惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
Latest news
Latest news
P
Palo Alto Networks Blog
T
The Exploit Database - CXSecurity.com
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
AI
AI
阮一峰的网络日志
阮一峰的网络日志
量子位
Project Zero
Project Zero
Know Your Adversary
Know Your Adversary
Google Online Security Blog
Google Online Security Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
S
Schneier on Security
大猫的无限游戏
大猫的无限游戏
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
K
Kaspersky official blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
V
Visual Studio Blog
Spread Privacy
Spread Privacy
C
CERT Recently Published Vulnerability Notes
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
S
SegmentFault 最新的问题
Hugging Face - Blog
Hugging Face - Blog
W
WeLiveSecurity
博客园 - Franky
Last Week in AI
Last Week in AI
博客园 - 聂微东
博客园 - 三生石上(FineUI控件)
小众软件
小众软件
IT之家
IT之家
I
Intezer
The Cloudflare Blog
月光博客
月光博客
N
News | PayPal Newsroom
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
V
V2EX
博客园_首页
罗磊的独立博客
NISL@THU
NISL@THU
爱范儿
爱范儿
Jina AI
Jina AI
有赞技术团队
有赞技术团队
The Hacker News
The Hacker News
A
Arctic Wolf
Scott Helme
Scott Helme
Engineering at Meta
Engineering at Meta
P
Proofpoint News Feed

The Register - Security: CSO

Anthropic's Mythos has The Kettle crew curious, skeptical 'People's Panel' to check if UK wants controversial Digital ID will cost £630K Top npm package backdoored to drop dirty RAT on dev machines Lightning-fast exploits mean patch fast, says Cisco Talos Lightning-fast exploits mean patch fast, says Cisco Talos Smooth criminals talking their way into cloud environments, Google says Cybercrime up 245% since the start of the Iran war Scattered Lapsus$ Hunters seeks women to defraud helpdesks Every day in every way, passwords are getting worse CISA quietly updated ransomware flags on 59 flaws last year Deepfake job seeker applied to work for an AI security firm Deepfake job seeker applied to work for an AI security firm AI-powered cyberattack kits are 'just a matter of time' AI-powered cyberattack kits are 'just a matter of time' FortiGate SSO bug still exploitable despite December patch FortiGate SSO bug still exploitable despite December patch Judge tosses CrowdStrike shareholder suit over 2024 outage DRAM shortage may drive firewall prices higher: analysts Ransomware attacks kept climbing in 2025 as gangs refused to stay dead Around 1,000 systems compromised in ransomware attack on Romanian water agency 1,000 systems pwned in Romanian Waters ransomware attack Half of exposed React servers remain unpatched amid attacks CISA warns spyware crews are breaking into Signal and WhatsApp accounts FCC guts Salt Typhoon telco rules despite espionage risk CISA orders feds to patch Oracle Identity Manager zero-day SEC drops SolarWinds lawsuit that painted a target on CISOs everywhere SEC bails on SolarWinds lawsuit Palo Alto kit sees massive surge in malicious activity amid mystery traffic flood Palo Alto kit sees massive surge in malicious activity Countries use cyber targeting to plan strikes: Amazon CSO Overconfidence is the new zero-day as teams stumble through cyber simulations UK's Cyber Security and Resilience Bill makes Parliamentary debut Cyber insurers paid out over twice as much for UK ransomware attacks last year Cyberpunks mess with Canada's water, energy, and farm systems Trump's workforce cuts blamed as America's cyber edge dulls Feds flag active exploitation of patched Windows SMB vuln How malware vaccines could stop ransomware's rampage Salesforce refuses to pay ransomware crims' extortion demand Germany slams brakes on EU's Chat Control snoopfest Germany slams brakes on EU's Chat Control snoopfest Employees regularly paste company secrets into ChatGPT Oracle tells Clop-targeted EBS users to apply July patch Red Hat repos raided, claims cybercrew, files stolen Suspected Chinese spies broke into 'numerous' enterprises UK gov acknowledges 'strong case' for JLR financial support JLR extends shutdown – again – as toll on workers laid bare UK chancellor blames cyberattacks on Russia despite evidence Fortra discloses 10/10 severity bug in GoAnywhere MFT Entra ID bug could have granted access to every tenant UEFI Secure Boot for Linux Arm64 – where do we stand? JLR says cyber cleanup to take additional week Insider blamed for FinWise data breach affecting nearly 700K Nork snoops whip up fake military ID with help from ChatGPT UK government dragged for incomplete security reforms Church of England abuse victims exposed by lawyer's email US spy chief claims UK backdown on Apple backdoor demand Workday confirms CRM breach via social engineering Black Hat/DEF CON: AI more useful for defense than hacking Ex-White House cyber guru talks Microsoft security fails CISA releases malware analysis for Sharepoint Server attack China: US spies used Microsoft Exchange 0-day to steal info Security pros drowning in threat-intel data Identity attacks surge 156% as phishermen get craftier Organizations can’t keep up with supply chain security musts Amazon CISO: Iranian hacking crews ‘on high alert’ UK data watchdog fines 23andMe £2.3M over 2023 breach Employers are demanding too much from junior cyber recruits FCA warned four staffers who pocketed regulator data Ivanti RCE attacks 'ongoing,' exploitation hits clouds Ex-NSA listened to Scattered Spider's calls: 'They're good' Snowflake CISO talks lessons learned from breaches, improv Why CVSS is failing us and what we can do about it Infosec pros still aren't nailing the basics of AI security Ransomware crims targeting systems between IT and operations Why aggregating asset inventory leads to better security NCSC and industry at odds over how to tackle shoddy software Powerschool extortionists may not have deleted stolen data CrowdStrike trims workforce by 5 percent, aims to rely on AI NSO Group must pay Meta $168M in WhatsApp spy case Ghost in the shell script: Boffins seek code correctness How Intruder finds what others miss in cloud security Linux malware can avoid syscall-based endpoint protection Infosec pro blabs about alleged malware mishap on LinkedIn The future of AI in cybersecurity in a word – optimistic CVE board 'kept in the dark' on funding, members say Security snafus caused by third parties up from 15% to 30% Blue Shield shared 4.7M people's health info with Google Ads Who needs phishing when your login's already in the wild? US cyber defenses are being dismantled from the inside Bug hunter obtains an SSL cert for Alibaba Cloud in 5 steps
Ransomware just wrecked your network – now what?
Iain Thomson Iain Thomson · 2025-06-06 · via The Register - Security: CSO

