MSP Helps Client Recover from Ransomware in 6 Hours

of service were infected
30 minutes to identify the root cause
6 hours in total to recover

I knew what we had to do to figure out the attack, and I know the reports and capabilities of Netwrix Auditor — they lined up perfectly. You want to know what is compromised, and where the account went and what it did. A quick one-page report from Netwrix Auditor showed the unusual behavior, and we knew exactly what to do.

Brian Joiner, Lead Cloud Solutions Architect, 4sinfosec

  • 4sinfosec was called in to help a US-based insurance company (500 employees) respond to a ransomware infection that had spread from its parent company (50,000 employees) due to domain trusts and network integration. The goal was to assess the damage and get the client back up and running as soon as possible.
  • The ransomware had encrypted 80% of the insurance company’s servers, so all services were completely down. The parent company was decimated, with 100% of its servers infected.

My major takeaway is that Netwrix Auditor is such a valuable tool against ransomware that organizations should implement special measures to protect the system where Netwrix Auditor runs. We had to vet that it was clean and didn’t have any lingering infection before we could actually start using it. If it hadn’t been for that, we’d have recovered even faster.

Brian Joiner, Lead Cloud Solutions Architect, 4sinfosec 

Netwrix Solution

When Brian Joiner, Lead Cloud Solutions Architect of 4sinfosec, saw that the client was a Netwrix customer, he felt immediate relief. Brian had used Netwrix Auditor in other projects, so he knew that it would give his team all the reports they needed to respond effectively to the ransomware attack. With Netwrix Auditor, they achieved the following results:


30-minute incident investigation. Netwrix Auditor provides detailed reports on unusual behavior, so Brian and his team were able to identify all compromised accounts and track the ransomware’s actions almost step-by-step. It took them just 30 minutes to identify the root cause. If the customer hadn’t had Netwrix Auditor in place, it could easily have taken the team a week to diagnose the problem.


Fast recovery. Netwrix Auditor delivered a clear picture of the damage, from a holistic view of which servers were encrypted down to exactly which files were affected. With this actionable intelligence, Brian and his team were able to prioritize recovery efforts to minimize downtime for the client. Attending to only the servers that were hit by the ransomware — instead of having to restore everything indiscriminately — made the process go a lot quicker.


New recurring revenue. The quick recovery demonstrated the true value of Netwrix Auditor to the customer, building trust in the MSP. Until then, the customer had been using the solution only to report on the number of users and files; they were astonished to learn that it can also be used as a forensics tool. In fact, the customer was so impressed by how the 4sinfosec team handled the ransomware that they decided to engage them full time to manage their whole ecosystem. Brian plans to enhance their security by using Netwrix solutions to classify their data, implement a least-privilege model, and perform regular risk assessment and mitigation.

Key Benefits

  • Quick incident investigation
  • Less downtime with targeted remediation
  • New permanent customer won

Customer Profile

4sinfosec is a managed service provider (MSP) that provides IT services to healthcare, finance and government organizations. Customers can opt for full-time support if they don’t have internal IT staff, or engage the MSP for complex projects where advanced expertise is needed. 4sinfosec has 17 engineers and 11 support professionals and is based in Florida, US.

Customer: 4sinfosec

Industry: Technology

Website: www.4sinfosec.com/