News + Resources

A client has just been through a ransomware attack. It has been quite a journey these last few weeks. We moved from chaos, irritation, anger, and gloom to the post-breach “never again” moment. We saw the full spectrum of emotions.

It is galling to pay anything to these criminals. Even if you do not need their decryption key, they taunt you with stolen data and the threat of publication. And even if you have insurance, everyone takes a hit.

The three critical workstreams, containment, recovery, and investigation, all run in parallel. They are painstaking, and they never feel fast enough. There are moments of relief, such as discovering that a backup is actually usable. And there are gut punches, like discovering the biggest backup is corrupted beyond repair. The IT team worked 80 hours straight just trying to understand what was happening.

A cyber breach is dreadful, no matter how well prepared you are.

You can have excellent perimeter defences, and still they get in. There is something invasive and abusive about the way attackers operate. Once inside the network, they linger, “living off the land,” sitting quietly at the centre of your business, watching the flow of activity, and searching through your files for anything they think will cause maximum distress to individuals or the organisation. They observe, they wait, and then they strike, encrypting systems, destroying data, and threatening to publish confidential information if their demands are not met.

And once they have inflicted that damage, they present a smug offer to “help”, promising to decrypt your data, to refrain from publishing anything, and even to help prevent a future attack, all for a fee running into hundreds of thousands. They are criminals, nothing more.

The disruption, the lost time, the diversion of management effort, and the sheer emotional weight create a spiral that leadership must be helped out of so they can return to running the business. Then there is the tension between getting operations back online quickly and giving forensics teams enough time to determine what really happened and whether the attackers still have access.

For some IT teams, the arrival of external first responders can feel daunting. But I saw clever, dedicated, expert, and genuinely supportive people who focused on helping our client recover and who worked shoulder-to-shoulder with the internal team. Yes, they hoped to build a continuing relationship, but they were transparent about it, and at that moment the only thing that mattered was stopping the damage.

The costs are enormous, even before you consider whether to pay the criminals. Throughout the ordeal I kept thinking “prevention is cheaper,” but even with decent preparations the client was taken down. A near zero-day exploit here, an exposed credential there, and suddenly everything is compromised. Ransomware is expensive: management time, IT time, overtime, replacement equipment, external specialists, business disruption. And once the attack is over and the final report is written, you cannot simply return to business as usual.

It might be tempting to say “if they got in, the defences were inadequate.” But there is a vast difference between a business doing its best to operate where IT is an enabler, and a criminal gang whose sole purpose is to attack anyone with assets worth stealing. This episode, like so many others, shows we are in a kind of war: one the good guys are struggling to win, partly because too many organisations underestimate the scale of the threat and the constant investment required just to hold the line.

There are many lessons. Some are obvious, some less so. The most important lesson is simple: learn. It can and will happen to you.

In no particular order, the lessons included:

• Reset all passwords
• Manage firewalls and VPNs closely
• Reapply and enforce multi-factor authentication
• Protect the data itself, not just the perimeter
• Keep backups offline and immutable
• Secure cloud usage and patch systems handling sensitive data
• Recognise that tools alone are not enough: expertise matters
• Consider outsourcing some detection and response capabilities

I have long believed that the perimeter alone cannot save you; at best, it slows attackers down. You must protect the data itself. Encryption at rest may be challenging, but zero trust, strong authentication, regular patching, and proper privilege management all help you sleep better at night.

Make yourself a harder target, and the criminals may decide to go elsewhere.