LAPS rotation across server local-admins; ADFS administrators reviewed and pruned
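The double-reset in phase 04 turns on two things the list above only names: refusing the second reset until the wait window has elapsed, and writing evidence a later inspection can verify. The script below is an added example, not Macksofy's or the client's tooling; it assumes the ActiveDirectory module, Domain Admin rights and repadmin.exe on the jump host, and the evidence folder path is a hypothetical placeholder.

```powershell
# Added example: one KRBTGT reset with a wait-window guard and hashed evidence log.
# Run it twice; the second run refuses until $MinimumGapHours have passed since the first.
param(
    [int]$MinimumGapHours = 24,
    [string]$EvidencePath = 'C:\IR\evidence\krbtgt'   # hypothetical placeholder path
)
Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null
$log = Join-Path $EvidencePath ("krbtgt-reset-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))
function Write-Evidence([string]$Line) {
    "{0:o}  {1}" -f (Get-Date), $Line | Tee-Object -FilePath $log -Append
}

$before = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
Write-Evidence "PasswordLastSet before reset: $($before.PasswordLastSet)"

# Wait-window guard: tickets issued under the previous key must have expired before
# the second reset, otherwise the first reset's evidence of ticket expiry is meaningless.
$age = (Get-Date) - $before.PasswordLastSet
if ($age.TotalHours -lt $MinimumGapHours) {
    Write-Evidence ("REFUSED: last reset is {0:N1} h old, minimum gap is {1} h" -f $age.TotalHours, $MinimumGapHours)
    exit 1
}

# Random value satisfies the cmdlet; the DC derives the actual key. Never logged.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $newPassword
$after = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
Write-Evidence "PasswordLastSet after reset: $($after.PasswordLastSet)"

# Push the change to every DC and keep the replication summary as evidence.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    Write-Evidence "repadmin /syncall $dc /AdeP"
    repadmin /syncall $dc /AdeP 2>&1 | Out-File -FilePath $log -Append
}
repadmin /replsummary 2>&1 | Out-File -FilePath $log -Append

# Confirm every DC sees the new PasswordLastSet, then seal the log for chain-of-custody.
foreach ($dc in $dcs) {
    $seen = (Get-ADUser -Identity krbtgt -Server $dc -Properties PasswordLastSet).PasswordLastSet
    Write-Evidence "$dc PasswordLastSet=$seen matches=$($seen -eq $after.PasswordLastSet)"
}
$hash = (Get-FileHash -Path $log -Algorithm SHA256).Hash
"SHA256 $hash" | Out-File -FilePath "$log.sha256"
```

The `.sha256` sidecar is what goes into the chain-of-custody record; the log itself stays with the evidence pack.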
05 · Recovery + evidence + USFDA-ready report (day 4–14)
- Corporate-IT file servers restored from offline backup with malware-free validation (YARA scan against LockBit family)
- Endpoints wiped and re-imaged; EDR baseline before re-joining domain
- Plant-floor SAP batch-execution validated for 21 CFR Part 11 audit-trail integrity
- Final report assembled to USFDA Pre-Approval Inspection standard — chain-of-custody, indicator timelines, root-cause, remediation evidence
What we surfaced — severity, title, real-world impact.
Initial-access via vendor-portal credential reuse
Patient-zero credential was a procurement-team account used at the client AND at a 2024 third-party SaaS that was breached. The credential was identical (same password used) and had been on HIBP since the third-party breach. MFA was not enforced on the vendor-portal at the time of attack. Closed with company-wide MFA enforcement + the HIBP-credential monitoring service activated for the procurement team.
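The HIBP check that confirmed patient zero (phase 03) and the credential-reset sweep it led to can be wired into the reset process itself, so a password already present in a breach corpus is never accepted. This is an added example, not Macksofy's monitoring service; it uses the public Pwned Passwords range endpoint, which needs no API key, and sends only the first five hex characters of the SHA-1 off the host.

```powershell
# Added example: reject a candidate password that appears in HIBP Pwned Passwords,
# using the k-anonymity range API (only a 5-character hash prefix leaves the host).
function Get-PwnedPasswordCount {
    param([Parameter(Mandatory)][string]$Password)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Password))
    $hex   = -join ($bytes | ForEach-Object { $_.ToString('X2') })
    $prefix = $hex.Substring(0, 5)
    $suffix = $hex.Substring(5)
    # Add-Padding keeps the response size constant, so an observer cannot infer
    # how many real suffixes shared this prefix. Padding entries carry count 0.
    $body = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" `
                              -Headers @{ 'Add-Padding' = 'true' }
    foreach ($line in ($body -split "`r?`n")) {
        $parts = $line.Trim().Split(':')
        if ($parts.Length -eq 2 -and $parts[0] -eq $suffix) {
            return [int]$parts[1]   # 0 here means a padding row, i.e. not breached
        }
    }
    return 0
}

# Gate used during the credential-reset sweep: the new value is read as a
# SecureString and only checked, never written to disk or log.
function Test-ResetPasswordAllowed {
    param([Parameter(Mandatory)][System.Security.SecureString]$Candidate)
    $plain = [System.Net.NetworkCredential]::new('', $Candidate).Password
    $count = Get-PwnedPasswordCount -Password $plain
    if ($count -gt 0) {
        Write-Warning "Candidate password seen $count times in breach corpora; choose another."
        return $false
    }
    return $true
}

# Example use (interactive, nothing persisted):
# $new = Read-Host -AsSecureString 'New password'
# if (Test-ResetPasswordAllowed -Candidate $new) { Set-ADAccountPassword -Identity <user> -Reset -NewPassword $new }
```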
Domain Admin reached via golden-ticket-feasible window
Forensics confirmed lsass.exe dumps from a DC during the attacker's dwell. KRBTGT extraction could not be definitively ruled out. KRBTGT double-reset executed as a precaution; no post-IR re-engagement attempts observed in the 30-day monitoring window.
Backup-server credential reused for production
The Veeam backup service account had the same password as a domain-admin-equivalent account. The attacker pivoted from the compromised endpoint to the backup infrastructure within 4 hours of initial access. Backup encryption was attempted but defeated by an air-gapped offsite copy that had been refreshed 18 hours earlier. Closed with credential isolation and an explicit air-gap-validation cadence.
EDR alert backlog not triaged
Three EDR alerts in the 48 hours preceding the encryption event indicated lateral-movement patterns. None were investigated by the in-house SOC team because the alert queue was 800 deep. Closed with an alert-triage SLA and an EDR detection-tuning engagement layered into the post-IR program.
Plant-OT engineering laptop in same VLAN as corporate-IT
An engineering laptop with vendor-mandated batch-process-control software was in the corporate-IT VLAN — IEC 62443 zoning violation. The ransomware did not reach the OT side, but the path was open. Closed with IT-OT zones-and-conduits redesign in a follow-on engagement.
What changed for the client.
CERT-In reporting hit at hour 5:48 (within 6-hour window)
First filing at hour 5:48; updated reports filed at hour 24, day 7 and day 30 as scope evolved. The sectoral CERT response was a single-line acknowledgment with no clarification request — a measurable improvement vs the client's prior incident.
USFDA Pre-Approval Inspection passed three weeks later
The Pirana site inspection went ahead as scheduled. The 21 CFR Part 11 audit-trail integrity was demonstrated for every batch in the affected window; the post-IR evidence pack was specifically reviewed and accepted. No 483 observation, no Warning Letter follow-up.
Plant-floor batch operations resumed at hour 38
Plant-floor batch operations resumed at hour 38 — well inside the worst-case 72-hour business-survival window the client's BCP had modelled. Corporate-IT applications restored progressively over days 4–10.
Zero post-IR re-engagement in 30-day monitoring window
Sigma rules deployed for the specific TTPs the attacker used were monitored 30+ days. Zero attacker re-engagement attempts; the threat-intel signal from Macksofy's broader feed showed the actor group active against other Indian-pharma targets in the same window, confirming the closure held.
“The CERT-In clock starting at 03:42 is the moment that defines whether you have a cyber event or a regulator problem. Macksofy mobilised inside the retainer SLA, filed at hour 5:48, and the plant batch operations were back at hour 38. The USFDA inspection three weeks later cleared without observation. That's what 'IR-ready' has to mean.”