High-Stakes Ransomware Response: Know What Cards You Hold

Published: 23/11/2024   Category: security




When ransomware strikes, how much should you gamble on your resources and your opponent's intentions? Here's how to deal yourself a rational, informed way to weigh your options after an attack.



When it comes to the ransomware game, it's worth comparing it to another high-stakes activity: poker. It's important for organizations to understand what they're gambling with when they decide whether or not to negotiate with terrorists.
There's still a certain secrecy, or even shame, attached when an organization decides to pay the ransom to unlock systems and files, which can cost anywhere from thousands to millions of dollars. However, there shouldn't be, according to Brandon Clark, CEO and founder of cybersecurity consulting firm Triton Tech Consulting.
He should know: his security strategy and compliance practice, with expertise in business continuity and disaster recovery, often deals with clients who have to clean up the mess that ransomware attacks leave behind.
"Let's say you have a hardware failure and a vendor comes in and says, 'We can get you back up and running for a grand total of a million dollars,'" he says, referring to ransomware negotiation services. "It would be unfortunate, and that would be bad press and nobody wants to see that, but there would also be a fair amount of, 'Yeah, that happens.'"
Ransomware also happens, to organizations both large and small. They're then faced with a complex dilemma encompassing not only practical, logistical, and business consequences, but also emotional ones, especially if reputations (or even lives, in healthcare settings) are at stake when systems go down.
When deciding whether or not to pay a ransom, an organization should take a similar approach to a poker player sitting at a table, Clark says. That is, it should have an idea of whom it is playing against, along with a knowledge of the typical aspects of the game, such as how much money is at stake.
"When you're at a poker table, the cards are important, but the person sitting across from you is even more important," he says. "We need to be making an informed decision about who we are playing against."
Thus, threat intelligence is a key aspect of this, he says, because you need to know if your opponent could be bluffing. For instance, if the ransomware attacker involved has a reputation for claiming to have exfiltrated data when it hasn't, or if it is known for not unlocking files even after a ransom is paid, those are things to take into consideration.
"[Companies ask], 'If we pay the ransom, how do I know if they're going to lock us out again?'" Clark notes. "The answer is: You don't. That's when the threat intelligence piece is super important."
Organizations also need to know what's at stake, "such as knowing what your system resiliencies are, what it's going to cost if something is not available," as well as what resources they have available to recover systems on their own, such as good backups and segmentation tools, he says. "All of that goes in together to help you make an informed business decision."
For example, if a ransomware attacker is asking for $5 million but it's going to cost a company $70 million or $100 million to recover its data on its own, the question becomes, "Why aren't we paying that?" Clark says. "On the flip side, if it's only going to cost us $5,000, why would we pay that $5 million?"
Ultimately, it's up to the organization involved to decide, based on multiple factors, which route to take to recover from a ransomware attack, just as a poker player can go in several directions once a hand is dealt, Clark says.
"You can say, 'Do I raise?' That is, are we going to go this alone? And that's what a lot of companies do," he says. A company can also do the poker equivalent of folding: deciding that the data kept in some lost systems is not worth the cost to recover, and rebuilding those systems from scratch, Clark says.
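The cost comparison above, written out as a small expected-cost model. This is an added worked example, not code or a method from the article, from Clark, or from Triton Tech Consulting. The dollar figures are the article's own ($5 million demand against a $70 million self-recovery bill); the probabilities are constructed and stand in for the threat-intelligence judgments the text describes (does this actor deliver a working key, does it come back for a second payment). The model assumes, for simplicity, that a repeat demand costs the same as the first payment. The three routes are the ones the article discusses: pay, recover alone, or rebuild from scratch.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Scenario:
    """Inputs to the decision. Amounts are in dollars; probabilities are the
    responder's threat-intelligence estimates about this specific actor."""
    ransom: float                         # payment demanded
    recovery_cost: float                  # cost to restore without the attacker's key: effort plus downtime
    p_no_key: float                       # actor fails to deliver a working decryptor after payment
    p_reextort: float                     # actor demands a second payment after the first
    rebuild_cost: Optional[float] = None  # cost of abandoning the affected data and rebuilding from scratch


def expected_costs(s: Scenario) -> Dict[str, float]:
    """Expected cost of each route.

    Paying carries the two failure modes the text names: no working key (you have
    paid and still recover alone) and a repeat demand (assumed here, as a
    constructed simplification, to be a second payment equal to the first).
    """
    costs = {
        "pay": s.ransom + s.p_no_key * s.recovery_cost + s.p_reextort * s.ransom,
        "recover": s.recovery_cost,
    }
    if s.rebuild_cost is not None:
        costs["rebuild"] = s.rebuild_cost
    return costs


def recommend(s: Scenario) -> str:
    """Route with the lowest expected cost."""
    costs = expected_costs(s)
    return min(costs, key=costs.__getitem__)


def break_even_p_no_key(ransom: float, recovery_cost: float, p_reextort: float) -> float:
    """Probability of a dud decryptor at which paying and recovering alone cost the
    same; above it, self-recovery is cheaper. A result outside [0, 1] means one
    route dominates whatever the actor's reliability."""
    return (recovery_cost - ransom * (1 + p_reextort)) / recovery_cost


if __name__ == "__main__":
    reliable = Scenario(ransom=5e6, recovery_cost=70e6, p_no_key=0.05, p_reextort=0.10)
    unreliable = Scenario(ransom=5e6, recovery_cost=70e6, p_no_key=0.95, p_reextort=0.10)
    cheap = Scenario(ransom=5e6, recovery_cost=5e3, p_no_key=0.05, p_reextort=0.10)
    for label, s in [("reliable actor", reliable),
                     ("actor known for dud keys", unreliable),
                     ("cheap self-recovery", cheap)]:
        print(f"{label:25s} -> {recommend(s):8s} {expected_costs(s)}")
    print("break-even p_no_key for $5M vs $70M:",
          round(break_even_p_no_key(5e6, 70e6, 0.10), 3))
```

With the article's figures, paying stays cheaper until the actor's track record of not delivering a key exceeds roughly 92 percent, which is why the threat-intelligence input matters more than the headline ransom amount. Swap in a $5,000 recovery bill and the answer flips regardless of the actor.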
In the meantime, there are a number of ways a company can put itself in a stronger position to negotiate, or not, before a ransomware attack even happens, Clark says. Some of the advice is obvious, such as implementing secure passwords and multifactor authentication (MFA) so systems aren't breached in the first place, he says.
And in many instances, phishing remains the primary way that attackers gain access to user credentials and thus enterprise systems, so "making sure you have strong controls around that in the form of email filtering and security awareness is incredibly helpful," Clark says.
One recommendation that he says many organizations don't implement very often yet is to have some sort of Dark Web scanning or threat intelligence in place to identify when credentials for an enterprise user have been compromised.
Organizations also should engage in ransomware-impact analysis using a ransomware simulation tool that they can develop alongside security consulting experts, he explains. This can help them better understand how to react if the situation arises, as there is not a lot of time to do a risk assessment in the immediate aftermath of an attack.
Regarding backups, which organizations cite as a surefire way to recover systems on their own when they lose data to ransomware, Clark advises a cautious approach to betting too much on them versus paying a ransom or another alternative.
"According to some of the research we've seen, most of the attackers are in the environment up to 10 months before they detonate," he says. This means there's a good chance there is already malware in an organization's backups, Clark adds.
"You need to make sure you're working with a forensics team when you restore," he advises, "so you don't end up redeploying malware from seven months ago."
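One way to turn "work with a forensics team when you restore" into a repeatable check before anything is restored. This is an added example, not code from the article, from Clark, or from Triton Tech Consulting. Everything below is constructed: the snapshot dates, file paths, digests and the single IOC hash stand in for a real backup manifest and a real indicator list. The check rejects any snapshot taken at or after the earliest known indicator of compromise (with a safety margin, because that date usually moves earlier as the investigation proceeds) and any snapshot whose manifest already contains a known-bad hash, then lists what changed since the chosen restore point so those files are re-introduced only after review.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken: datetime
    files: Dict[str, str]   # path -> SHA-256 of the file, as recorded in the backup manifest


def sha256(text: str) -> str:
    """Digest of constructed file contents; stands in for real manifest entries."""
    return hashlib.sha256(text.encode()).hexdigest()


# --- Constructed sample data (not from any real incident) -------------------
DROPPER = sha256("constructed dropper sample")   # the IOC hash forensics handed over
IOC_HASHES: Set[str] = {DROPPER}
BASELINE = {
    "/etc/ssh/sshd_config": sha256("sshd_config baseline"),
    "/opt/app/app.jar": sha256("app.jar 1.4"),
}
SNAPSHOTS: List[Snapshot] = [
    Snapshot("2024-03-01", datetime(2024, 3, 1), dict(BASELINE)),
    # The dropper is already present here, earlier than forensics first believed.
    Snapshot("2024-05-01", datetime(2024, 5, 1),
             {**BASELINE, "/opt/app/bin/svc_helper": DROPPER}),
    Snapshot("2024-07-01", datetime(2024, 7, 1),
             {**BASELINE, "/opt/app/bin/svc_helper": DROPPER,
              "/etc/ssh/sshd_config": sha256("sshd_config tampered")}),
    Snapshot("2024-09-01", datetime(2024, 9, 1),
             {**BASELINE, "/opt/app/bin/svc_helper": DROPPER,
              "/etc/ssh/sshd_config": sha256("sshd_config tampered"),
              "/opt/app/app.jar": sha256("app.jar 1.5")}),
]
# Earliest indicator of compromise the (constructed) forensics timeline has so far.
FIRST_COMPROMISE = datetime(2024, 6, 10)


def vet_snapshots(snapshots: List[Snapshot], first_compromise: datetime,
                  ioc_hashes: Set[str], margin: timedelta = timedelta(days=7)
                  ) -> Tuple[List[Snapshot], Dict[str, List[str]]]:
    """Split snapshots into restore candidates (newest first) and rejects with reasons.

    A snapshot is rejected if it was taken within `margin` of, or after, the
    earliest indicator of compromise, or if any file in its manifest matches a
    known IOC hash. The hash check catches dwell time the timeline has missed.
    """
    clean: List[Snapshot] = []
    rejected: Dict[str, List[str]] = {}
    for snap in sorted(snapshots, key=lambda s: s.taken, reverse=True):
        reasons = []
        if snap.taken >= first_compromise - margin:
            reasons.append(f"taken within {margin.days} days of or after first IOC "
                           f"({first_compromise:%Y-%m-%d})")
        hits = sorted(p for p, h in snap.files.items() if h in ioc_hashes)
        if hits:
            reasons.append("IOC hash match: " + ", ".join(hits))
        if reasons:
            rejected[snap.name] = reasons
        else:
            clean.append(snap)
    return clean, rejected


def files_to_review(restore_point: Snapshot, latest: Snapshot) -> Set[str]:
    """Paths added or changed between the chosen restore point and the newest
    backup. All of them were touched during the window the attacker may have been
    present, so they are re-introduced only after the forensics team clears them."""
    return {p for p, h in latest.files.items() if restore_point.files.get(p) != h}


if __name__ == "__main__":
    candidates, rejects = vet_snapshots(SNAPSHOTS, FIRST_COMPROMISE, IOC_HASHES)
    for name, why in rejects.items():
        print(f"reject {name}: {'; '.join(why)}")
    if candidates:
        restore = candidates[0]
        print(f"restore from {restore.name}; review before re-adding: "
              f"{sorted(files_to_review(restore, SNAPSHOTS[-1]))}")
    else:
        print("no clean snapshot: rebuild from scratch or weigh the other options")
```

In the constructed data the 2024-05-01 snapshot predates the forensics team's first-compromise date and would pass a date-only check, but its manifest carries the dropper, so the only safe restore point is 2024-03-01. Every file that differs from that point, including the legitimate app.jar upgrade, lands on the review list rather than being copied forward blindly.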
