Anish Pandey · 2026-01-15 · 11 min read
In September 2025, Prakash Stampings — a metal components manufacturer in Faridabad with 180 employees — received what appeared to be a vendor invoice over email. One of the accounts team members opened the attached PDF. Within 3 minutes, Trend Micro's endpoint protection agent on that machine detected anomalous behaviour: the PDF had spawned a process that was attempting to enumerate shared network drives. The process was quarantined automatically. The IT alert went to the our team monitoring desk. The attack was over before most of the office had finished their morning chai. This article tells that story, and explains what would have happened if the endpoint agent had not been there.
Ransomware attacks on Indian manufacturing SMBs follow a predictable pattern. The entry point is almost always a phishing email — an invoice, a GST notice, a delivery confirmation, or a job application attachment. The payload (often a macro-enabled Office document or a malicious PDF) executes when opened. Once on the first machine, the ransomware attempts to spread laterally across the network by exploiting shared drives and unpatched Windows vulnerabilities. In most Indian SMB environments — where machines run Windows 10 or Windows 7 (still in use at many factories), shared drives are mapped for ERP access, and Windows Defender is disabled to improve performance — the lateral spread is fast. In a real-world attack on an Indian textile factory documented by CERT-In in 2024, ransomware encrypted 340 machines across a factory network in under 2 hours.
Before our team deployed Trend Micro Apex One in August 2025, Prakash Stampings had Windows Defender (the built-in Windows antivirus) on some machines and nothing on others. Their factory floor machines — running CAD software and ERP — had antivirus disabled because a 2021 IT audit had flagged performance issues and the IT contractor at the time had turned it off as a 'temporary fix' that was never reversed. Their network had no segmentation: the accounts PCs, engineering workstations, and factory floor terminals were all on the same flat network. A compromised accounts machine had full network access to every CAD file and ERP database on the factory floor. The CISO role did not exist — the owner's son handled IT on the side.
Endpoint Detection and Response (EDR) solutions like Trend Micro Apex One do three things that Windows Defender does not. First, behavioural detection: instead of only checking files against a database of known malware signatures, EDR monitors running processes for suspicious behaviour — a PDF that opens and immediately tries to enumerate network drives is not in any signature database, but its behaviour is definitively malicious. Second, automatic containment: when a threat is detected, the endpoint agent quarantines the process and can isolate the machine from the network — preventing lateral spread — within seconds, without waiting for human intervention. Third, centralised visibility: every endpoint's security status is visible on a central console. The IT team can see which machines have been targeted, what was blocked, and whether any threats require follow-up — across all 80 machines simultaneously.
At 11:14 AM, the phishing email arrived. At 11:17 AM, the accounts manager opened the attachment. At 11:17:43 AM — 43 seconds after opening — Trend Micro Apex One detected the process spawned by the PDF attempting to enumerate shared drives. The process was quarantined and the machine isolated from the network automatically. At 11:19 AM, the alert reached our team's monitoring desk. At 11:23 AM, a our team engineer had remotely accessed the quarantined machine, confirmed the threat, verified that no other machines had been reached, and released the machine from isolation after cleaning. At 11:31 AM, the accounts manager received a call from our team explaining what had happened and advising them to change their email credentials. Total business disruption: 14 minutes for one machine, zero for the rest of the factory.
CERT-In's published analysis of ransomware incidents in Indian manufacturing estimates average recovery costs at ₹18 to ₹95 lakh depending on company size and the extent of encryption. For Prakash Stampings, a conservative estimate based on their environment — 80 machines, 4 TB of CAD and ERP data, 12-day average recovery time for similar-sized companies — puts potential recovery costs at ₹65 to ₹90 lakh. This includes IT forensics (₹5 to ₹15 lakh), data recovery attempts (₹8 to ₹20 lakh), hardware replacement for encrypted machines (₹12 to ₹25 lakh), and most significantly, production downtime while systems are restored — at ₹2.5 lakh per day for a factory this size, a 12-day shutdown costs ₹30 lakh in lost orders and penalties alone. The Trend Micro Apex One deployment across 80 machines costs Prakash Stampings ₹1.84 lakh per year.
Most Indian manufacturing SMBs are not under-funded for cybersecurity — they are under-informed about their actual risk. The standard objections — 'we are too small to be targeted', 'we have nothing valuable to steal', 'we cannot afford it' — are contradicted by every CERT-In quarterly report. Small manufacturers are targeted precisely because they are assumed to have weak defences. The starting point for any manufacturing company is endpoint protection on every machine, including factory floor terminals. The second priority is email security — filtering phishing emails before they reach employees. The third is regular backups that are stored offline (not on a network drive that ransomware can reach). our team can deploy endpoint security, email security, and backup solutions as a bundled managed security service starting at ₹8,000 per month for 20 to 25 machines.
Prakash Stampings' story ended well because they had deployed endpoint protection one month before the attack. The investment was ₹1.84 lakh. The attack they dodged would have cost ₹65 to ₹90 lakh. The mathematics of cybersecurity for Indian manufacturing is not complicated — the risk is measurable, the protection is affordable, and the gap between them is enormous. If your factory, warehouse, or manufacturing facility runs computers without enterprise endpoint security, you are carrying a risk that a single phishing email can trigger. Get a security assessment. Know what you are protecting and what it would cost to replace it.
Topics: Endpoint Security, Ransomware, Cyber Security, Manufacturing, Trend Micro, India, CERT-In