Ransomware attacks are no longer a question of “if” but “when” or even “how often”. In this candid interview, Nigel Sampson, a cybersecurity professional, chatted to Joe Pettit, Director at Bora, to share his experience dealing with a LockBit ransomware incident—shedding light on the immense financial burden, the strategic playbook used by ransomware gangs, and the critical lessons learned.
From mounting legal costs to negotiations with threat actors who, while they operate like legitimate businesses, can’t be trusted to hand over the keys even if the company does pony up the ransom, this firsthand account is a harsh reminder of the risks modern entities face every day.
Here’s what he had to say.
A Significant System Outage
A business with many subsidiaries, including one particularly large one, contacted me around midday Eastern time to discuss connectivity problems they were having. They weren’t sure of the cause but wanted to keep me up to speed. Initially, it appeared to be a system issue rather than a security incident—but no such luck. An hour later, they called back with a more pressing concern—they weren’t able to access additional systems.
At this point, I involved my security operations manager and began looking into it. It quickly became clear that this was a major system outage, as the company said it was unable to access consoles, web servers, and data centers globally. Upon closer scrutiny, we discovered that the VMDKs—critical files supporting the VMware environment—had been encrypted with a five-layer extension, a major red flag of ransomware.
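The red flag described above, a VMware artefact whose name carries a chain of appended extensions, is cheap to hunt for across a datastore listing. The following is an added illustration written for this page, not code from the interviewee or from any vendor: it takes a list of file names, isolates the suffixes that follow the last VMware extension, and reports how many VMware files are affected and which suffix chain dominates. The listing and the `.k1.k2.k3.k4.locked` chain are constructed sample data, not a real LockBit extension.

```python
"""Flag VMware datastore files that look ransomware-renamed: a VMware artefact
(.vmdk/.vmx/...) followed by one or more appended extensions."""
from collections import Counter
from pathlib import PurePosixPath

# Extensions VMware itself produces; anything appended after these is suspicious.
VMWARE_EXTS = {".vmdk", ".vmx", ".vmsd", ".vmsn", ".vmss", ".nvram", ".vmxf"}

# Constructed datastore listing (sample data, not from a real incident).
# The five-part chain mimics the "five-layer extension" seen in the article.
SAMPLE_LISTING = [
    "db01/db01.vmx",
    "db01/db01.vmdk.k1.k2.k3.k4.locked",
    "db01/db01-flat.vmdk.k1.k2.k3.k4.locked",
    "web02/web02.vmdk",        # untouched
    "web02/web02.vmx",
    "README.txt",              # not a VMware file, ignored
    "backup.2023.vmdk.k1.k2.k3.k4.locked",
]


def appended_extensions(name):
    """Return the suffixes that follow the last VMware extension in `name`.

    'disk.vmdk.a.b' -> ['.a', '.b']; a plain VMware file or a non-VMware
    file returns [].  Only the final path component is inspected.
    """
    suffixes = PurePosixPath(name).suffixes
    for i, s in enumerate(suffixes):
        if s.lower() in VMWARE_EXTS:
            return suffixes[i + 1:]
    return []


def scan_listing(names, min_appended=1):
    """Summarise a listing: suspicious names, the most common appended chain,
    and the fraction of VMware files carrying extra suffixes."""
    vmware_files = 0
    hits = []
    chains = Counter()
    for n in names:
        suffixes = [s.lower() for s in PurePosixPath(n).suffixes]
        if not any(s in VMWARE_EXTS for s in suffixes):
            continue
        vmware_files += 1
        extra = appended_extensions(n)
        if len(extra) >= min_appended:
            hits.append(n)
            chains["".join(extra)] += 1
    return {
        "vmware_files": vmware_files,
        "suspicious": hits,
        "common_chain": chains.most_common(1)[0][0] if chains else None,
        "affected_ratio": len(hits) / vmware_files if vmware_files else 0.0,
    }


if __name__ == "__main__":
    report = scan_listing(SAMPLE_LISTING)
    print(f"{len(report['suspicious'])}/{report['vmware_files']} VMware files renamed;"
          f" dominant chain: {report['common_chain']}")
    for name in report["suspicious"]:
        print("  ", name)
```

In practice the `names` list would come from a datastore browse or an `ls -R` of the volume taken from a known-clean host; a high `affected_ratio` together with one dominant chain is the pattern to escalate on, whereas a single odd name is more likely an admin's manual rename.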
Patient Zero
Understanding the severity of the situation, we moved as quickly as possible. We identified “patient zero”, shut down the network, disconnected all remote users, and kicked our incident response plan into gear. This meant isolating affected systems, closing off VPN access, and pretty much halting business operations. Concurrently, we started briefing executives—the CIO, board members, and senior stakeholders—while assessing the attackers’ tactics, techniques, and procedures to determine the scope of the breach and what our remediation options were.
Once the network was isolated, our next priority was business continuity planning. We evaluated backup availability—determining whether we could restore data from existing backups and whether those backups were immutable. However, the timing was unfortunate, as we were in the early stages of deploying a new security technology stack across the global organization. Only 10 to 20 workstations had been fully protected, limiting our visibility into the attack’s origins.
Our deductions helped us identify two or three devices as potential entry points, but we couldn’t pinpoint the exact vulnerability due to incomplete security tool implementation. Given the complexity of the situation, we brought in a project manager to help coordinate the investigation and remediation efforts. We consulted the IT director regarding backups, only to discover a major flaw in the company’s infrastructure: their data center had a mirrored backup system on the west side, but because the network was not segmented, the ransomware had also encrypted those backups. This lack of immutability meant that even their disaster recovery strategy was a failure.
The Worst-case Scenario
At this stage, we faced the worst-case scenario. The company’s entire SaaS-based business was at risk, and restoring operations seemed highly unlikely unless we could negotiate with the threat actors for a decryption key—an uncertain and too often fruitless exercise. We broadened our approach by searching for any unencrypted databases or files. Luckily, we found an untouched terabyte-sized database, which became the foundation for recovery, leading us to establish a ‘green zone’—a sanitized network where we could transfer and restore clean systems.
A week into the incident, daily briefings with executives and board members were in place. External legal counsel, PR specialists, and regulatory compliance teams were also engaged. The situation was rapidly evolving, requiring meticulous coordination and transparency with customers and regulatory bodies.
Interestingly, our newly developed incident response plan (IRP) was being tested in real-time. My SecOps lead had recently completed an IRP course and had just finalized our response framework. Despite being in its early stages, the plan worked effectively, guiding our containment and recovery efforts. By the second or third week, we had started rebuilding products using the recovered database.
Identifying the Culprit
As we gained more insight into the attack, we identified the ransomware strain as LockBit 3.0. Researching on the dark web, we discovered that LockBit operates a dashboard displaying compromised companies and countdown timers for data exposure—a tactic known as double extortion ransomware. In addition to encrypting data, attackers threaten to leak stolen information publicly, increasing pressure on victims to pay.
Surprisingly, our company never appeared on the LockBit dashboard. Nevertheless, we engaged specialized external counsel who had experience negotiating with ransomware groups. Three to four weeks into the incident, we had progressed significantly in restoring systems through other means.
Negotiating With Ransomware Operators
Negotiating with ransomware operators is a complex process. Threat actors communicate through dedicated chatrooms, managing multiple victims simultaneously. We determined that the attackers were likely based in Eastern Russia, having acquired initial network access through an access broker months before the actual attack. This indicates that our environment had been compromised for two to three months before LockBit exploited the vulnerability.
With a clearer understanding of the attack, we began searching for indicators of data exfiltration. LockBit typically bundles stolen data before using specialized tools to extract it from the network. Identifying exfiltrated data is challenging without network performance monitoring tools or data loss prevention (DLP) solutions—without these capabilities, determining the full extent of data exfiltration is extremely difficult.
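Even without DLP or a network performance monitor, the bundle-then-extract pattern described above leaves a coarse trace: a host whose outbound volume jumps far above its own history, often toward a destination it has never talked to. The code below is an added example for this page, not from the interviewee or any product. It parses constructed flow-log lines in a simple `timestamp src dst bytes` form (an assumed format), aggregates outbound bytes per internal host per hour, and flags hours that exceed both a multiple of the host's median hour and an absolute floor. The `factor` and `min_bytes` thresholds are assumptions to be tuned per environment.

```python
"""Flag internal hosts whose hourly outbound volume spikes far above their own
baseline, a cheap exfiltration indicator when DLP/NPM tooling is absent."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed flow records (sample data, not from a real environment).
# Format assumed here: "<ISO timestamp> <src_ip> <dst_ip> <bytes_out>"
SAMPLE_FLOWS = """\
2024-01-08T09:00:00 10.0.5.21 203.0.113.10 120000
2024-01-08T10:00:00 10.0.5.21 203.0.113.10 95000
2024-01-08T11:00:00 10.0.5.21 203.0.113.10 110000
2024-01-08T12:00:00 10.0.5.21 203.0.113.10 130000
2024-01-08T13:00:00 10.0.5.21 203.0.113.10 100000
2024-01-08T23:00:00 10.0.5.21 198.51.100.7 48000000000
2024-01-08T09:00:00 10.0.5.40 203.0.113.10 300000
2024-01-08T10:00:00 10.0.5.40 203.0.113.10 280000
2024-01-08T11:00:00 10.0.5.40 203.0.113.10 310000
"""


def parse_flows(text):
    """Parse the assumed four-column format into (datetime, src, dst, bytes)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return rows


def hourly_outbound(rows):
    """{src: {hour_start: {"bytes": total, "dsts": set of destinations}}}."""
    agg = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "dsts": set()}))
    for ts, src, dst, nbytes in rows:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        agg[src][hour]["bytes"] += nbytes
        agg[src][hour]["dsts"].add(dst)
    return agg


def find_volume_spikes(rows, factor=20, min_bytes=1_000_000_000):
    """Return one record per (host, hour) whose outbound bytes exceed both
    factor * the host's median of its other hours and the min_bytes floor.
    Destinations not seen in the host's other hours are listed separately,
    since new targets plus bulk volume is the stronger signal."""
    spikes = []
    for src, hours in hourly_outbound(rows).items():
        if len(hours) < 3:          # too little history to form a baseline
            continue
        for hour, info in sorted(hours.items()):
            others = [v["bytes"] for h, v in hours.items() if h != hour]
            baseline = median(others)
            if info["bytes"] >= min_bytes and info["bytes"] > factor * baseline:
                known = set().union(*(v["dsts"] for h, v in hours.items() if h != hour))
                spikes.append({
                    "src": src,
                    "hour": hour.isoformat(),
                    "bytes": info["bytes"],
                    "baseline": baseline,
                    "new_destinations": sorted(info["dsts"] - known),
                })
    return spikes


if __name__ == "__main__":
    for s in find_volume_spikes(parse_flows(SAMPLE_FLOWS)):
        print(f"{s['src']} at {s['hour']}: {s['bytes']:,} bytes "
              f"(baseline {s['baseline']:,}); new destinations: {s['new_destinations']}")
```

Firewall, proxy or NetFlow exports usually need only a one-line change to `parse_flows`; the value of the exercise is the per-host baseline, which lets a quiet workstation that suddenly pushes tens of gigabytes stand out even when the absolute number would be normal for a backup server.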
Ultimately, this experience reinforces the critical importance of a well-tested incident response plan, immutable backups, and full visibility across the IT environment. The lessons learned will help inform stronger security strategies moving forward so that future incidents are detected and contained more quickly and effectively.
The Financial Impact
You can’t put an exact amount on it, but for a medium-sized company, you’re looking at over a million dollars, at least in expenses. Thinking about it now, the costs add up quickly—external legal counsel alone is very expensive, often charging for many hours of work. When you add specialists and your internal team, the total could easily reach seven figures. That’s not even considering if you’re going to pay the threat actor.
This is another key aspect. Most companies have a $5 million cybersecurity insurance policy, and threat actors are well aware of this. They anticipate negotiations and will often start their ransom demands close to that amount because they know insurers are likely to pay. Some might initially ask for three or four million, understanding that the business will negotiate. They also recognize the importance of their own reputation—once payment is made, they will provide the decryption keys. If they didn’t, businesses would stop paying, and they would need to rebrand and start over.
It’s a business for them. Some ransomware groups even have help desks on the dark web with support lines victims can call. They research their targets extensively, analyzing their revenue and operations to determine how much they can extort. They operate with structured playbooks, and for well-known exploits, they know exactly how to execute their attacks.
Smishing Texts, Deepfakes
These scourges are everywhere. I’ve personally received texts that appeared to come from former CEOs or bosses, saying things like, “I’m at a conference, I can’t call—can you handle this for me?” But I knew it was fake. Attackers are using AI for deepfake videos, fake resumes, and even to infiltrate security companies.
The real danger is that many companies don’t fully grasp their vulnerability. Ransomware is a technical problem that can be addressed with strong security solutions and processes. But the human element—social engineering, impersonation, and insider threats—is much harder to mitigate. If a company inadvertently hires a threat actor and does not have a strong cybersecurity program in place, it may never detect the data exfiltration happening right under its nose. The risk is real, and it’s only going to increase.
Recommended Security Tools
There are a few essential ones. You don’t necessarily need to name vendors, but the core technologies include:
- Endpoint Detection and Response (EDR): This is critical because it provides protection on user machines, where most attacks originate. Ideally, it should include behavioral analytics and be monitored by the vendor. Many teams don’t have the resources to monitor EDR consoles around the clock.
- Data Loss Prevention (DLP): This is a major initiative that requires data categorization, policies, and stakeholder engagement to determine what is confidential and what controls should be in place.
- Secure Email Gateways: Many ransomware and phishing attacks come through email, so having a strong email security solution is crucial.
- Cloud Security Posture Management (CSPM): This helps provide visibility into cloud risks and ensures potential vulnerabilities are identified and remediated.
- Attack Surface Management (ASM): This provides an external view of all publicly facing assets and their vulnerabilities. It is the view the threat actor sees, and a critical one for a business to have in order to remediate the vulnerabilities before a threat actor does.
These solutions work together in a layered approach—stopping threats at the entry point, detecting breaches, and preventing data exfiltration. The Cybersecurity Framework (CSF) is also useful as it breaks security into domains like identify, recover, governance, prevention, protection, and remediation. Organizations should ensure they have tools covering each of these domains to build strong ransomware resilience.
Assume it Will Happen
With ransomware attacks, the safest bet is to assume it will happen and prepare accordingly. Having an incident response plan in place is key. There are plenty of online guides available, but if there’s a dearth of internal security expertise within your firm, consult a vendor. Many security vendors specialize in building incident response plans, and value-added resellers (VARs) can help connect businesses with the right expertise.
Preparation is key. When an attack happens, it happens fast. If you don’t know what to do, by the time you figure it out, your business could be crippled. Having a well-structured plan puts you in a position to respond quickly and effectively, limiting damage and disruption.
Nigel Sampson is a successful innovator and global cybersecurity leader with over 25 years of enterprise experience in the Financial Services and Healthcare technology sectors. He specializes in developing strategies and driving innovative cybersecurity programs that enhance operational resiliency, fuel revenue growth, and improve customer satisfaction both domestically and internationally. He is also deeply committed to building and nurturing high-performance teams.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.