How Illuminate Analytics Helped an IaaS Provider Survive a Catastrophic Ransomware Attack

Published: July 2025 | Updated March 2026

In June 2022, a ransomware attack encrypted everything an IaaS provider hosted for its clients — virtual desktops, email, applications, servers. There were no backups and no perimeter firewall logs. What saved the business from prosecution was a single tool deployed one week earlier: Illuminate, Nepean Networks’ Layer 7 DPI analytics platform. This is the case study of how forensic network visibility became the difference between business survival and criminal liability.

Overview

In June 2022, a large IaaS (Infrastructure as a Service) provider—one of Nepean Networks’ resellers—was hit by a devastating ransomware attack that encrypted every piece of data they hosted: client files, workstations and servers.

What followed was a business nightmare… and a critical test of resilience.

The Incident: One Morning Changed Everything

At 4:45 AM, malicious code executed within the provider’s environment and quickly “phoned home” to a command-and-control server hosted in the U.S.

Moments later, ransomware began tearing through the network, encrypting everything it touched. Hours later, it was all over. The damage was done.

The provider—fast asleep—was jolted awake by calls from panicked clients. Virtual desktops were unreachable. Exchange email wasn’t syncing. Applications were failing.

When they logged into their core infrastructure, the horror became clear: the entire VMware environment was gone.

The Gut Punch: No Backups. No Way Out.

As their teams scrambled to lock down systems, find the infection source, and restore services, the realization hit like a truck:

“We never set up offsite backups. Everything—everything—was on the same hypervisor. It’s all encrypted.”

No usable client data. No backups. Years of trust, business, and infrastructure—wiped out in minutes.

The Investigation Begins

Rebuilding from scratch was the only option.

Clients, many of them law firms, demanded answers. A third-party cybersecurity team was brought in to investigate. But they were flying blind:

  • No perimeter firewall
  • No usable logs
  • Only OS-level software firewalls

What they desperately needed:

  • Forensic insight
  • Data flow history
  • Proof of whether customer data had been exfiltrated

The Turning Point: Enter Nepean Networks and Illuminate

Just one week earlier, the provider had deployed Nepean Networks’ Illuminate — a firewall-independent L7 Deep Packet Inspection (DPI) analytics tool.

This changed everything.

With Illuminate’s visibility, the cybersecurity team could:

  • Trace every historical data flow
  • Identify the exact command-and-control server IP and host
  • Monitor all pre- and post-infection traffic
  • Pinpoint where the encryption key was sent (Megashare, New Zealand)
  • Most importantly: confirm no customer data left the premises

That final insight saved the provider from prosecution — and likely the business itself.

Rebuilding: From Chaos to Resilience

Although many clients were lost, enough remained to rebuild.

With Nepean’s help, the company transformed its approach:

  • Security-first architecture
  • Segmented, monitored, and protected ingress/egress points
  • Cloud and on-prem environments protected with vendor-agnostic tools

Key Takeaway: Visibility Saves More Than Logs Ever Will

Many MSPs chase the dream of an all-in-one vendor: one box that handles routing, firewall, and analytics. But when disaster strikes, that’s a single point of failure.

Nepean’s model separates these layers—network, security, and visibility—giving MSPs freedom to choose best-of-breed solutions and retain independent analytics across all vendors.

The result?
An unbiased, always-on, retroactive lens into your network. Illuminate delivers the “extra set of eyes” every MSP needs—before, during, and after an incident.

Request a Live Demo

If you’re an MSP or IT professional looking to protect your clients—and your business—get a firsthand look at what Illuminate can do.

contact@nepeannetworks.com | nepeannetworks.com

Key Takeaways:

  • The ransomware executed at 4:45 AM, phoning home to a US-based command-and-control server before encrypting the entire VMware environment within hours
  • No offsite backups, no perimeter firewall, and no usable logs left the incident response team flying blind — until Illuminate’s historical traffic data was accessed
  • Illuminate traced every historical data flow, identified the command-and-control server IP, and pinpointed the Megashare (New Zealand) destination for the encryption key
  • Most critically: Illuminate confirmed no customer data had left the premises — the forensic evidence that prevented prosecution of the provider by law firm clients
  • Independent network analytics (separate from the firewall layer) provided ground truth that firewall logs — had they existed — could not have matched in completeness
  • Post-incident, the provider rebuilt with segmented, monitored infrastructure using vendor-agnostic security tools — Illuminate remains the persistent visibility layer

Written by

Ronald Bartels

Director: South Africa · Nepean Networks · Johannesburg, South Africa

Ronald has over 30 years of hands-on networking experience spanning financial services, ISPs, and enterprise technology. He led infrastructure at Investec for nearly eight years, managed core IP networks at iBurst, and served as a solutions architect designing data centre migrations for governments and financial institutions. Since joining Nepean Networks in 2019, he has been the driving force behind SD-WAN adoption in South Africa — engineering resilient connectivity solutions purpose-built for the realities of the local market, including load shedding, mixed-quality last mile, and infrastructure variability. Ronald holds a BSc in Computer Science from Stellenbosch University and is a Certified Data Centre Professional (CDCP).
