A Brief Guide To Navigating Ransomware Extortion
In the current cybersecurity landscape, identities have become the primary target for cybercriminals. Once a threat actor gains control of privileged accounts, they can spread through an IT network and move laterally to compromise critical assets, especially in organizations that don’t practice network segmentation or lack sufficient detection and monitoring controls.
In my experience from handling hundreds of incident response cases for scores of organizations across multiple sectors, attacks often commence around 5 p.m. on a Friday when IT teams and other staff are winding down for the weekend.
Threat actors are strategic and do their research thoroughly, often spending weeks gathering intelligence on a company’s systems before launching a double-extortion campaign. This kind of cyber-attack typically begins with data exfiltration, followed by an encryption event, leading to the unfortunate discovery of a ransom note by the IT team – often the worst and most stressful day of their careers. This scenario, which has affected far too many businesses already this year, is a major concern for Chief Information Security Officers (CISOs) and security teams.
Upon discovering a ransom note, businesses face the critical decision of whether to remain silent or engage with the threat actors. This decision is inherently a business one. Most companies lack experience in handling cybersecurity breaches, which are high-stakes, high-pressure situations requiring professional management.
Pre-existing policies, however firm, often get dropped once the full scope of the incident is revealed.
One common misconception, in a climate where the media publishes stories of so many cyber-attacks, is that engaging with cybercriminals always leads to a settlement, with Bitcoin as their preferred currency of payment. From our frontline exposure, however, only 30% of such engagements over the past year have resulted in a payout.
Engaging with the threat actors can offer several benefits, such as gaining some control over the situation and buying time.
The decision to pay a ransom depends on several factors:
- The perceived value of the data.
- Whether the data has been encrypted.
- Availability of data backups.
- Business interruption costs.
- Legal implications, including sanctions.
- National security concerns.
- The reputation of the threat actor.
Threat actors often reduce their demands during negotiations, sometimes hoping for a quicker resolution. They might also check if the victim organization has cyber insurance. And they might threaten to publicize the incident to increase the pressure to pay the ransom.
This is why understanding the threat actor’s identity, history, tactics, and behavior patterns is crucial when dealing with a ransomware attack.
This includes their likelihood of leaking data post-payment and their communication and decision-making speed. If the negotiating team has previously encountered these cybercriminals, this knowledge can be leveraged to benefit the victim organization.
My advice to organizations facing ransom negotiations is to:
- Evaluate, justify, and document decision-making processes.
- Gather actionable intelligence for informed decisions.
- Manage both internal and external expectations.
- Understand regulatory obligations.
And always ask the question, “Is a financial settlement necessary?”
Ransomware is here to stay, so it’s vital for companies to prepare by developing robust incident response plans and playbooks, including for ransomware scenarios. Conduct exercises with the board to test critical decision-making. As cybercriminals primarily seek financial gain from stealing data, understand your IT environment and know your data: where it resides and who has access to it. Knowing the impact of data theft and its potential publication is critical. It will pay to be proactive: prepare and plan for the worst-case scenario.
However, if the worst does happen, try to remain calm and avoid the internal blame game. Take a deep breath and contact your cyber security partner.
While this ransom attack is likely to be the first for your organization, a qualified and experienced cyber security team will have the specialist skills and extensive experience to pull you back to business as normal as safely and as quickly as possible.
Dan Saunders is the Director of Incident Response, EMEA for Kivu Consulting, part of Quorum Cyber