Data Center

How an Indian Energy Major Cut Ransomware Recovery From Days to Hours

Updated: July 14, 2026

difference between backups and recovery
4 Minutes Read

At a Glance 

  • Organisation: A large power-generation company in western India 

  • Challenge: A recovery drill revealed that restoring critical systems would take four days 

  • Solution: Backup modernisation, modern compute and high-performance storage, an immutable backup appliance, and clean-room cyber recovery 

  • Outcome: Recovery of critical systems cut from ~4 days to under 4 hours, proven in a live test (indicative) 

The progress bar had not moved in forty minutes. 

Kavita Menon (name changed on request) watched it hold at nine per cent, the same nine per cent it had shown when she left to get coffee, and did the arithmetic she did not want to do. If the most important system in the company came back this slowly, the business would be dark for days. 

It was only a drill. That was the single mercy. Nobody had attacked them; she had asked her team to pretend someone had, and to bring the critical systems back from backup while she timed it. The pretending was going badly. 

Kavita runs security for a large power producer in western India, the kind of company that generates around the clock and answers to a regulator when it does not. By the end of that afternoon she had her number, and it was the wrong one. A full recovery would take the better part of four days. 

Four days. For a business that measures downtime by the hour. 

The Problem Beneath the Panic 

Here is the uncomfortable part: the backups were working exactly as designed. The design was the problem. 

They had been built years earlier for an ordinary kind of trouble, a dead disk, a fat-fingered deletion. Slow to restore, but fine for a bad afternoon. What they were not built for was an adversary. And, worse, they sat on infrastructure the production network could reach, which meant that in a real ransomware attack the backups would likely have been encrypted along with everything else. Four days would have become never. 

Kavita brought in Proactive Data Systems for a data-protection assessment. She did not need a long report. Backups reachable from production. No immutable copies. No clean place to recover into. Recovery targets that lived on a slide and had never been tested against a clock. It was not a product gap. It was an architecture gap, and she had just watched it fail in a room with the lights on. 

The Redesign 

Proactive did not pitch a rip-and-replace. It proposed something less dramatic and more useful: a recovery architecture, with a backup modernisation underneath it. 

Fast restores needed modern compute and high-performance storage, so that when data moved, it moved. The copies themselves went onto an immutable backup appliance, written once and impossible for an attacker to alter or delete. And recovery would happen in a clean-room, an isolated, known-good environment, so a restored system could not be reinfected the moment it came back. The systems the plant genuinely could not run without were tiered to return first. 

Then the unglamorous half. Recovery objectives were rewritten as real numbers tied to what the business could actually survive. And recovery would be tested on a schedule, not assumed on a slide. 

All of it went in around the running business. Nothing stopped to make the improvement. 

How Long Did Recovery Take After the Redesign? 

A few months later, Kavita ordered the same drill. 

This time the first critical system was back before her coffee went cold, under an hour. The full critical tier, everything the plant could not run without, was recovered, validated and clean in under four hours. Four days to under four. 

Then the moment that reframed it for the board. Proactive ran the recovery into the clean-room and showed that even if production were fully compromised, the immutable copies would survive and the business could come back from them. The boardroom question stopped being "are we safe?" and became "how fast can we recover?" For the first time, Kavita had an answer she had watched happen. 

The Outcome 

The number people remember is the recovery time: under four hours, down from four days. Kavita cares more about the second change. 

The backups are now immutable and isolated, out of an attacker's reach. Recovery is rehearsed rather than hoped for. And she can sit across from her board, or a regulator, and describe not an intention but a proven capability. The company did not buy better backup software. It turned backup into recovery. 

In Their Words 

"We always said we had backups. The drill taught us we didn't have recovery. Now I can tell the board exactly how long it takes to come back, because we've done it, on purpose, more than once." - Kavita Menon (name changed on request), CISO of a large power producer in western India 

Why It Matters 

The lesson is the one most enterprises learn at the worst possible moment: a backup is not a recovery until it has been tested, and against ransomware it must be immutable, isolated, and recoverable into a clean environment. The organisations that stay calm in an attack are the ones that proved they could recover before they had to. 

Proactive Data Systems designs and runs data protection and cyber recovery for Indian enterprises, built around recovery you can prove, across Veeam, Veritas, Rubrik, ExaGrid and Dell EMC. We are a Cisco Preferred Cloud and AI Partner, Dell Platinum Partner and NetApp Preferred Partner, with 35 years in enterprise IT, more than 1,500 organisations served, and a 24/7 service desk in India. To find out whether your backups would survive an attack, ask Proactive for a cyber-recovery readiness assessment. 

Frequently Asked Questions

It varies widely. Enterprises without tested recovery often take weeks; industry data puts the average enterprise ransomware downtime at around a month, because of the scale and validation involved. With immutable backups, a clean-room and rehearsed recovery objectives, critical systems can be restored in hours. Preparation done before the attack is the deciding factor.
Clean-room recovery means restoring systems to an isolated, known-good environment rather than back into the compromised production network. It prevents reinfection, restoring clean data onto infected infrastructure, simply re-encrypts it. It is a core part of a tested cyber-recovery capability, alongside immutable, isolated backups.
An immutable backup is a copy of data that cannot be altered or deleted once written, for a defined period. This protects it from an attacker, or a rogue insider, who reaches the backup system intending to corrupt or remove it. Combined with isolation and tested recovery, immutability is central to surviving a ransomware attack.
A backup is a copy of your data. Recovery is the proven ability to restore the business and run it again, from data you know is clean, within a time it can survive. Having backups does not guarantee recovery; only a tested restore, into a clean environment and within a measured recovery-time objective, proves you can come back.

Whitepapers

E-Books

Contact Us

We value the opportunity to interact with you, Please feel free to get in touch with us.

 

 

 

 

Share a few details to get started.

We'll get back to you shortly.