
How a cyberattack takes down a traditional company

Lessons learned for medium-sized businesses

The attack on the napkin manufacturer Fasana in May 2025 is one of the most drastic recent cases of a successful cyberattack on a German medium-sized company. Within a few hours, the company had virtually ground to a halt: internal printers suddenly began displaying ransom notes, production came to a standstill, and delivery and order processing systems collapsed. A few days later, the company filed for bankruptcy. For CISOs at medium-sized companies, this case is not only a cautionary tale but also a valuable source of lessons learned.


Only limited technical details about the attack have been published. The following assumptions are based on confirmed facts and plausible scenarios derived from typical attack patterns observed in our incident response operations.


Known Facts

On May 19, 2025, a massive IT outage occurred across the entire company. Multiple sources report that ransom notes were printed out via printers. Production came to a complete standstill, and delivery and order processes could no longer be processed. The company ultimately filed for bankruptcy on June 1, 2025.



What Most Likely Happened


Ransomware attacks often follow recurring patterns, even though the specific sequence of events varies from case to case. For the attack on Fasana, neither the malware variant used, concrete Indicators of Compromise (IOCs), the exact attack vector, nor forensic findings on possible data exfiltration have been published. Plausible assumptions can nevertheless be derived from typical attack scenarios, and from these, appropriate protective measures can be identified.

 

Initial access can be gained in various ways: phishing emails, stolen VPN credentials, unpatched publicly reachable systems, or credentials leaked in earlier data breaches. When employees reuse the same password for corporate accounts and for private or external platforms, such leaked credentials become a direct entry point; remote access without multi-factor authentication (MFA) is a recurring finding in this context.


After gaining initial access, attackers typically move laterally within the network, often using legitimate administration tools such as PowerShell, WMI, or the Sysinternals tools, and abusing a compromised Active Directory to obtain further credentials and privileges.


It is only in the final phase that the attack becomes visible to the company: data is encrypted, production-critical systems are disrupted, and core business processes are interrupted – in extreme cases, leading to a complete halt in production.


VPN (Virtual Private Network – secure remote access to the corporate network)


WMI (Windows Management Instrumentation – interface for querying and managing Windows systems)


Sysinternals tools (a collection of administrative diagnostic and management programs from Microsoft that allow for detailed analysis and control of processes, user accounts, network connections, and system configurations)


Lessons CISOs should take away


Such attacks often develop undetected within a network over the course of days or weeks. The situation then escalates within a matter of hours. Effective protection therefore does not come from reacting only in an emergency, but primarily from systematic preparation and a robust security architecture.



Many production environments have evolved over time and are closely integrated with office IT. If attackers manage to gain access through a compromised office account, they can often move unimpeded through such structures all the way into the production environment. An IT incident turns into an operational crisis.


Production and office IT should be consistently operated as separate environments. Ideally, this separation is achieved through clearly defined network segments, internal firewalls, and precisely configured access control lists (ACLs) that strictly control the traffic between them. OT systems should not be joined to the office domain, so that a compromised user account does not gain immediate access to production-related systems.


For particularly critical systems, access via so-called jump hosts is also recommended: specially hardened administration systems on which administrators must first authenticate (ideally with multi-factor authentication) before they can reach production servers. Dedicated administration accounts with their own passwords must be used for this access path, and these accounts should never be used to log on to ordinary office workstations. Only then does a compromised office account not automatically translate into access to production-critical systems.
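The segmentation rules above can be checked mechanically. The following is an added example, not code from the original article or from any firewall vendor: it audits a constructed rule export against the policy that office networks may reach OT only through a jump host on administrative ports, that OT never initiates connections into office IT, and that the rule set ends in a default deny. The subnets, the jump host address, the rule format and the rule names are assumptions.

```python
"""Policy check for office/OT segmentation rules.

Added example, not from the original article or any vendor product. The
subnets, the jump host address and the rule list are constructed to look
like a firewall rule export; the audit logic is the point.
"""
import ipaddress

OFFICE_NET = ipaddress.ip_network("10.10.0.0/16")    # assumed office/client VLANs
OT_NET = ipaddress.ip_network("10.50.0.0/16")        # assumed production/OT VLANs
JUMP_HOSTS = [ipaddress.ip_network("10.20.0.5/32")]  # assumed hardened admin host
ADMIN_PORTS = {22, 3389}                              # what a jump host may use

# Constructed rule export, in evaluation order. "any" stands for all ports.
RULES = [
    {"name": "jump-to-ot-rdp",   "src": "10.20.0.5/32",  "dst": "10.50.0.0/16", "dport": 3389,  "action": "allow"},
    {"name": "office-to-ot-smb", "src": "10.10.0.0/16",  "dst": "10.50.0.0/16", "dport": 445,   "action": "allow"},
    {"name": "ot-to-historian",  "src": "10.50.0.0/16",  "dst": "10.10.3.7/32", "dport": 1433,  "action": "allow"},
    {"name": "print-server-any", "src": "10.10.5.20/32", "dst": "0.0.0.0/0",    "dport": "any", "action": "allow"},
    {"name": "default-deny",     "src": "0.0.0.0/0",     "dst": "0.0.0.0/0",    "dport": "any", "action": "deny"},
]


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def _is_jump_host(src):
    return any(src.subnet_of(jump) for jump in JUMP_HOSTS)


def audit_rules(rules, office=OFFICE_NET, ot=OT_NET):
    """Return (rule name, finding) pairs for every rule that breaks the policy."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src, dst, port = _net(rule["src"]), _net(rule["dst"]), rule["dport"]
        # Office -> OT is only acceptable from a jump host, and only on admin ports.
        if src.overlaps(office) and dst.overlaps(ot) and not _is_jump_host(src):
            findings.append((rule["name"], "office network may reach OT without passing a jump host"))
        elif _is_jump_host(src) and dst.overlaps(ot) and port not in ADMIN_PORTS:
            findings.append((rule["name"], "jump host may reach OT on a non-admin port"))
        # OT devices should never be able to open connections into office IT.
        if src.overlaps(ot) and dst.overlaps(office):
            findings.append((rule["name"], "OT network may initiate connections into office IT"))
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny"
            and _net(last["src"]).prefixlen == 0 and _net(last["dst"]).prefixlen == 0):
        findings.append(("<end of rule set>", "no catch-all default deny"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rules(RULES):
        print(f"{name:20} {finding}")
```

Run against a real export, the check will not understand a vendor's schema without a small adapter, but the three questions it asks (who may cross the boundary, in which direction, and what happens to everything else) are the ones to put to any office/OT firewall.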


ACLs (Access Control Lists – rules that define which users or systems are permitted to access files, folders, or resources)


OT systems (Operational Technology – systems that control industrial processes, such as production machinery or control systems)


Printers are an often underestimated attack surface. Technically they are fully fledged network devices, but in many environments they are not operated with the same security discipline as servers. In practice they are frequently still configured with publicly documented default credentials that attackers can test automatically. A compromised printer can serve as a foothold or as a source of information (stored scan-to-mail or directory-lookup service credentials are a typical find). Many devices also still support outdated protocols such as SMBv1, an obsolete version of the Windows file-sharing protocol whose well-known weaknesses make it easier for attackers to discover, read, and manipulate systems. Missing updates compound the risk: unpatched firmware contains known vulnerabilities that can also be exploited automatically.

 

In many medium-sized companies, legacy systems pose a significant structural problem:


  • Production computers with outdated operating systems
  • Applications that only work with specific, long-discontinued software versions
  • File servers with permission structures that have evolved over time
  • Old databases or in-house software without maintenance

These systems are not “forgotten”; in fact, they are often business-critical. Especially in production environments, they cannot easily be replaced because of how deeply they are integrated into machine controls, ERP processes, or supply chains. It is not uncommon, for example, for old Windows systems to continue functioning as control computers for machines. These systems have often been in an end-of-life state for years and contain known, publicly documented vulnerabilities for which security updates are no longer provided. Migration here represents not only an IT project but also a potential risk to ongoing operations.

 

The general problem: Legacy systems often no longer receive security updates. Modern protection mechanisms such as up-to-date encryption, strong authentication, or EDR integration are often not possible. These systems run with extensive privileges and communicate extensively across the network. Combined with a lack of network segmentation, this creates an ideal propagation scenario for attackers: If such a system is compromised or serves as a bridge between office IT and production, it can act as a distribution point for attacks throughout the entire company.


A structured, continuous vulnerability management process that covers as many systems as possible reduces the attack surface and ensures that vulnerabilities do not remain undetected for long. Print servers and legacy systems should be operated in clearly separated, isolated network segments and be reachable only from authorized systems or by authorized users. Old protocols such as SMBv1 and unnecessary services should be consistently disabled (on Windows, SMBv1 is an optional feature that can be removed entirely) to prevent automated spreading. Firmware updates for printers and available security updates for legacy systems should be scheduled and applied regularly.
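Before SMBv1 can be disabled everywhere, you need to know which printers, legacy hosts and servers still speak it. The following is an added example, not code from the original article or any scanner product, that serves both the printer paragraph above and the recommendation to disable SMBv1: it sends a minimal SMBv1 NEGOTIATE request offering only the dialect "NT LM 0.12" and classifies the reply. A host that answers with an SMB1 header still has SMBv1 enabled; one that answers with an SMB2 header or closes the connection does not. The host names in the inventory are assumed placeholders, and the packet construction and response parsing are written so they can be checked offline.

```python
"""Find devices that still answer SMBv1 negotiation.

Added example, not from the original article. The request is a minimal
SMB_COM_NEGOTIATE that offers only the SMBv1 dialect "NT LM 0.12"; a host
that answers with an SMB1 header still speaks SMBv1. Host names in
INVENTORY are assumed placeholders.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)) -> bytes:
    """NetBIOS session message carrying an SMBv1 NEGOTIATE request."""
    # 32-byte SMB header: magic, command, NT status, flags, flags2, PIDHigh,
    # signature, reserved, TID, PID, UID, MID (all little-endian).
    header = struct.pack("<4sBIBHHQHHHHH", SMB1_MAGIC, SMB_COM_NEGOTIATE,
                         0, 0x18, 0xC853, 0, 0, 0, 0, 0xFEFF, 0, 1)
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # dialect list
    smb = header + struct.pack("<BH", 0, len(body)) + body    # WordCount, ByteCount
    return b"\x00" + len(smb).to_bytes(3, "big") + smb         # NetBIOS session header


def classify_smb_response(data: bytes) -> str:
    """Map the first bytes of the reply to the protocol generation that answered."""
    if len(data) < 8:
        return "no-response"      # connection closed or empty: SMBv1 typically disabled
    magic = data[4:8]             # skip the 4-byte NetBIOS session header
    if magic == SMB1_MAGIC:
        return "smb1"
    if magic == SMB2_MAGIC:
        return "smb2"
    return "unknown"


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the SMBv1-only negotiate, classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            return classify_smb_response(sock.recv(1024))
    except OSError as exc:        # refused, timed out, unreachable
        return f"error: {exc.__class__.__name__}"


def scan(hosts):
    return {host: probe_smb1(host) for host in hosts}


if __name__ == "__main__":
    INVENTORY = ["prn-03.example.internal", "fs-01.example.internal"]  # assumed names
    for host, result in scan(INVENTORY).items():
        print(f"{host:32} {result}")
```

Run it only against your own address ranges, and treat "smb1" results as tickets for the vulnerability management process; a printer that cannot be updated to drop SMBv1 is a candidate for the isolated print segment described above.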


In practice, however, many older devices and systems are already outside the manufacturer’s support and no longer receive security updates. Such systems should therefore be strictly isolated and accessible only via clearly defined access paths. Access can be controlled, for example, via a Privileged Access Management (PAM) system. A PAM system centrally manages privileged access, grants it only for a limited time, and logs all administrative activities. This makes access to particularly critical systems controllable, traceable, and significantly more secure. Enabled audit logging makes unusual commands, administrative activities, or access attempts visible and provides early indications of a compromise.






While many medium-sized companies do have backups, few test them under real-world conditions. In our incident response operations, the same pattern emerges time and again: Backups do exist, but they are located on the same network as the production systems, use the same admin accounts, or have simply never been tested for recoverability. The risk is obvious: In an emergency, the backups are either also encrypted or cannot be restored in time – business operations remain blocked.


Backups should be kept in a form that a compromised domain cannot reach: immutable (write-once) storage or offline copies that are physically disconnected from the network, with several copies on different media and at least one of them off-site. Restores should be tested regularly against the actual recovery time objective and documented, so that recovery works reliably in an emergency and takes no longer than the business can tolerate. Backup credentials must be strictly separated from domain admin accounts, and the backup infrastructure should not be administered through the production Active Directory, so that a compromised admin account does not automatically grant access to the backups.
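A restore test is only meaningful if it is scripted and its result is recorded. The following is an added example, not code from the original article or from any backup product: it takes a hash manifest at backup time, restores the archive into a scratch directory and compares the restored tree against the manifest, reporting missing, unexpected and corrupted files. The directory names and file contents are constructed so the drill runs offline; in real use the manifest is kept on storage separate from the archive.

```python
"""Scripted restore drill: back up a tree, restore it elsewhere, verify it.

Added example, not from the original article or any backup product. It
uses only the standard library and a temporary directory, so it runs
offline; the directory names and file contents are constructed.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tar of `source` and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")   # refuses ../ and absolute paths
        except TypeError:                            # Python without extraction filters
            tar.extractall(target)


def verify_restore(expected: dict, restored_root: Path) -> dict:
    """Compare the restored tree with the backup-time manifest."""
    actual = build_manifest(restored_root)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"ok": not (missing or extra or corrupted), "files_checked": len(expected),
            "missing": missing, "extra": extra, "corrupted": corrupted}


def run_restore_drill(tamper: bool = False) -> dict:
    """End-to-end drill on constructed data; `tamper` simulates a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "erp-data"                        # constructed sample tree
        (source / "orders").mkdir(parents=True)
        (source / "orders" / "2025-05.csv").write_text("id;customer;qty\n1;ACME;500\n")
        (source / "config.ini").write_text("[db]\nhost=erp-db\n")
        archive = tmp / "erp-data.tar.gz"
        manifest = create_backup(source, archive)
        restored = tmp / "restore-test"
        restored.mkdir()
        restore_backup(archive, restored)
        if tamper:
            (restored / "orders" / "2025-05.csv").write_text("id;customer;qty\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(run_restore_drill())
```

The drill checks restorability and integrity, not immutability: whether the archive itself can be deleted by a compromised admin account is a property of the storage it lives on, and has to be verified separately.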


Almost every major ransomware attack shows warning signs beforehand. Typical early indicators include unusual internal connections – automated attempts by a compromised system to reach other computers. In doing so, attackers assess which systems they can take over next, e.g., via RDP (Remote Desktop Protocol) by attempting to log in to remote computers, or via SMB (Server Message Block) by accessing shares, printers, and servers. They search for open systems, test passwords, verify stolen credentials, or take over additional servers. Other notable indicators include unusual login patterns, numerous failed login attempts, unexpected PowerShell or print commands, and sudden mass access to file servers. The problem: The warning signs exist but are not analyzed – the attack is visible but goes unnoticed.
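Two of the indicators named above, a single machine reaching many hosts over SMB and RDP in a short time and repeated failed logons with different accounts, can be expressed as simple rules. The following is an added example, not code from the original article or from any EDR or SIEM product: it runs a sliding window over a constructed export of Windows Security events 4624 (logon) and 4625 (failed logon) and raises an alert when one source fans out to many distinct hosts or fails logons against many distinct host/account pairs. The field names, host names, account names and thresholds are assumptions; the allow-list for known administration sources shows why the jump host from the previous section also matters for detection.

```python
"""Spot fan-out and credential testing in Windows logon telemetry.

Added example, not from the original article or any EDR/SIEM product.
SAMPLE_EVENTS is constructed to resemble a SIEM export of Windows Security
events 4624 (logon) and 4625 (failed logon); field names, host names and
thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: WS-017 touches six hosts over SMB (type 3) and RDP (type 10)
# in under five minutes and fails logons with several accounts on the way;
# WS-042 is an ordinary client; JUMP-01 is the administration jump host.
SAMPLE_EVENTS = """\
{"ts": "2025-05-18T02:01:10", "id": 4624, "src": "WS-017", "dst": "FS-01", "user": "m.mueller", "type": 3}
{"ts": "2025-05-18T02:01:42", "id": 4625, "src": "WS-017", "dst": "ERP-01", "user": "administrator", "type": 3}
{"ts": "2025-05-18T02:01:43", "id": 4625, "src": "WS-017", "dst": "ERP-01", "user": "admin", "type": 3}
{"ts": "2025-05-18T02:01:44", "id": 4625, "src": "WS-017", "dst": "ERP-01", "user": "svc_erp", "type": 3}
{"ts": "2025-05-18T02:02:05", "id": 4624, "src": "WS-017", "dst": "PRN-03", "user": "m.mueller", "type": 3}
{"ts": "2025-05-18T02:03:30", "id": 4625, "src": "WS-017", "dst": "SCADA-HMI-1", "user": "administrator", "type": 10}
{"ts": "2025-05-18T02:03:31", "id": 4624, "src": "WS-017", "dst": "SCADA-HMI-1", "user": "m.mueller", "type": 10}
{"ts": "2025-05-18T02:04:12", "id": 4624, "src": "WS-017", "dst": "DC-01", "user": "m.mueller", "type": 3}
{"ts": "2025-05-18T02:05:50", "id": 4625, "src": "WS-017", "dst": "BACKUP-01", "user": "administrator", "type": 10}
{"ts": "2025-05-18T02:05:55", "id": 4624, "src": "WS-017", "dst": "BACKUP-01", "user": "m.mueller", "type": 10}
{"ts": "2025-05-18T08:15:00", "id": 4624, "src": "WS-042", "dst": "FS-01", "user": "s.schmidt", "type": 3}
{"ts": "2025-05-18T08:15:30", "id": 4624, "src": "WS-042", "dst": "PRN-03", "user": "s.schmidt", "type": 3}
{"ts": "2025-05-18T09:00:00", "id": 4624, "src": "JUMP-01", "dst": "ERP-01", "user": "adm.it", "type": 10}
{"ts": "2025-05-18T09:01:00", "id": 4624, "src": "JUMP-01", "dst": "DC-01", "user": "adm.it", "type": 10}
{"ts": "2025-05-18T09:02:00", "id": 4624, "src": "JUMP-01", "dst": "FS-01", "user": "adm.it", "type": 10}
{"ts": "2025-05-18T09:03:00", "id": 4624, "src": "JUMP-01", "dst": "BACKUP-01", "user": "adm.it", "type": 10}
{"ts": "2025-05-18T09:04:00", "id": 4624, "src": "JUMP-01", "dst": "PRN-03", "user": "adm.it", "type": 10}
"""


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def _peak_distinct(evs, window, key):
    """Most distinct key(e) values inside any span of length `window`;
    returns (count, first_ts, last_ts). evs must be sorted by time."""
    best, start = (0, None, None), 0
    for end, event in enumerate(evs):
        while event["ts"] - evs[start]["ts"] > window:
            start += 1
        distinct = {key(e) for e in evs[start:end + 1]}
        if len(distinct) > best[0]:
            best = (len(distinct), evs[start]["ts"], event["ts"])
    return best


def detect_lateral_movement(events, window=timedelta(minutes=10),
                            fanout_threshold=5, failure_threshold=5,
                            known_admin_sources=frozenset()):
    """Alert when one source reaches many distinct hosts, or fails logons
    against many distinct host/account pairs, within `window`."""
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)
    alerts = []
    for src, evs in by_src.items():
        if src in known_admin_sources:       # jump hosts fan out by design
            continue
        n, first, last = _peak_distinct(evs, window, lambda e: e["dst"])
        if n >= fanout_threshold:
            alerts.append({"rule": "fan_out", "src": src, "count": n,
                           "first": first.isoformat(), "last": last.isoformat()})
        failures = [e for e in evs if e["id"] == 4625]
        n, first, last = _peak_distinct(failures, window, lambda e: (e["dst"], e["user"]))
        if n >= failure_threshold:
            alerts.append({"rule": "failed_logons", "src": src, "count": n,
                           "first": first.isoformat(), "last": last.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(parse_events(SAMPLE_EVENTS),
                                         known_admin_sources={"JUMP-01"}):
        print(alert)
```

Without the allow-list the jump host trips the fan-out rule as well, which is the usual reason such rules get switched off in practice; the fix is to keep the rule and enumerate the few systems that are allowed to behave that way, which in turn only works if administration really does go through them.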


Effective protection can only be achieved through comprehensive telemetry and an integrated detection and response model. Modern EDR (Endpoint Detection & Response) solutions monitor endpoints such as clients and servers in real time, detect suspicious activity directly on the system, and enable both automated and manual countermeasures against attacks before they can spread laterally across the network. EDR thus forms the first line of defense, as endpoints are often the entry point for attackers and early detection here significantly reduces subsequent damage.

 

A SIEM (Security Information and Event Management) system acts as a central hub that collects and correlates security-related data from EDR, vulnerability management, network telemetry, and other sources, enabling structured analysis. This consolidates individual events into a coherent, understandable picture of the situation and makes attacks visible across multiple systems. SIEM is therefore indispensable for evaluating alarming events not in isolation, but within the context of the entire IT operation. Additionally, a SIEM enables long-term analysis of historical activities. In many cases, attackers move very cautiously within the network over an extended period of time (“low and slow”) to avoid detection. Through the long-term storage and evaluation of log data, such activities can be analyzed retrospectively or identified as unusual patterns using modern analytical techniques and machine learning methods. For this reason, we recommend in practice retaining log data for at least one year to ensure that even long-term attack activities can be traced.

 

A Security Operations Center (SOC) ensures that this technology is put to effective use: Specialized analysts interpret the telemetry, recognize patterns, identify anomalies, and initiate escalations or countermeasures. A SOC ensures that alerts do not disappear into the log archive but are evaluated, prioritized, and coordinated. Especially for medium-sized companies, the combination of technology and expert knowledge is crucial, as setting up their own 24/7 monitoring is often not feasible internally.

 






Conclusion: Cyber resilience is a management challenge


The Fasana case clearly demonstrates how quickly a single cyberattack can pose an existential threat to a medium-sized company. The decisive factor was likely not a single vulnerability, but rather a combination of a lack of network segmentation, inadequately secured systems, and insufficient visibility.


The processes described are not conclusively proven for the Fasana case, but represent plausible inferences based on typical attack patterns and our experience from incident response operations. They are intended to help companies derive concrete protective measures from the incident.


The most important takeaway for CISOs: Cyber resilience does not come from individual products, but from the interplay of architecture, processes, and monitoring. Segmented networks limit damage, hardened access points prevent propagation, monitoring detects attacks early, and tested backups ensure the ability to act.


Cybersecurity does not mean preventing every attack, but ensuring that no attack endangers the company’s existence.



WEBINAR

Security Operations Center in medium-sized business

Recommendations and practical guidelines for the right level of security


  April 14, 2026 | 10:00 – 11:00 a.m.

  Microsoft Teams


  Best practice architecture for SMEs

  When platforms such as Microsoft, Elastic & Rapid7 make sense

  What you should look for when choosing a provider