FEATURE So, the worst has happened. Computer screens all over your org are flashing up a warning that you've been infected by ransomware, or you've got a message that someone's been stealing information from your server.

There's a growing market of firms that advise extortion victims on how to handle the situation, but that just adds another invoice to the injury, and some still prefer to go it alone. In the end, while a few companies do ignore ransom demands outright, all at least assess their options before deciding whether to negotiate, restore from backups, or pay up.

"I believe less than a quarter of the organizations last year that we assisted ended up going on their own and settling with the threat actor," explained Andrew Carr, senior director of commercial incident response at Booz Allen.

So how should you proceed?

First, take a look at the infected machines to see what exactly is going on and if there's information on how the infection occurred so security holes can be patched up.

For companies that have cyber insurance, the insurer will often appoint someone to do just that, according to an independent ransomware negotiator who asked to remain anonymous to avoid being targeted by criminals. Insurance companies are spending a lot of time and effort examining the ransomware ecosystems because they are having to pay out increasingly large sums as the ransomware plague spreads.

Next up, companies usually wipe their systems clean and restore them from backups. The wiping is particularly important, since once someone has gained access to your network, they could well have left other malware behind to get a second bite of the cherry.

This holds true even if victims decide to pay up – once a system has been penetrated, it must be thoroughly checked for remaining threats. Getting the ransomware key is one thing, but the system should still be regarded as at risk, even after decryption.

