Dominic and Asim’s article was published in Fraud Intelligence, 21 May 2025, and can be found here.

Discovering that you have been the victim of a ransomware attack can be reputationally and financially devastating to an organisation. However, when responding to an attack, the first 72-hours are critical. Quick and decisive action can help preserve evidence, while protecting assets and systems.

Cyber attacks vary in their potency and impact. A ransomware attack which locks down a company’s entire IT system is, of course, different from a more limited attack on a single device – an organisation’s response will therefore vary. However, notifying your insurers and the police, getting internal and external IT support on task immediately, while also notifying company staff should all be considered.

Where data is at risk, notifying the Information Commissioner and other regulators within 72 hours – as well as your customers – can also be necessary.

Should you pay the ransom?

Current guidance from the National Crime Agency is that they do not “encourage endorse nor condone the payment of ransom demands”. This is because there is no guarantee that you will get access to your data or computer, your computer may still be infected, you will be paying a criminal group, and you increase the likelihood that you (and others) may be targeted in the future.

However, in many cases, commercial victims of a ransomware attack can find themselves unable to continue their business operations whilst key systems remain compromised. This is the hacker’s leverage, that, there may come a point where continued business losses are unsustainable and paying a ransom to unlock their systems becomes an expense in mitigation.

Such ransom payments are often demanded in cryptocurrency and their payment can be covered by insurance. It is important that businesses check their policies to see whether this forms part of their cover.

How to prepare?

Given the number of moving parts involved in managing the aftermath after a ransomware event, it can quickly become overwhelming, unless robust and specific plans are already in place. Such ‘incident response plans’ should already be agreed and understood by the company’s leadership and those staff who will need to take action. Running simulations of how a business will cope during a ransomware attack is advisable (e.g. turning to paper processes in the short term and ensuring that all know what their roles are during an attack).

Backing up your systems on a regular basis and training staff  to recognise unusual behaviour or unexpected activity on their devices is critical – for example, phishing emails, unprompted windows opening up for split seconds, or excessive system resources being used when your device does not appear to be doing much. This can suggest that scammers have taken remote control of your device under the pretence of assisting you through services, like AnyDesk.

How to react?

While you are reacting to the consequences of the breach, you may simultaneously have to identify and fix the vulnerability, comply with legal and regulatory requirements, notify your insurers and provide comfort to your staff, customers and suppliers that matters are in hand. During this period, chaos can ensue, and mistakes can be made that could severely hamper any subsequent investigation.

Below are some key points to bear in mind during this initial period:

Preserve the evidence

The preservation of evidence is a key initial task, and leadership should strive to work with professionals to ensure that all system logs are retained. It is advisable to hire in digital forensics or organisations that specialise in dealing with cyberattacks –if you have good cyber insurance, this is something your insurer may provide.

Avoid formatting or performing factory resets at this stage. Evidence preservation is vital, particularly as forensic digital examination of your devices could yield critical information, instrumental in tracing and recovering the stolen assets.

If possible, take a full forensic image of the affected devices and work from backups (provided these have not also been compromised by the attack). You may need to buy fresh devices so that those affected can be preserved as evidence.

Your internal communications team may want to take on PR consultants to assist with crisis comms as the news breaks, if it is an attack with significant reputational implications.

Secure Your Communications

It may be wise to set up new, secure email addresses immediately and avoid logging into any accounts you suspect may have been compromised. You should consider how best to continue internal communications with secure channels being set up to action any critical messaging

It may be necessary to notify your bank and or other service providers of any new email address, or communication preferences, to ensure that no instructions are to be taken from the old email addresses.

In attacks where the victims have been socially engineered, one or more company email addresses or social media accounts may have been compromised. You should access the log-in history which details the IP address and location of all log-in attempts.

If there are any suspicious logins, it is likely that email addresses have been compromised, and your communications may be monitored or used by the scammers to gain further access. This could also impact other accounts, bank accounts and social media profiles.

It is vital that passwords are immediately changed and strengthened across the organisation.

Communicating with the Hackers

When the hackers reach out to demand a ransom payment from you ensure that they are unaware of the steps you are taking internally.

Ransom payment negotiators are available to assist with these negotiations to drive the ransom demanded down. This can also buy an organisation time if the hacker is threatening to publish the compromised data on the internet.

Make sure to collate a detailed record of all communications with the hackers, including requests for payments, emails, phone calls, text messages, social media interactions. If the ransom is paid in crypto, take a note of the transaction details, wallet addresses and transaction hashes etc.

If you have been directed to a webpage during your interactions with the hackers, you should ensure to take screenshots of these pages in case they disappear. Any evidence of what jurisdiction they may be in is also vital.

Accurate records are crucial for any subsequent legal action and investigations.

Recovering the ransom payment

If the ransom is paid in crypto, this could give you and your legal team time to investigate and trace the assets, write to any centralised exchanges who may be in receipt of those assets, and put them on notice of the theft and request that they freeze those accounts pending further legal action. It may also allow time for the necessary court orders to freeze assets to be granted and implemented. These steps, if taken quickly, can result in an organisation (or their insurer) recovering the ransom after it has been paid.

Your legal team will quickly be able to identify suitable independent blockchain tracing specialists who will be tasked with conducting an initial tracing report to follow the movement of your crypto assets and their traceable proceeds. You will need to provide proof that you owned the assets, as well as relevant transaction hashes or addresses as these will form the basis of asserting your proprietary claim to those assets, which is essential in recovering them.

Hackers typically seek to convert stolen crypto assets into cash, often using centralised exchanges as their off-ramp. The first step in any successful crypto asset recovery matter is identifying the exchanges used. Exchanges are subject to a degree of regulatory oversight and compliance mechanisms to satisfy the requirements of typically highly regulated banking entities.

Your legal team can place exchanges on notice that they have received the proceeds of crime and request they freeze the relevant accounts while also requesting disclosure of any onward transfers and withdrawals from that account to trace the stolen assets.

Report to Law Enforcement

The attack should be reported to the police and Action Fraud. Make sure you keep a copy of your report, as well as any crime reference numbers provided.

It is important that you engage with your local police force as much as possible and obtain a direct liaison and contact details. Try not to be discouraged or frustrated if the police cannot offer much help.

Police resources, expertise, and capacity to deal with cyber crime can vary considerably, and officers may lack immediate familiarity with the complexities involved.

Even if the police can’t provide much assistance, a formal report is important, as it creates an official record that supports other legal and recovery actions you may take and can also assist law enforcement in identifying patterns in criminal gangs to help others avoid falling victim.

Engage with Experts

Engaging promptly with specialist IT and legal advisors experienced in breach response is crucial to mitigate the fallout from the attack and limit business interruption.

Cyber experts should be able to quickly identify the areas of your system that have been affected, the extent of the breach and the data under threat, as well as devise a plan for bringing your systems back into operation. It may be possible to decrypt some of the compromised data without paying the ransom, or to restore your systems from backups.

Your legal team should work closely with these experts to ensure that your regulators are notified of the attack and kept abreast of developments. Your legal team may also need to review your company’s commercial agreements, to see if any termination or notification events are triggered as well as deal with any claims that might arise from your suppliers or customers as a result of the attack.

Conclusion

Careful advanced planning and swift and methodical action when an attack occurs can reduce stress, while also significantly limiting the damage a ransomware attack can cause to an organisation in the first 72 hours.