Ransomware? Back online in no time
When ransomware strikes, crippling your systems, it's time to call in the experts. Rickey Gevers and Joeri Blokhuis, Secura's incident response partners, usually get businesses back online quickly.
... > Incident Response PRO > Ransomware? Back online in no time
Ransomware? Back online in no time
Your business has been hacked, ransomware criminals are demanding thousands of dollars and important systems are down. What to do? You call an incident response expert like Rickey Gevers and Joeri Blokhuis. They are Secura’s partners incident response partners. ‘Negotiating with ransomware groups is something we've become very good at.’
‘99% of the calls we get are about ransomware,’ Gevers says. ‘All kinds of companies call us: from the barbershop on the corner to the largest companies in the Netherlands. We are known in the market for our quick response and trustworthiness. Sometimes we really can solve a ransomware case within two hours.'
Over the past 13 years Rickey Gevers and his associate Joeri Blokhuis have helped dozens of companies affected by ransomware, with their company Responders.NU. Since the summer of 2023, Responders.NU is Secura's incident response partner.
Time is money
Gevers and Blokhuis have set up their infrastructure to handle a ransomware attack as quickly as possible. Because, says Gevers, ‘Time is money. Suppose your company grows cauliflower. You're ransomed and you can't get the cauliflower to the store. You suffer a loss, it's as simple as that. We can quickly estimate whether you’ll be back in business.’
Joeri Blokhuis (l) en Rickey Gevers of Responders.NU
Every ransomware attack is different, because no company is the same. But Gevers sees similar situations in every attack. 'When somebody calls us, first we listen. Usually people need to get rid of this load; they are really stressed. We try to exude a certain calmness.'
'For example, I was called once by a man with a very large company in the manufacturing industry. He told me: 'They want 20,000 euros.' So I said, 'Oh, that's not so bad.' That was the trigger for him to think, yes, it's actually not that bad. After that, he relaxed. Incidents tend to go more smoothly when people are calm.'
Are there any backups?
After that first phone call, Gevers and Blokhuis strengthen their intelligence position. 'We check: which ransomware group is behind this? How is the affected party doing? For example, which systems are inaccessible? What does that mean for the company?' But the most important question is: are there any backups? And how long will it take before they can be restored?
'About three years ago we still met a lot of companies who didn’t have backups,' says Blokhuis. 'That meant you had to pay up; you had no other option. But we’re happy to see that less often nowadays; backups are getting better.'
Incident Response specialist
About three years ago we still saw a lot of companies without backups. We're pleased to see that less often nowadays; backups are getting better.
Negotiating with ransomware groups
When, and only when, Gevers and Blokhuis have fully strengthened their information position they open a chat with the ransomware group behind the attack. Their goal is to reduce the amount of money the group is demanding. ‘Negotiating with ransomware groups is something we have become very good at,’ Gevers says.
To be clear: Blokhuis prefers not to pay criminals a ransom. 'But we find in practice that paying the ransom is often the fastest route to recovery. For us, it's about weighing the costs against the benefits.' He always consults with an organization's management about this trade-off during an attack.
It goes something like this: 'Suppose you're down for a day because you need a day for recovery, to restore the backups. That means losing 2 million euros – these are random numbers, by the way. But: if we pay the ransom it costs 200k. With a few clicks we can transfer that money, get the decryptor and be back online in 4 hours. Then we pay. These are the kinds of calculations that are made.'
Joeri Blokhuis (l) and Rickey Gevers
To pay or not to pay
To pay or not to pay in case of ransomware is a sensitive issue. The Dutch government never pays. 'Sometimes that really hurts,' says Gevers. A ransomware group might ask for 10,000 euros. The government party then decides, 'We won't pay.' And the damage could be in the millions.'
Gevers sees that the willingness to pay a ransom varies by country: 'In the UK, paying a ransom is not done. Almost nobody pays. Willingness to pay is also limited in the Netherlands, although the threshold for paying ransom is lower there now than it was a few years ago. In Germany, on the other hand, companies often do pay. I think that's because Germany is more privacy-minded.'
Very occasionally a payment turns out unexpectedly well. In 2022, Gevers and Blokhuis managed to withdraw payment of the ransom after receiving the decryptor: 'A trick. So in that particular case we never paid at all.' They shared this info with law enforcement, allowing police to extract over 155 keys from that specific ransomware group.
When is an assignment successful? 'When the customer is satisfied. I also get a kick when things go really fast. When we solve the problems within a few hours and the customer says, ‘Wait, is it over already?'
The work also gives him a certain satisfaction. 'A while back we got a call from a party that worked with a lot of vulnerable people. They let us know: if the data of these people gets online, it will cause a lot of serious problems. Very sensitive data, in other words. We ended up working on it for a long time, but it turned out all right.'
Incident Response 24/7
You've been hacked - your systems are down. It is important to limit the damage and get back to business as soon as possible.. Secura can help you.
Incident Response PRO
Secura’s Incident Response PRO helps you prepare for cyber incidents and guarantees expert help during a potential incident.
Tabletop Crisis Management
Who are the first points of contact in case of a cyber incident? What are everyone's responsibilities? Practice Cyber Crisis Management in this Workshop.
Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.
Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80.000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.