The First 48 Hours Are Crucial – A CISO on the Real Deal
In an interview, a CISO of a German mid-sized company discusses a real ransomware attack and the first 48 hours that followed. His most important takeaway: Technical preparation alone is not enough.
TL;DR
In an interview, a CISO of a German mid-sized company discusses a real ransomware attack and the first 48 hours that followed. His most important takeaway: Technical preparation alone is not enough – communication and decision-making processes must be clear beforehand.
The following account is based on an anonymized interview with a CISO whose company was targeted by a ransomware attack in 2023. The name and industry have been changed at the request of the interviewee.
SecurityToday: How did you notice the attack?
CISO: Monday morning, 6:47 AM. Our monitoring system alerted us to an unusually high number of SMB connections from a single server. When I checked the logs, it was clear: Someone was systematically encrypting our file shares. By 7:15 AM, we had convened the crisis team.
SecurityToday: What was the first measure you took?
CISO: Network segmentation. We immediately isolated the affected VLANs. This stopped the spread – but by then, four file servers and two databases were already affected. Production ran on a separate segment and remained unaffected. That was a mix of luck and good planning.
SecurityToday: How did the communication go?
CISO: That was the most challenging part. The executive board wanted to know immediately if customer data was affected. The legal department asked about reporting obligations. The communications department prepared a press release. And my team needed quiet for the forensic analysis. We had an incident response plan, but reality was more chaotic than any drill.
SecurityToday: Did you pay the ransom?
CISO: No. We had functioning backups – tested, offline, current. The restoration still took five days. But we could prove that no data was exfiltrated, which significantly simplified the regulatory side.
SecurityToday: What would you do differently?
CISO: Three things. First: More tabletop exercises with the executive management, not just with IT. Second: Predefined communication templates for various scenarios. Third: A standing retainer with an external incident response service provider. It took us three hours to find one that was available on short notice.
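The alert that started this incident was a count-based one: an unusually high number of SMB connections from a single server. The following Python script is an added example, not the interviewed company's monitoring code, showing how such a detection works on connection logs. The log format (`ts src dst dport`), the sample traffic, the 60-second window and the thresholds are constructed assumptions; the second condition, requiring the source to touch several destinations, is there to separate encryption fanning out across shares from a legitimate backup job hammering one share.

```python
"""SMB-burst detection over connection logs.

Added example for this article, not the interviewed company's monitoring
code. The log lines, the field layout (ts src dst dport), the window and the
thresholds are all constructed assumptions for illustration.
"""
from collections import defaultdict, deque

SMB_PORT = 445
WINDOW_SECONDS = 60       # assumed sliding window
THRESHOLD = 20            # assumed: SMB connections per source within the window
MIN_DISTINCT_DSTS = 3     # assumed: one host hitting many shares looks like encryption,
                          # one host hitting one share looks like a backup or sync job


def parse_line(line):
    """Parse one 'ts src dst dport' record (constructed format)."""
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)


def detect_smb_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD,
                      min_distinct=MIN_DISTINCT_DSTS):
    """Return one alert per source that opens >= threshold SMB connections
    to >= min_distinct destinations within a sliding window.

    Each alert is (ts, src, count, distinct_dsts). Lines must be in time order.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    alerted = set()               # alert once per source to avoid alert storms
    alerts = []
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        if dport != SMB_PORT:
            continue
        dq = recent[src]
        dq.append((ts, dst))
        while dq and ts - dq[0][0] > window:   # drop events older than the window
            dq.popleft()
        distinct = len({d for _, d in dq})
        if len(dq) >= threshold and distinct >= min_distinct and src not in alerted:
            alerted.add(src)
            alerts.append((ts, src, len(dq), distinct))
    return alerts


def build_sample_log():
    """Constructed traffic: baseline workstation access, a noisy backup job
    against a single share, and one server fanning out across five file servers."""
    t0 = 1700000000.0   # arbitrary epoch base
    lines = []
    for i in range(10):                                  # 10 workstations, 2 connections each
        for k in range(2):
            lines.append(f"{t0 + i * 60 + k * 5} 10.0.1.{10 + i} 10.0.2.10 {SMB_PORT}")
    for k in range(30):                                  # backup host: 30 connections, one target
        lines.append(f"{t0 + 700 + k * 1.5} 10.0.3.5 10.0.2.10 {SMB_PORT}")
    for k in range(25):                                  # suspect: 25 connections, 5 targets, 50 s
        lines.append(f"{t0 + 900 + k * 2} 10.0.4.20 10.0.2.{10 + k % 5} {SMB_PORT}")
    lines.append(f"{t0 + 950} 10.0.4.20 10.0.2.30 443")  # non-SMB traffic, ignored
    lines.sort(key=lambda l: float(l.split()[0]))
    return lines


if __name__ == "__main__":
    for ts, src, count, distinct in detect_smb_bursts(build_sample_log()):
        print(f"ALERT ts={ts:.0f} src={src} smb_conns={count} distinct_dsts={distinct}")
```

Run stand-alone, the script raises exactly one alert, for the host that opened 20 SMB connections to five different file servers inside the window; the backup host with 30 connections to a single share stays silent. In production the thresholds have to be tuned against the real baseline of file-server traffic, and the alert should carry enough context (source host, destination shares, first-seen time) that the on-call engineer can decide on isolation without first digging through raw logs.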
Key Facts
- Ransomware detected within 23 minutes thanks to monitoring
- Network segmentation limited the damage to 4 out of 30 servers
- No ransom paid thanks to functioning offline backups
- Full restoration in 5 days
- Total costs: approx. 280,000 EUR (incident response service provider, downtime, forensic analysis)
Fact: The most common ransomware entry method is compromised remote access (RDP/VPN), according to the Verizon DBIR.
Fact: 77 percent of ransomware victims who paid the ransom were attacked again, according to Cybereason.
Frequently Asked Questions
How do you prepare for the first 48 hours?
With a tested incident response plan that covers not only technical measures but also communication channels, decision-making authority (who may order isolation, shutdown or disclosure), and external contacts (incident response service provider, lawyer, cyber insurer, BSI (Federal Office for Information Security)). The plan should be exercised in tabletop drills that include executive management, not just IT.
Should you pay the ransom?
The BSI and the Federal Criminal Police Office (BKA) strongly advise against it. Payment funds criminal structures, does not guarantee working decryption, and does not prevent a repeat attack (according to Cybereason, 77 percent of payers were attacked again). Instead: file a police report, bring in professional incident response services, and restore from tested offline backups, which remain the most reliable safeguard.
Header Image Source: Pexels / Yan Krukau