Ransomware recovery

We helped a Fortune 500 manufacturing company recover from a terrifying ransomware attack and reinforce their IT security.

Turning a ransomware attack into an opportunity

A US-based Fortune 500 manufacturing company fell victim to one of the more terrifying IT vulnerabilities facing any business: a ransomware attack that encrypted virtually all of its IT systems, from its enterprise resource planning applications down to each employee’s laptop. By waiting until the beginning of a holiday, the attackers had gained the time they needed to complete such a widespread assault. To guide its recovery, the company called KPMG.

Challenge: Saying “no” to the attackers

A large manufacturing company fell victim to a ransomware attack that encrypted virtually all of its IT systems and employee laptops. It decided not to pay the ransom and instead called KPMG.

Solution: A three-phase approach

KPMG took a three-phase approach to resolving the crisis. First, get the client to a base level of “business as acceptable.” Next, return the client to “business as usual” but with a more secure and resilient cloud-based IT infrastructure. Finally, migrate the client to a fully “business as transformed” state taking full advantage of a cloud-first IT infrastructure.

Results: Better than business as usual

Within days, the client’s employees were back to conducting business using paper templates and email. Within four months they were back to business as usual — but now on a more secure cloud-based IT infrastructure. KPMG then took the client a step further by migrating its remaining systems and management tools to the cloud to enjoy significantly enhanced security protections and greater business agility.

Hacks and attacks: how businesses recover from ransomware

Speed to Modern Tech Podcast Series, Episode 6

On this episode, we explore recovering from a ransomware attack and how businesses can strengthen their IT systems to protect themselves.


As a matter of policy and principle, the client from the outset took paying ransom off the table.

Our mission, therefore, was straightforward: recover as much of the company’s data as possible, deploy replacement information systems in a resilient cloud-based infrastructure, and secure that infrastructure against future attacks.

Our response

We began by identifying and focusing on the most critical business processes first and working closely with the client’s C-suite to continually reprioritize efforts as conditions evolved.

We divided the project into three recovery phases:

  1. Business as acceptable. Enable the company to continue to conduct business, even if that meant temporarily using paper records.
  2. Business as usual. Restore the company’s ability to conduct business with the same level of functionality it had before the attack, but with a more secure and resilient cloud-based infrastructure.
  3. Business as transformed. Fully migrate to a cloud-first IT architecture to allow continuous compliance monitoring and provide the ability to reach from the cloud to remediate any future system issues.

Business as acceptable

To enable employees to conduct business as acceptable, our team focused first on the highest priority activities.

We provided paper templates to record transactions in a consistent and accurate manner so the information could be processed once replacement software systems were operable.

On the technology front, our first order of business was giving employees access to their data. Among other things, this meant ordering and configuring approximately 3,000 new laptops, which we were able to do by working closely with two computer manufacturers who were able to respond in a remarkably short period of time.

We also began replacing the inoperable on-premises IT infrastructure with a cloud-based version built on the Microsoft Azure cloud computing platform. Our first step was to recreate the company’s identity and access management systems to enable employees to log on to their software systems securely, which we accomplished by migrating them to the Azure Active Directory identity management platform and a Microsoft Office 365 tenant. To ensure security, we defined roles and permissions in a carefully crafted hierarchy. In the Azure administration portal, for example, which by default would give any administrator access to the entire infrastructure, we implemented multi-factor authentication and a “landing zone” designed to automate controls and enforce governance. We also required two or more simultaneous peer approvals to take any action that could compromise data or backups.

In concert with these efforts, a separate KPMG team focused on recovering as much data as possible from the client’s encrypted systems. Working closely with our key alliance partner, Microsoft, we recovered a surprisingly large amount of data saved primarily in file shares or development systems. Luck was a factor: we discovered one server that had been taken offline for maintenance just prior to the attack and were able to use it to restore the on-premises Active Directory service. By piecing together thousands of separate threads of information from hundreds of different sources we reconstructed most of the company’s key data. We then cleaned and organized this data to prepare it for import into the replacement systems once they were configured and available.

A pressing deadline

The company faced a pressing deadline during this first phase of recovery: the filing of its 10-K annual report with the Securities and Exchange Commission.

A 10-K details a company’s business and financial condition. To avoid reporting material risks or weaknesses — potentially exposing it to further attacks — the company had to quickly implement new security controls and prove to its auditor that it could successfully manage any further cyber assaults. With only six weeks until the audit, we recommended building controls into Microsoft Azure and storing the company’s critical data there. This approach worked, and the company was able to pass its auditor’s test and issue a clean 10-K.

