At 4.45 p.m. on May 20, the Schmersal Group, a family-run company based in Wuppertal and provider of machine security, was officially informed that cyber criminals were planning a targeted attack on the company network. After verifying the call, the IT managers consulted briefly and made a far-reaching decision at lightning speed: they shut down the entire company network. Within ten minutes, the connection to the Internet was severed and within 90 minutes the entire IT system was shut down worldwide. Nothing worked anymore - from the telephone system to the entire ERP system infrastructure and the entire production to the fully automated warehouse, at all locations.

As it soon turned out, this was the only right decision, and it came at exactly the right time. IT forensic experts were able to identify and isolate the really aggressive malware. Apparently, the attacker was still in a preparatory phase when the systems were shut down. The task now was to prevent the attacker from completing the attack. Therefore, the systems had to remain shut down as a precaution until they could be finally cleaned. The 'offline' state remained in place for a number of days: All production came to a standstill while administration and sales worked hard to keep customers, suppliers and other business partners informed. Philip Schmersal, Managing Partner: "In situations like this, it becomes clear just how dependent a company is on IT these days. Making phone calls, sending emails, taking orders: We had to find alternative channels for every process. We therefore went to great lengths to contact our customers in every conceivable way and keep them up to date. After all, we had to affect our customers' supply chains as little as possible." At the same time, there was a lot of 'manual work' to be done: As this Schmersal-specific malware was not initially detected by any standard scanner, each computer had to be processed with an individual cleaning routine. At the same time, communication was maintained via replacement servers, thousands of emails with orders were printed out and processed manually, and the software programs were restarted.

After a week of very intensive work, the ERP system and therefore also the central warehouse in Wuppertal were up and running again. The global communication network between the seven production sites and 64 international subsidiaries and sales representatives was also successfully reactivated. It took another week before production at the German sites was able to resume in full.

Philip Schmersal comments on the 'lessons learned' from the incident, which put the company in a 14-day state of emergency: "First of all, we were lucky that we were warned and were able to act early. I was really impressed by the commitment of the workforce, who maintained emergency operations without a company network even at weekends, regardless of working hours and departmental affiliation." Those responsible also found the good cooperation with neighboring companies and network partners from the region to be very positive. Philip Schmersal: "The extensive work required on the IT infrastructure was only possible with the neighborly help of the Bergisch SMEs. We would also like to thank some companies in the automation sector who have already been victims of such attacks and have supported us selflessly over the past fortnight. We would also like to thank our customers for their understanding - and especially our employees for their great commitment during this difficult phase."

The attack has shown: The usual standard protection with anti-virus programs and firewalls is powerless against targeted attacks with previously unknown malware. Schmersal immediately provided the relevant anti-virus program providers with information about the malware. The providers have upgraded their protection accordingly so that this virus is highly unlikely to cause any more damage. Philip Schmersal: "However, we have learned that corporate IT in SMEs needs to redefine itself - and how quickly the topic of 'security' becomes a top priority."