What Should You Do When Ransomware Strikes?

Should you negotiate? Should you pay the ransom? These are the pressing questions every organization faces when cybercriminals lock down their data. Once attackers have encrypted your systems, the focus shifts from prevention to response. At that point, how the breach occurred matters less than what decisions you make next.

Ransomware Gangs: Organized and Ruthless

Ransomware gangs are becoming increasingly structured and aggressive, operating much like legitimate businesses—with customer support, payment portals, and even negotiation guides. No organization is immune: hospitals, schools, critical infrastructure, and global corporations are all targets.

According to a report by Zscaler, a $75 million ransom payment to the Dark Angels group may have emboldened other gangs to demand higher sums.

Good News: Resistance Is Growing

According to the latest Chainalysis report, more victims are refusing to pay ransoms. This shift is partly due to recent global law enforcement actions against ransomware gangs, including:

  • Disruption of LockBit infrastructure

  • Indictment of the Phobos ransomware operator

  • Takedown of the Radar/Dispossessor group

  • Removal of ALPHV/BlackCat data leak sites

Still, this remains a constant game of cat and mouse between cybercriminals and law enforcement.

Why Do Some Organizations Pay?

There’s no simple answer. Governments and security agencies typically advise against paying ransoms because:

  • It fuels the cycle of cybercrime

  • It financially supports organized crime

  • It may back state-sponsored cyber operations

However, some believe the top priority is to save the organization and its stakeholders. In the heat of the moment, survival often outweighs ethics.

For many, paying the ransom appears to be the fastest way to restore operations. The longer systems stay offline, the higher the costs. In cases involving hospitals or energy providers, the loss of critical data can endanger lives. But as seen in the Change Healthcare breach, ransom payments don’t guarantee data recovery.

Case in Point: Colonial Pipeline

In May 2021, Colonial Pipeline, a major fuel supplier, was attacked by the DarkSide group. To avoid disruptions in fuel distribution, the company paid a $5 million ransom. The U.S. Department of Justice later recovered $2.3 million of the ransom.

“If the only factors were ethics and legality, the answer would clearly be not to pay. But sometimes, it’s a business decision, not a moral one. Acting ethically can be far more expensive than paying the ransom.”

Tim Morris, Chief Security Advisor at Tanium

Professional Ransom Negotiation

When an organization chooses to negotiate, incident response teams take over—working closely with legal, IT, and communications units to manage the crisis.

Usually, third-party negotiators are engaged. These professionals know how to communicate with attackers without caving too easily. They aim to:

  • Conduct negotiations professionally

  • Lower the ransom demand

  • Avoid further threats

“A professional incident response team can provide expertise that internal security teams may lack.”
Azim Aleem, UK & Northern Europe Managing Director at Sygnia

Tactics Used by Ransomware Operators

  • Start with aggression, later appear "helpful" during negotiations

  • Leverage fear and pressure for quick payouts

  • Use threats: data leaks, increasing ransom, fake deadlines

Counter-Tactics

  • Prolonging negotiations: Time can work in your favor

  • Offering a lower amount: Their initial demand is rarely final

  • Requesting a sample file decryption: Failure weakens their credibility

The Role of Law Enforcement

Involving law enforcement is critical—but timing matters. The earlier the notification, the better the chances of identifying perpetrators and preventing future attacks. Some cyber insurance policies also require prompt reporting to authorities.

Ransomware Response Plan: Be Prepared

1. Predefined Playbook
Organizations should have a clear action plan that addresses:

  • When to negotiate

  • Who makes the final decisions

2. Simulated Exercises (Tabletop Drills)
Running mock scenarios helps:

  • Identify weak points

  • Improve crisis decision-making

“Incident response plans must account for dual-extortion tactics—threats to both encrypt and leak data.”
Tim West, Threat Intelligence Director at WithSecure

What If Negotiations Fail?

  1. Assess the damage: Identify compromised systems; check for backups

  2. Engage experts: Breach analysis and recovery support

  3. Isolate affected systems: Prevent spread

  4. Notify authorities: Inform police and regulators

  5. Communicate transparently: Update stakeholders

  6. Restore data: Use clean, verified backups

  7. Strengthen defenses: Patch vulnerabilities; train staff

  8. Post-incident review: Learn and enhance strategy

There’s No Perfect Solution

There are no rules in these negotiations—because there’s no honor among thieves. Pay the ransom, and you lose money. Don’t pay, and you risk irreparable reputational damage. Either way, the psychological toll on CISOs and organizations is immense.
Source: MedadPress
www.medadpress.ir