Business as usual

For the next phase of the recovery, KPMG completed a secure restore of the company’s core software solutions, including its ERP, customer resource management, and human resources systems. They were built in the cloud and secured with Microsoft security features such as Single Sign-On, Multi-Factor Authentication, Web Firewalls, and Endpoint Detection and Response.

Business as transformed

The final phase of the project involved helping the client migrate its remaining systems to the cloud and managing both cloud and on-premises systems.

Using capabilities embedded in the company’s Microsoft 365 E3+ license, we implemented Azure monitoring, patch management, and Microsoft Sentinel, a cloud-native security information and event management (SIEM) platform. Taking advantage of Microsoft Azure Arc, a set of technologies that bring Azure security and other cloud-native services to hybrid and multicloud environments, we also extended the capabilities of these tools to the few remaining on-premises systems. We sent all data to Microsoft Defender for Cloud to detect configuration drift.

As part of this final phase we also helped update much of the client’s network infrastructure, including replacing outdated telecom provider circuits, re-architecting the network in Azure, moving the company’s virtual private network to Azure, and relocating processing-intensive and time-sensitive activities to data centers closer to where data was being generated or used.

In addition to guiding these software implementations we helped the client rethink its IT operations, beginning with development of an IT roadmap and project portfolio. We then helped the company create a new internal cyber security team complete with a staffing model and budget. We armed this team with the tools and processes needed to conduct both penetration testing and automated security audits.

During this phase of the project we also helped our client create a more robust disaster recovery framework that included provisions for handling any future ransomware attacks. Phishing was the most likely source of the original attack, and this new framework incorporated phishing testing capabilities to help spot any places where the company’s systems may still be susceptible to human vulnerabilities.

Finally, we helped the company create an IT architecture review board to guide future development efforts and establish the next set of priorities.

More than one infrastructure

As with many large organizations, our client had fueled its growth through acquisitions, swallowing as many as 60 smaller firms in recent years.

This had left it with a tangle of disparate IT systems that made the recovery effort significantly more complex. While addressing the most important of these subsidiaries’ systems, we designed and documented the processes we used to update them. The client’s internal team was then able to use these processes to take over the effort and safely integrate the remaining systems into the new cloud-based architecture. These same processes will act as the framework for integrating IT systems in future acquisitions.

Enabling technologies

We selected the Azure cloud computing platform to serve as the backbone of the client’s new IT infrastructure, including:
  • Azure Active Directory for identity and access management
  • Microsoft Dynamics 365 for ERP and CRM
  • Microsoft Power BI for analytics
  • Microsoft Defender for Cloud for continuous monitoring of controls

Microsoft Azure Arc was used to manage the company’s proprietary, non-Azure systems as if they were Azure native.

Employee laptops were configured with Microsoft Office 365 E3, a suite of cloud-based productivity apps including Word, Excel, PowerPoint, Outlook and Teams.

The team

Within hours of receiving the call, KPMG assembled a team of 50 technology and cyber security professionals to address the client’s immediate needs.

We included people with experience and expertise in:

  • Project management
  • Disaster recovery
  • Microsoft Azure
  • VMware
  • Security operations

A key mission for the latter group: ensure the attackers would not be able to return.


Within days of KPMG’s engagement, the client’s employees were conducting business using our paper templates and Microsoft 365.

Phase one — business as acceptable — was completed in less than two months. Phase two — the return to business as usual — came just two months after that. By then, all key data had been recovered and restored in the new cloud-based IT environment, and the company was able to file its 10-K annual report with the SEC on time — without reporting any significant deficiencies.

Today the client is a transformed business operating with significantly enhanced security protections and greater business agility. Its modern, cloud-first IT infrastructure leverages the full breadth of Microsoft technology to maintain operations and protect against future cyberattacks.

Speed to Modern Technology

Over the last dozen-plus years, we’ve built a leading technology organization designed specifically to help information technology leaders succeed at the pace business now demands.

Unlike business-only consultancies, our more than 15,000 technology professionals have the resources, engineering experience, battle-tested tools and close alliances with leading technology providers to deliver on your vision — quickly, efficiently and reliably. And unlike technology-only firms, we have the business credentials and sector experience to help you deliver measurable business results, not just blinking lights.

Meet our team

Accelerating business transformation requires speed of insights and deep expertise.

Our professionals immerse themselves in your organization, applying industry knowledge, powerful solutions and innovative technology to deliver sustainable results. Whether it’s helping you lead an ESG integration, risk mitigation or digital transformation, KPMG creates tailored data-driven solutions that help you deliver value, drive innovation and build stakeholder trust.

Marcus Brakewood
Director, CIO Advisory, KPMG US

Jason A Haward-Grau
Principal, Advisory, Cyber Security Services, KPMG US
