Recovery after a ransomware attack, a hot topic at the CIO Council National Conference 2023

The 2023 CIO Council National Conference featured Martin Lohnert, managing director of Void SOC Cybersecurity Operations Center of Soitron Group, with a local presence through Datanet Systems, as one of the invited speakers. The VOID Cybersecurity Center of Soitron is distinguished by a high level of technical expertise and the necessary scalability to manage the entire spectrum of cyber threats and attacks. Among VOID SOC Soitron’s clients are organizations worldwide in various sectors, including energy, finance, IT, healthcare, aerospace, local and governmental administration, and others.

Martin Lohnert’s presentation addressed the topic of “Recovery after a ransomware attack,” drawing on the experience gained at VOID Soitron, highlighting the essential measures that need to be taken in the first hours and days following such a ransomware attack.



Ransomware is a significant menace in the digital landscape, being the most widespread and devastating cyberattack. According to the ENISA 2023 Threat Report, plasat de către această agenție pe primul loc în topul amenințărithis agency has ranked ransomware as the top cyber threat. Ransomware attacks have caused damages amounting to $449.1 million in just the first six months of 2023, and major ransomware attacks have been reported throughout the European Union, including Romania.

Soitron’s experience demonstrates that these attacks are becoming increasingly sophisticated, and the target organizations are often caught off guard. These attacks often occur during weekends or in the middle of the night when IT teams are not on duty, particularly during peak periods. Additionally, apart from encrypting operational systems, the attackers also encrypt all forms of backups, and delete or block access to backup copies stored in the cloud. Furthermore, some attackers exfiltrate sensitive data and then blackmail the victims by threatening to sell this data. As a result, companies are often compelled to pay a substantial ransom to retrieve their stolen data.


Post-Ransomware Attack Actions


During his presentation, Martin Lohnert asked a simple question to the audience, composed of a diverse group of CIOs: ‘How do you respond when faced with such an attack?’

The harsh reality is that most organizations lack a proper incident response plan, or if they do have one, it’s often incomplete or ineffective. As a result, victims are left uncertain about the precise steps to take, wasting valuable time that attackers exploit, or, in the worst-case scenario, implementing measures that prove to be ineffective. From Soitron’s perspective, it’s crucial to swiftly adopt firm and appropriate measures in the initial hours following a cyberattack to limit the damage. These measures include:

  • Isolating the Attacked Segment and Halting All Types of Traffic.
  • Immediate Blocking of Cloud Access and Creating Snapshots.
  • Using Only New PCs for Administrative Tasks, Not Existing Equipment.
  • Identifying the Impact and Examining the Situation to Understand the Attack’s Progression.
  • Changing All Passwords, from Common to Privileged, for All Users, as Quickly as Possible.
  • Detecting Any Vulnerabilities and Backdoors and Eliminating Them as Swiftly as Possible (New Accounts, Tasks, Configuration Changes, Processes, Tools, etc.).
  • Collecting and Archiving All Evidence for Subsequent Actions, Including Reporting to Authorities.
  • Transparent and Consistent Communication with Authorities, Employees, and Business Partners.


In the next stage, it is recommended to take the following actions:

  • Implementing Multi-Factor Authentication, if not already in place.
  • Transitioning to a new IT network infrastructure with the reinstallation of all components.
  • Micro-segmenting the network and enforcing strict rules on each segment.
  • Revoking any access privileges.
  • Closely monitoring for any anomalies to identify if attackers are still in the network and can launch a second attack anytime.
  • Initiating backup restoration actions with caution to avoid restoring copies that contain malware.
  • Reinstalling any systems and applications where possible.
  • Applying all necessary patches.
  • Conducting a thorough analysis to precisely understand how the attack occurred and identify the root cause.
  • Documenting the entire incident to learn from the experience and improve the incident response plan.
  • Continuously monitoring and adhering to cybersecurity hygiene practices.
  • Creating an incident response plan and periodically testing it, including through realistic simulations.


Martin Lohnert’s presentation can be watched below.


Cybersecurity Strategy Assessment Services


To help companies better prepare for such incidents, Soitron and Datanet Systems offer cybersecurity strategy assessment services based on a comprehensive analysis. These services, carried out by an experienced team, provide a detailed overview of the organization’s current security status and present a plan of action for improvement. Clients will receive a document containing an executive summary, an assessment of the maturity levels of key security domains, findings concerning identified risks in each area, recommendations for remediation, an implementation strategy, and technical requirements for future acquisitions.

For further information about the services offered by the VOID Cybersecurity Operation Center and cybersecurity strategy assessments, please don’t hesitate to contact us at