SC190-WS: Ransomware Attack – What to Do When Everything Comes to a Standstill? Emergency Operations and Recovery from Real-World Practice

Agenda:

• When everything comes to a standstill: What happens in the first 24 hours?
  • Typical course of a ransomware attack – technical, organizational, and communication impacts
    
    
• Decisions under pressure
  • Pay the ransom or not? Communication with attackers, authorities, customers, and insurers
    
    
• Setting up emergency operations: Business continuity in practice
  • Prioritizing critical processes, manual workarounds, organizing the crisis team
    
    
• Managing recovery in a structured way
  • Forensics, restoring from backups, clean rebuild vs. partial recovery
    
    
• Lessons learned & prevention
  • Which measures truly make organizations stronger after an incident
    
    
• Q & A – Ask your questions
  • Space for specific practical questions from your day-to-day business context

Objectives:

• Clear decision-making foundations for an incident
  • Who makes which decision in the first hours?
  • What information must be available before deciding on ransom payment or shutdown?
  • Which external bodies (BSI™, LKA, insurance provider, forensic service provider) should be involved early?
• A pragmatic emergency playbook (immediately actionable)
  • Best practices from real incidents:
    • Establish a crisis team with clearly defined roles (IT, executive management, legal, communications)
    • Offline-accessible emergency contacts and runbooks (not only within the compromised network)
    • Prioritize business-critical processes over technology
    • Clear communications strategy – internal, external, and customer-facing
• Concrete recovery recommendations from practice
  • Regularly test backups for restorability, not just for existence
  • Prepare “golden images” for rapid rebuilds
  • Review network segmentation
  • After the incident: conduct a thorough root-cause analysis instead of rushing to quick fixes
• Economic perspective
  • Realistic assessment of downtime costs per day
  • Importance of cyber insurance – and its prerequisites
  • Why preparedness is cheaper than any ransom payment

• How to act in a structured way in an incident instead of reacting in panic
• Which three to five measures deliver the greatest protection and resilience effect
• How to plan emergency operations and recovery systematically
• Which organizational weaknesses are typically underestimated

Target audience:

• Managing directors and owners (SMEs)
• IT managers and system administrator
• ISMS, BCM, and compliance officers
• CFOs and commercial managers
• HR and communications managers

Prerequisites:

• Basic knowledge of typical IT/security environments
• Understanding of the key interested parties and their expectations of the organization
• Understanding of critical protection objectives and the potential impacts of their violation
• Overview of available resources for handling security incidents and limiting damage

Description: