At 2:13 am on a Saturday morning, the first alert appears inside a security operations centre. An analyst notices a spike in failed authentication attempts across the corporate network, the sort of anomaly that could easily disappear into the background noise of automated overnight activity.
Neal in the warehouse is doing inventory, and suddenly he can’t access the database. The phones start ringing, and employees begin reporting frozen systems, inaccessible files and entire servers shutting down in sequence. By 3 am, backups are failing, and employees don’t even have a means to escalate, as internal communications are slowing to a crawl.
Somewhere inside the company, an executive is staring at a black screen carrying a ransom demand and a countdown timer.
By dawn, the leadership team has assembled on an emergency call – a virtual war room. They’re joining from spare bedrooms, airport lounges and kitchen tables, while nobody yet knows the extent of the damage, whether sensitive data has been stolen or how long the business can continue operating if critical systems remain offline.
Legal teams are arguing over regulatory obligations, comms advisers are drafting statements in anticipation of the breach going public, and the CFO is already trying to calculate the financial losses of every passing hour.
Meanwhile, someone calling themselves Viktor informs the overnight crew that they have 24 hours to respond to “the note” or all of them will lose the ability to decrypt their systems. They add that the company’s sensitive data will be made public.
The attackers keep sending messages, escalating pressure. They email senior executives and the board. They email the company’s largest customer, and the potential customer that sales have been courting for over a year. They threaten to email local media and regulators, using increasingly sophisticated attempts to create panic before the organisation has had time to assess the damage.
At the centre of it all sits the CISO, attempting to manage two crises simultaneously: the technical reality of containing the attack while also guiding an exhausted leadership team through decisions carrying enormous financial, legal and reputational consequences. In the space of a few hours, they move from coordinating forensic investigations and assessing whether backups remain viable to briefing the board.
The scenario is intensified by the knowledge that every decision made in those first hours could later be scrutinised.
This is the moment ransomware stops being a technical problem and becomes a psychological one. Modern ransomware groups understand that urgency is one of their most effective weapons, which is why the first few hours of an attack are designed to collapse decision-making inside the victim organisation. Exhausted executives feel pressure from every direction and discussions quickly spiral towards the most emotionally charged question in any ransomware incident: do we pay?
Inside firms like ours, cyber-extortion experts, aka “negotiators”, are often brought in, not to strike a deal with criminals, but to slow the situation down long enough for decision-makers to understand what’s at risk and for cooler heads to prevail and rational decision-making to return. They help remind teams that attackers themselves are usually also operating under pressure.
They are financially motivated, and the longer an incident drags on, the greater the operational cost to the criminal group. And once stolen data is leaked publicly, they often lose much of their leverage altogether. Experienced responders use that to their advantage.
By slowing the pace of events, a space is created to understand the situation, assess the risks, and make informed decisions. The companies capable of accessing behavioural intelligence can help maintain a level of control while everything around them feels as though it is accelerating out of reach.
Five decisions to avoid catastrophe
There are five decisions organisations make that will determine whether a ransomware attack becomes a catastrophe
1. Resist the instinct to act before understanding the breach
The first hours after a ransomware attack are usually defined by incomplete information and extreme pressure from both attackers and internal stakeholders, which is precisely why rushed decisions become so dangerous.
Organisations that immediately jump towards payment discussions, public statements or aggressive recovery efforts before understanding what systems have been affected often make the crisis worse. The priority should be stabilisation: isolate impacted systems, preserve forensic evidence and establish the true scale of the compromise before committing to irreversible decisions.
2. Create a tightly controlled leadership structure immediately
One of the fastest ways for a ransomware incident to spiral is when legal teams, IT, communications advisers, insurers and executives begin making parallel decisions without coordination. Successful organisations establish a small crisis leadership group with clear authority and disciplined communication channels from the outset, ensuring information is verified before being shared and preventing panic from spreading internally.
3. Manage psychology as carefully as technology
Attackers rely heavily on emotional pressure because panic creates mistakes. Countdown timers, repeated threats, aggressive messaging and direct contact with executives are all designed to collapse decision-making under stress.
Experienced negotiators maintain a calm, controlled tone, deliberately slowing the pace of communication and avoiding unnecessary disclosures about operational impact, backups or internal discussions. In ransomware incidents, revealing desperation can dramatically increase both financial and reputational damage
4. Understand that paying rarely ends the crisis cleanly
For organisations facing mounting downtime, lost revenue and the threat of leaked data, payment can appear to be the quickest route back to normality. In reality, there are no guarantees. While many threat actors rely on their reputation within the cyber-criminal ecosystem and therefore have a vested interest in honouring agreements, outcomes can vary significantly.
Experienced negotiators can provide valuable insight into the reputation, behaviours and historical patterns of specific threat groups, helping organisations better understand the risks and uncertainties associated with any potential agreement. Some groups provide functioning decryptors and suppress stolen data, while others fail to honour agreements.
Threat actors may promise they’ve deleted data, but there is no way to know if it’s been copied, backed up, sold, or otherwise shared. This creates potential for a second extortion. The decision must account for regulatory exposure, operational continuity, reputational fallout, and the possibility that the organisation may still face public disclosure even after paying.
5. Focus on keeping the business operational
Business continuity plans and backups only address part of the problem. Many ransomware groups now steal data before encrypting systems, creating a second layer of risk that cannot be restored from backup.
Even if systems are recovered quickly, organisations may still face regulatory obligations, reputational damage, legal exposure, and the threat of sensitive information being published or sold. As a result, incident response teams must manage both operational recovery and the potential consequences of data exposure at the same time.
The companies that emerge strongest from ransomware attacks are often those able to continue functioning while recovery takes place. That means having tested backups, rehearsed continuity plans and manual workarounds for critical operations long before an attack occurs.
In the middle of a live incident, the objective is both to remove attackers from the network as quickly as possible and ensure the organisation itself remains stable enough to survive the disruption without descending into operational paralysis.
Federico Charosky is the Founder of Quorum Cyber, a proactive, threat-led cyber-security company helping organisations defend against an increasingly hostile digital landscape
Main image courtesy of iStockPhoto.com and busracavus
