Logs in Ransomware Attacks: Why Server Failure Costs Millions

The €400,000 Question: Where Are Your Logs During a Ransomware Attack?
It's one of those stories you never forget. A mid-sized company CEO tells me about his ransomware incident over coffee. Months have passed, but the wound runs deep. Not because of the attack itself, but because of a fatal mistake that cost him €400,000.
The mistake? A simple question that nobody had asked: Where are our logs when everything fails?
The Moment Everything Collapsed
After the ransomware attack, everything initially went according to protocol. The IT department had responded, systems were isolated, the insurance company was notified. The company even had a cyber insurance policy, specifically for such cases.
The insurance asked the usual questions:
- When was the attack first detected?
- Which systems were specifically affected?
- Who made which decisions and when?
- What measures were taken and in what order?
All legitimate questions. Questions that should be documented. Questions whose answers are found in the system logs.
The CEO was absolutely certain: "We documented everything." His IT department had assured him that all activities were being logged. Logging was implemented, compliance requirements were met.
Then came the call that changed everything.
The Fatal Flaw in Log Architecture
The IT department had to admit: The logs were stored on the same server that had been encrypted by the ransomware. All evidence, all timestamps, all decision paths, everything was gone. Encrypted. Inaccessible.
In that moment, a manageable IT security incident became an existential crisis.
The Consequences Were Devastating
The insurance company drastically reduced coverage. Without reliable documentation of the incident and response measures, the company couldn't prove it had exercised due diligence. The insurance argued that insufficient precautions had made the damage worse than necessary.
The supervisory board asked uncomfortable questions. How could this happen? Why weren't basic security measures implemented? Who bears responsibility?
The IT department became the scapegoat. Although they had acted within their capabilities, they were blamed for the oversight. Yet it wasn't solely their fault.
The Real Problem: Nobody Asked the Right Question
The tragic element of this story: It wasn't a technical failure. The IT department had implemented logging. They had established processes. They weren't incompetent.
The problem was a strategic oversight at the leadership level. Nobody had ever asked:
"Where are our logs when the systems we're monitoring are compromised?"
One question. Five seconds to ask. Would have saved €400,000.
Best Practices for Secure Log Management
This case yields clear action recommendations that every mid-sized company should implement:
1. Centralized, External Log Storage
Logs must be stored physically and logically separated from the monitored systems. This means:
- SIEM systems (Security Information and Event Management) on separate infrastructure
- Cloud-based log management solutions as an additional security layer
- Geographically distributed backup locations for critical log data
2. Immutable Log Storage
Modern attackers try to cover their tracks by manipulating or deleting logs. Immutable log storage prevents this through:
- Write-Once-Read-Many (WORM) technology
- Blockchain-based log integrity verification
- Automatic digital signatures for log entries
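As an added illustration of the integrity half of this point (not code from the original article), the following hash-chains log entries and tags each one with an HMAC whose key is held only on the separate log server; the verifier catches edited, deleted and reordered entries, and an off-site "anchor" (the last hash recorded elsewhere) catches silent truncation, which an internally consistent chain alone cannot reveal. The key, the event strings and the function names are constructed for the demo; a real deployment would use a proper signature or WORM backend.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key lives on the separate
# log server, never on the monitored host, so a host compromise cannot re-sign
# or rewrite history.
MAC_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64


def _entry_hash(seq, prev, event):
    body = json.dumps({"seq": seq, "prev": prev, "event": event}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def append_entry(chain, event, key=MAC_KEY):
    """Append an event, binding it to the previous entry's hash and tagging it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    h = _entry_hash(len(chain), prev, event)
    tag = hmac.new(key, h.encode(), hashlib.sha256).hexdigest()
    chain.append({"seq": len(chain), "prev": prev, "event": event, "hash": h, "mac": tag})
    return chain[-1]


def verify_chain(chain, key=MAC_KEY, anchor=None):
    """Return (ok, reason). `anchor` is the last hash as recorded off-site;
    it is what catches silent truncation of an otherwise consistent chain."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev"] != prev:
            return False, f"chain break at entry {i}"
        if _entry_hash(i, prev, e["event"]) != e["hash"]:
            return False, f"content modified at entry {i}"
        expected = hmac.new(key, e["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["mac"]):
            return False, f"bad tag at entry {i}"
        prev = e["hash"]
    if anchor is not None and prev != anchor:
        return False, "tail does not match off-site anchor (truncated or replaced)"
    return True, "ok"


if __name__ == "__main__":
    log = []
    for ev in ["alert: ransom note on fileserver-01", "isolated fileserver-01", "notified insurer"]:
        append_entry(log, ev)
    print(verify_chain(log, anchor=log[-1]["hash"]))
```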
3. Regular Testing of Log Availability
Implementing a system isn't enough. You must regularly test:
- Are the logs actually available in an emergency?
- Does access work even when primary systems fail?
- Can authorized personnel retrieve logs under stress conditions?
4. Clear Retention Policies
Define which logs must be retained and for how long:
- Legal requirements (e.g., GDPR, industry-specific regulations)
- Insurance requirements from your cyber insurance policy
- Business requirements for forensics and incident response
5. Automated Alerting Mechanisms
Implement warning mechanisms that immediately alert when:
- Log data streams are interrupted
- Unusual access patterns to log systems are detected
- Storage capacities reach critical thresholds
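Points 3 and 5 both come down to one check: does every host that should be shipping logs still appear in the central collector? The following is an added example (not from the article) of that check over a constructed batch of syslog-style lines; the host names, the inventory of expected sources and the three-minute threshold are assumptions for the demo. A host that has just been encrypted or isolated goes quiet, so the absence of events must itself raise an alert.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of lines a central collector has received, syslog-style:
# "<ISO-8601 UTC timestamp> <source host> <message>". Not real log data.
SAMPLE_LINES = """\
2024-03-10T08:00:05Z fileserver-01 sshd[812]: Accepted publickey for backup from 10.0.4.7
2024-03-10T08:00:09Z dc-01 Security: 4624 logon from 10.0.4.7
2024-03-10T08:01:30Z fileserver-01 kernel: audit: session opened
2024-03-10T08:02:00Z dc-01 Security: 4672 special privileges assigned
2024-03-10T08:05:10Z dc-01 Security: 4624 logon from 10.0.4.9
"""

# Assumed inventory of hosts that must always be shipping logs (hypothetical names).
EXPECTED_SOURCES = {"fileserver-01", "dc-01", "fw-edge"}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen(lines):
    """Map each source host to the timestamp of its most recent line."""
    seen = {}
    for line in lines.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # skip blank or malformed lines rather than crash the monitor
        ts, host = parse_ts(parts[0]), parts[1]
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_sources(lines, now_iso, expected=EXPECTED_SOURCES, max_gap_min=3):
    """Return {host: reason} for every expected source whose stream looks
    interrupted at time `now_iso`: either it has never reported at all or its
    last line is older than the allowed gap."""
    now, seen, alerts = parse_ts(now_iso), last_seen(lines), {}
    for host in sorted(expected):
        if host not in seen:
            alerts[host] = "never reported"
        elif now - seen[host] > timedelta(minutes=max_gap_min):
            minutes = int((now - seen[host]).total_seconds() // 60)
            alerts[host] = f"silent for {minutes} min"
    return alerts


if __name__ == "__main__":
    for host, why in silent_sources(SAMPLE_LINES, "2024-03-10T08:06:00Z").items():
        print(f"ALERT {host}: {why}")
```

Run as a scheduled job against the collector's recent intake, this is the minimal form of the "log stream interrupted" alarm; the same function, pointed at a restored or secondary log store during a drill, answers whether the logs are actually reachable when the primary systems are down.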
The Role of Executive Leadership
This case clearly demonstrates: IT security is a C-level responsibility. Executive leadership must ask the right questions, even without understanding technical details in depth.
Questions every CEO should ask their IT leader:
- Where are our security logs stored?
- Will these logs still be available during a ransomware attack?
- How quickly can we access historical log data in an emergency?
- Does our log strategy meet our cyber insurance requirements?
- When did we last test the availability of our logs in a crisis scenario?
Insurance and Legal Perspective
Many companies underestimate how critical comprehensive documentation is for insurance claims. Cyber insurance policies often contain clauses requiring the policyholder to show that:
- Appropriate security measures were implemented
- The incident was detected and documented promptly
- Response measures are traceable through logs
Without reliable logs, insurers can:
- Reduce or deny coverage
- Claim gross negligence
- Drastically increase future premiums
Compliance and Legal Requirements
Beyond insurance aspects, there are also regulatory requirements:
- GDPR Article 33: Notification obligation within 72 hours, requires detailed incident documentation
- ISO 27001: Requires logging and monitoring of security events
- NIS2 Directive: Stricter incident reporting requirements for certain sectors
Missing or inaccessible logs can also lead to fines and legal consequences.
The Cost of Inadequate Log Management
Let's break down what inadequate log management actually costs:
Direct Financial Losses:
- Reduced or denied insurance payouts (€400,000 in this case)
- Regulatory fines for non-compliance
- Extended downtime, because forensic analysis is slow or impossible without logs
- Higher future insurance premiums
Indirect Costs:
- Reputation damage from inadequate incident handling
- Loss of customer trust
- Competitive disadvantage
- Employee morale and retention issues
Opportunity Costs:
- Management time spent on crisis management
- Resources diverted from business growth
- Delayed digital transformation initiatives
Implementation Roadmap: From Vulnerable to Resilient
If you've identified gaps in your log management strategy, here's a practical roadmap:
Phase 1: Assessment (Week 1-2)
- Inventory all systems currently generating logs
- Document current log storage locations and retention periods
- Review cyber insurance requirements
- Identify regulatory compliance requirements
Phase 2: Planning (Week 3-4)
- Design centralized log architecture
- Select appropriate SIEM or log management solution
- Define retention policies and access controls
- Calculate budget and resource requirements
Phase 3: Implementation (Month 2-3)
- Deploy centralized log collection infrastructure
- Migrate critical logs to separated storage
- Implement immutable storage solutions
- Configure automated alerting
Phase 4: Testing and Validation (Month 4)
- Conduct disaster recovery drills
- Test log accessibility during simulated outages
- Validate compliance with insurance requirements
- Train staff on emergency log access procedures
Phase 5: Continuous Improvement (Ongoing)
- Regular testing and validation
- Quarterly review of log retention policies
- Annual audit of log management effectiveness
- Continuous monitoring of emerging threats
Real-World Solutions and Tools
Here are practical solutions suitable for mid-sized companies:
Cloud-Based SIEM Solutions:
- Microsoft Sentinel
- Splunk Cloud
- LogRhythm
- Rapid7 InsightIDR
Immutable Storage Options:
- AWS S3 with Object Lock
- Azure Immutable Blob Storage
- Dedicated WORM appliances
Open Source Alternatives:
- ELK Stack (Elasticsearch, Logstash, Kibana) with proper architecture
- Graylog with external storage
- Wazuh for security monitoring
The Human Factor: Creating a Security-Aware Culture
Technology alone isn't the answer. The real lesson from this €400,000 mistake is about organizational culture:
- Encourage questions from all levels, especially non-technical leadership
- Bridge the communication gap between IT and business stakeholders
- Hold regular executive briefings on security posture in plain language
- Run tabletop exercises involving both technical and business teams
Conclusion: The Question You Should Ask Today
This CEO's story isn't an exception. It happens daily in mid-sized companies. The difference between a manageable incident and an existential crisis often lies in seemingly trivial details.
The €400,000 question is: Where are your logs when everything fails?
If you can't answer this question immediately and with certainty, you have work to do. The good news: It's never too late to ask the right questions and take necessary action.
Your Next Step
Schedule a meeting with your IT team this week and go through this checklist:
- [ ] Where are our security logs stored?
- [ ] Are they physically and logically separated from monitored systems?
- [ ] Have we tested log availability in emergency scenarios?
- [ ] Do we meet our cyber insurance documentation requirements?
- [ ] Is there a documented process for log access during crises?
Five minutes of investment. Potentially hundreds of thousands saved.
Do you know where your logs are when everything fails?
