Servnet
Financial Services · Ransomware Recovery

How a £2bn asset manager recovered from ransomware without paying — and shaved 32% off backup costs in the process

Customer: FCA-regulated asset manager
Sector: Financial Services
Size: 120 staff · £2bn AUM
Region: City of London + Singapore
Headline Outcomes
  • £0: Ransom paid
  • 36 hrs: Time to restored production
  • 32%: Reduction in annual backup cost vs prior Veeam-only design
  • 0: Enforcement actions from FCA
  • Yes: Achieved Cyber Essentials Plus within 11 weeks
  • CE+: SII renewal premium reduced 18%
Act 1 — The Challenge

Saturday 02:14 — every server encrypted.

  • Veeam backup repository hosted on the same Windows file share as production — encrypted alongside production VMs
  • Three years' worth of trade history, portfolio data and client onboarding documents inaccessible
  • FCA SUP 15.3 incident notification clock starts on detection — the operations team had hours, not days, to clarify scope
  • Singapore office was unaffected but couldn't serve as a recovery base because data sovereignty rules prevented EU client data being restored there
  • Insurance broker required a CHECK-scheme forensic firm engaged within 24 hours, but the customer had no retainer
Act 2 — What Servnet Did

Servnet was on the phone within 18 minutes of the customer's first call. On-site in the City within 90 minutes.

01 · Containment + forensic preservation

Servnet engineers, working alongside the customer's incident response retainer (engaged via Servnet's partner network), isolated affected systems, preserved forensic images, and stood up a clean management network on a previously unused VLAN.

CrowdStrike · Veeam

02 · Backup audit + IRE provisioning

The team identified that an immutable AWS S3 Object Lock copy existed (set up reluctantly 14 months earlier on Servnet's recommendation). Within 6 hours a Rubrik Isolated Recovery Environment was provisioned in AWS, the immutable backup verified clean, and recovery testing began.

Rubrik · AWS · Veeam

03 · Production recovery — without paying

Production VMs were rebuilt onto clean Dell PowerEdge hosts (delivered same-day from Servnet UK stock) over a 36-hour window. The Singapore office continued operating from its locally-stored data throughout, with VPN traffic re-routed.

Dell PowerEdge · Rubrik · Veeam

04 · Post-incident hardening

Backup architecture redesigned end-to-end. Single immutable copy → 3-2-1-1 (three copies, two media types, one offsite, one immutable). Cyber Essentials Plus certification achieved 11 weeks later. FCA SUP 15 closure letter received with no enforcement.

Rubrik · CrowdStrike · Microsoft Entra ID · Fortinet

Servnet were already on site before our COO was. They didn't panic, didn't upsell, didn't blame us — they just got production back. We pay them more now than we did before the incident and we'd still recommend them to anyone.
Chief Operating Officer · FCA-regulated asset manager · City of London