On the Keynote Stage at Infosecurity Europe on 5th June 2025, Dan Saunders, Director of Incident Response in EMEA for Kivu Consulting, part of Quorum Cyber, gave his talk titled Secrets from the Frontline: Navigating Ransomware Extortion. He stressed that identities are now the primary attack vector for cybercriminals. Once threat actors compromise privileged accounts, they can reach and exploit hypervisors and move laterally through the environment, which is relatively easy when an organisation lacks network segmentation.

He revealed how he’s worked on scores of incident response cases, which often begin around 5pm on a Friday “when threat actors come out to play.” It is, of course, the time when IT teams and most other employees are getting ready to head home for the weekend.  

Threat actors do their homework and can spend weeks reconnoitring an organisation’s systems before beginning the process of double extortion. This starts with data exfiltration before an encryption event. Later, the IT team finds the ransom note – often the worst day of their career. This scenario, which has happened at several British retailers over the past few months, keeps Chief Information Security Officers (CISOs) awake at night.

A high-stakes scenario

Dan explained that when businesses find the ransom note, they need to decide whether to keep quiet or engage with the threat actor. “It’s a business decision.” 

Few companies have much experience of dealing with a cyber security breach, which is a high-pressure, high-risk event that needs to be handled professionally. 

Regardless of which policies businesses have in place beforehand, they “get thrown out the window when the scale of the incident comes to light”, said Dan.   

“One common misconception is that engaging with the cybercriminal always leads to a settlement,” Dan said, adding that Bitcoin remains criminals’ preferred method of payment. “However, in the last year only 30% of engagements between the victim organisation and the threat actor result in a pay-out. Engagement has several benefits for the victim, including gaining some level of control over an escalating situation and buying time.”

Whether a ransom is paid depends on a number of criteria: 

  • The perceived value of the data
  • Whether the data has been encrypted
  • Whether the data has been backed up
  • Business interruption costs
  • Legal constraints, in particular sanctions
  • Whether the data has implications for national security
  • The reputation of the threat actor.

Know thy enemy 

In Dan’s experience, once a negotiation is underway, the threat actor often reduces its demands, in some cases in the hope of reaching a faster resolution. In some cases it also checks whether the victim organisation has cyber insurance and, if not, may threaten to publicise the incident to put extra pressure on the organisation to pay up.

He stressed that when navigating a ransomware attack, it’s crucial to understand who the threat actor is, its track record and patterns of behaviour, its tactics, what actions and decisions it’s likely to take, and the likelihood of it leaking data even after it’s been paid a ransom. Even the time that it takes the threat actor to communicate and make decisions is useful information. It’s possible that the negotiating team has encountered the cybercriminals before. Either way, it can use all of this intelligence to achieve a better outcome for the victim organisation.   

Over decades, Kivu, part of Quorum Cyber, has built up a deep understanding of the behavioural patterns and decision timelines of a wide range of adversaries around the globe.   

Dan’s advice for any organisation that finds itself in an unenviable ransom negotiation is to: 

  • Evaluate, justify and record decision making 
  • Obtain actionable intelligence to make informed decisions 
  • Manage expectations internally and externally 
  • Understand your regulatory obligations. 

“Do you really need to reach a financial settlement?” 

However, he emphasised that “ransomware is not going away” and advised that all companies prepare for their worst day by investing in incident response preparedness:

  • Put incident response plans in place 
  • Set up cyber incident playbooks including for ransomware attacks. 

Ensure the board are included in exercises to stress test their critical decision making. Cybercriminals are mostly trying to steal data for financial gain, so “understand your IT environment and know your data!” said Dan. It’s vital to know the impact if data is stolen and published. “Be proactive: prepare and plan for your worst day ever.”
