Never waste a good crisis: How to handle a ransomware attack

At VNOG, we provide essential fire-fighting services and assistance in the event of accidents, disasters and crises to the 870,000 citizens of North and East Gelderland in the Netherlands. In this blog post, I’ll tell the story of my most memorable day as VNOG’s Chief Information Security Officer (CISO).

Introduction: The life of a CISO

My journey to the CISO’s office wasn’t a straight line. I started out as an electrical engineer when I responded to a newspaper ad. I ended up entering the world of IT around the turn of the millennium, where I eventually specialized in networking infrastructure. Soon, I found myself fascinated by the cat and mouse game going on between hackers and cybersecurity specialists. Attacks — I learned — are inevitable, which means cyber resilience is crucial. I decided to take on the challenge of becoming a CISO, which means responsibility for information security for the entire VNOG organization comes down to me.

The ransomware attack: Never waste a good crisis

My most memorable day at VNOG started peacefully. It was a Saturday in September 2020, and I was on a fishing trip with my son. The tranquility was shattered by the buzzing of my phone — the call every CISO dreads. An employee suspected a security breach. I asked if he could reach our backups. When he answered “yes,” I instructed him to disconnect the backup environment immediately. That decision would turn out to be pivotal.

Shortly after, we received the ransomware demand; our security had definitely been breached. To contain the attack, we literally pulled the plugs on network connectivity for the organization. Control room processes stayed up and running, but they were isolated from the compromised part of our IT environment.

My motto is: “never waste a good crisis.” If there’s any organization that’s used to keeping a cool head in an emergency, it’s VNOG. We initiated a two-pronged response: recover from the crisis situation to normal operation and kick off a forensic analysis of the attack.

Fortunately, we could restore using our backup infrastructure, which had been insulated from the attackers when we made the preemptive decision to disconnect it. Unluckily, it was an old, slow server that wasn’t designed for restore jobs. I decided to look for support from data protection experts.

At 11:15 p.m. that night, I found the Veeam Benelux contact using a search engine and gave him a call. To my surprise, he picked up! He explained that Veeam partner it2grow would be best placed to help us. Before I could phone them, they called me, and a great relationship was born.

Since our email systems were still down, I ended up purchasing Veeam using my personal email address, which raised a few eyebrows. It took us a few weeks to recover fully from the attack, but it could have been so much worse.

We also took the opportunity to redesign our cyber-security policy and the underlying toolset, with help from Veeam technology and it2grow expertise. Today, the 3-2-1-1-0 Rule is in force at VNOG, so we retain at least three copies of data, two of which are stored on different media, and one immutable copy in a remote location. We can also restore with zero faults. If the worst should happen (again!), we know we’re in a much stronger position to emerge unscathed thanks to Veeam.

Conclusion: Overreact and ask for help!

I learned a few lessons the day my fishing trip was interrupted. Always trust your instincts. It’s better to overreact than underreact. And the ability to restore data is just as important as the ability to back it up. Most importantly: never be afraid to ask for help — even if you’re not a Veeam customer quite yet!

For more advice on how your company can recover fast after a ransomware attack, read Veeam’s dedicated whitepaper: 6 Capabilities You Need for Rapid Recovery.

 