When you have to pay

Although the majority of ransomware victims don't pay up, some feel they have to. Maybe it would take too long to wipe and restore all affected systems, or maybe the backups are insufficient, given the scope of the infection.

As we've seen in the Colonial Pipeline and UnitedHealth attacks, the CEOs were quite blunt about their reasons for paying – service had to be restored, fast.

In the case of Colonial, it was an emergency. Panic buying was leading to shortages and fistfights were breaking out at gas stations across the US East Coast. The decision was made to suffer the pain and pay up.

With the Change Healthcare cyberattack, parent company UnitedHealth forked over $22 million in bitcoin to the ALPHV/BlackCat gang, since pharmacies were in chaos and prescriptions desperately needed to be filled. Incidentally, this was one of the relatively rare cases where the gang did rip off its affiliates, the ransomware negotiator told The Register.

Most ransomware infections contain contact information for the attackers. If you feel you have to negotiate, it's important to know who you're dealing with. Typically, ransomware-as-a-service operators let affiliates make the actual intrusion, then take over negotiations and kick back a percentage to the initial attacker.

The reason for this central control is that it allows the malware developer to ensure their brand - such as it is - remains untarnished. While there have been cases of people infecting victims or stealing data, taking the payoff, and then double-crossing the payer, that's bad for business.

"Trust is a massive part of this," the ransomware negotiator said. If the gang has a reputation for delivering a solution once victims have coughed up the fee, then it's easier to extort money.

The major gangs have full-time staff who manage negotiations, ensure delivery, develop better malware, and so on, the ransomware negotiator explained. Typically, they'll pitch the first demand at around 5 percent of annual revenue. The trick to reducing the sums is playing the long game.

The longer the negotiation goes on, the more the price is likely to drop, he opined. The extortionists just want the money and "it will tie up with the negotiator so they just kind of go, 'Well, you know, screw this. Let's just give them a nice, generous discount'," he added.

There are exceptions. After going through chat logs related to LockBit, the ransomware negotiator told us, he noticed a lot of amateur teens seem to be using rent-a-ransomware kits. These folks are more likely to negotiate themselves, then take the money and run, as they have no reputation to preserve.

But they're also more likely to cave, as we saw in the recent ransomware infection at PowerSchool - the original infection actually happened upstream at an unnamed telco, but they refused to pay, so the attackers used info gained in that first attack to target the education software provider instead, according to legal documents connected to a guilty plea from a 19-year-old attacker. PowerSchool paid up, but the data was still apparently out in the wild and remained undeleted, leading to further extortion attempts against PowerSchool customers.

As far as payment goes, everyone we spoke to agreed that bitcoin was the preferred payment method. It's convenient and, importantly, usually untraceable. While coin mixing technology – which seeks to launder the digicash using a mass of transactions – is improving, it's still possible to beat. In the case of Colonial, most of the ransom was recovered, and one Dutch university not only recovered the ransom but made a profit because the price of bitcoin had risen while they were doing so.

If you seek help, mum's the word

If you do hire a professional to help, don't let the criminals know what's going on, Carr advised.

"We don't go in and say I'm from X company, here on behalf of this victim organization. You pretend, typically, that you are a member of that organization. That way it just seems more natural. And some of the groups actually have animosity towards professional organizations that assist in these cases."

Similarly, if you have insurance, it's vital not to let on when negotiating with the extortionists. At the recent RSA security conference, Dutch police explained that in addition to encrypting some systems, the crooks also look for documents related to cyber insurance. If the victim has coverage, the amount they demand goes way up.

But it shouldn't come to that. The vast majority of ransomware operators just want low-hanging fruit – people without even basic endpoint protection who can just be spammed with malware, Carr said. Larger companies should be able to fight off all but the most determined, well-resourced attackers.

And that's the root of the issue. Payment is likely to fund further criminal activity, so caving to the demands is making attacks more likely in the future. Carr said that if it came to a decision to pay, then his job was over – "we're hands off in that," he concluded. ®