Ransomware? Back online in no time

When ransomware strikes, crippling your systems, it's time to call in the experts. Rickey Gevers and Joeri Blokhuis, Secura's incident response partners, usually get businesses back online quickly.

Your business has been hacked, ransomware criminals are demanding thousands of dollars and important systems are down. What to do? You call an incident response expert like Rickey Gevers and Joeri Blokhuis. They are Secura’s incident response partners. ‘Negotiating with ransomware groups is something we've become very good at.’

‘99% of the calls we get are about ransomware,’ Gevers says. ‘All kinds of companies call us: from the barbershop on the corner to the largest companies in the Netherlands. We are known in the market for our quick response and trustworthiness. Sometimes we really can solve a ransomware case within two hours.’

Over the past 13 years, Rickey Gevers and his associate Joeri Blokhuis have helped dozens of companies affected by ransomware with their company Responders.NU. Since the summer of 2023, Responders.NU has been Secura's incident response partner.

Time is money

Gevers and Blokhuis have set up their infrastructure to handle a ransomware attack as quickly as possible. Because, says Gevers, ‘Time is money. Suppose your company grows cauliflower. You're ransomed and you can't get the cauliflower to the store. You suffer a loss, it's as simple as that. We can quickly estimate whether you’ll be back in business.’

Joeri Blokhuis (l) and Rickey Gevers of Responders.NU

Hugely stressed

Every ransomware attack is different, because no company is the same. But Gevers sees similar situations in every attack. 'When somebody calls us, first we listen. Usually people need to get rid of this load; they are really stressed. We try to exude a certain calmness.'

'For example, I was called once by a man with a very large company in the manufacturing industry. He told me: "They want 20,000 euros." So I said, "Oh, that's not so bad." That was the trigger for him to think, yes, it's actually not that bad. After that, he relaxed. Incidents tend to go more smoothly when people are calm.'

Are there any backups?

After that first phone call, Gevers and Blokhuis strengthen their intelligence position. 'We check: which ransomware group is behind this? How is the affected party doing? For example, which systems are inaccessible? What does that mean for the company?' But the most important question is: are there any backups? And how long will it take before they can be restored?

'About three years ago we still met a lot of companies who didn’t have backups,' says Blokhuis. 'That meant you had to pay up; you had no other option. But we’re happy to see that less often nowadays; backups are getting better.'

Joeri Blokhuis

Incident Response specialist

Responders.NU

About three years ago we still saw a lot of companies without backups. We're pleased to see that less often nowadays; backups are getting better.

Negotiating with ransomware groups

When, and only when, Gevers and Blokhuis have fully strengthened their information position they open a chat with the ransomware group behind the attack. Their goal is to reduce the amount of money the group is demanding. ‘Negotiating with ransomware groups is something we have become very good at,’ Gevers says.

To be clear: Blokhuis prefers not to pay criminals a ransom. 'But we find in practice that paying the ransom is often the fastest route to recovery. For us, it's about weighing the costs against the benefits.' He always consults with an organization's management about this trade-off during an attack.

It goes something like this: 'Suppose you're down for a day because you need a day for recovery, to restore the backups. That means losing 2 million euros – these are random numbers, by the way. But: if we pay the ransom it costs 200k. With a few clicks we can transfer that money, get the decryptor and be back online in 4 hours. Then we pay. These are the kinds of calculations that are made.'

Joeri Blokhuis (l) and Rickey Gevers

To pay or not to pay

To pay or not to pay in case of ransomware is a sensitive issue. The Dutch government never pays. 'Sometimes that really hurts,' says Gevers. 'A ransomware group might ask for 10,000 euros. The government party then decides, "We won't pay." And the damage could be in the millions.'

Gevers sees that the willingness to pay a ransom varies by country: 'In the UK, paying a ransom is not done. Almost nobody pays. Willingness to pay is also limited in the Netherlands, although the threshold for paying ransom is lower there now than it was a few years ago. In Germany, on the other hand, companies often do pay. I think that's because Germany is more privacy-minded.'

Very occasionally a payment turns out unexpectedly well. In 2022, Gevers and Blokhuis managed to withdraw payment of the ransom after receiving the decryptor: 'A trick. So in that particular case we never paid at all.' They shared this info with law enforcement, allowing police to extract over 155 keys from that specific ransomware group.

Satisfaction

When is an assignment successful? 'When the customer is satisfied. I also get a kick when things go really fast. When we solve the problems within a few hours and the customer says, "Wait, is it over already?"'

The work also gives him a certain satisfaction. 'A while back we got a call from a party that worked with a lot of vulnerable people. They let us know: if the data of these people gets online, it will cause a lot of serious problems. Very sensitive data, in other words. We ended up working on it for a long time, but it turned out all right.'
