Secure & Simple — Podcast for Consultants and vCISOs on Cybersecurity Governance and Compliance

Responding to Ransomware Attack [Case Study] | Interview with Yannick Hirt

Feb 24, 2026

Yannick Hirt, founder and CEO of Odysseus and incident-response specialist, recounts a real ransomware attack on an international industrial firm. He describes phishing of a privileged account, standing up a war room, mapping critical apps, and choosing restore-from-verified-cloud-backups. They cover negotiating via intermediaries, recovery timelines, insurer coordination, forensics tradeoffs, and the value of realistic war-room training.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ANECDOTE

Privileged Admin Phishing Led To Overnight Encryption

An IT admin likely opened a phishing attachment and the attacker used that privileged access to move laterally and encrypt servers overnight.
Yannick Hirt described the attack as an overnight encryption discovered the next morning with ransom notes on systems.

ADVICE

Organize Recovery In Parallel Streams

Run the incident response as parallel recovery streams (infrastructure, endpoints, apps, communications, threat intel) to separate responsibilities and accelerate work.
Yannick organized the response as a small program with dedicated stream leads and SLAs.

ADVICE

Test Backups And Restore To A Clean Environment

Validate and test backups frequently so you can restore without paying ransom; Yannick's client restored critical systems from cloud backups two months after migration.
They verified backups during negotiations and rebuilt into a fresh infrastructure.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Dejan Kosutic interviews Yannick Hirt from ODCUS about his experience with a real ransomware attack on an international industrial company. They discuss likely phishing entry via a privileged IT account, overnight encryption, and setting up a war room. The company restored critical systems from verified cloud backups without paying, while briefly negotiating via a Dutch specialist as the attacker threatened data release. Key lessons include tested backups, detection and provider SLAs, privileged access controls, BIA/process mapping, strong documentation and forensics, communications, insurance coordination, and regular training.

Links from the episode:
- Conformio software to streamline and scale ISO 27001 implementation and maintenance for your clients: https://advisera.co/Conformio-software
- White label documentation toolkits for NIS2, DORA, ISO 27001, and other ISO standards to create all the required documents for your clients: https://advisera.co/page-all-toolkits
- Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks to show your expertise to potential clients: https://advisera.co/Consultant-Courses
- Company Training Academy with numerous videos for NIS2, DORA, ISO 27001, and other frameworks to organize training and awareness programs for your client’s workforce: https://advisera.co/page-Company-Training-Account
- Beginner's Course for ISO, Cybersecurity, and AI Consultants: https://www.youtube.com/playlist?list=PLHwD3nQun7caKFq80LxNNYKIabATlyA7t
- How to Grow Your Cybersecurity, ISO, or AI Consultancy: Advanced Course:https://advisera.co/GrowYourConsultancyTraining

(00:00) - Interview with Yannick Hirt
(00:54) - How the Attack Started: Cloud Transformation, Gaps, and a Phishing Entry Point
(04:06) - Day Zero Response: Disconnecting Systems and Standing Up the War Room
(07:54) - Early Critical Decisions: Recovery Streams, Stakeholders, Police & Insurance
(09:08) - Restore vs Rebuild: Mapping Critical Apps and Validating Backups
(11:11) - Talking to the Attackers: “Service Desk” Negotiations and Typical Ransom Size
(14:09) - To Pay or Not to Pay: Strategy, Data-Leak Risk, and Criminal “Reliability”
(16:12) - Recovery Timeline & Aftermath: Dark Web Leak, Employee Calls, and Government Response
(21:20) - Who Decides the Recovery Order? IT + Business Alignment
(23:47) - PR in the War Room: Internal Updates, Guidelines & External Liaison
(25:06) - Senior Management’s Real Job During Recovery
(27:38) - Working With Cyber Insurance: Support Now, Paperwork Later
(30:37) - Forensic Report Deep Dive: Entry Point, Lateral Movement, and Tradeoffs
(32:25) - Consultants in a Ransomware Crisis: Networks, Pragmatism, and Calm
(41:30) - Resources for Consultants and Cybersecurity Professionals