Derived: The real story behind Ransomware Events 

So, you are in the middle of a ransomware event. It happened. Nearly all of your network is down… 

What’s next? What are we supposed to do? What should we expect? How does this work? 


Upon discovery of one of these events, there is usually a short period in which the IT department scrambles to figure out what actually happened and what, if anything, it can do to resolve the situation. That period often lasts somewhere between 2 and 6 hours, or possibly the first day after noticing the event. At that point it typically becomes clear that help is needed, and one of the first resources contacted is the insurance company. 

In today’s age, many companies have insurance policies in place to help with cybersecurity, disaster recovery, and ransomware scenarios. These policies help pay for several things during the course of these events and are utilized in nearly all cases. New hardware for the emergency, remediation consulting and additional personnel, forensics teams, lawyers, and even Threat Actor payment are all options that can be drawn from these policies. 

Insurance providers have specialty remediation and forensics companies they work with to lend resources and guidance to companies experiencing events once the policies are activated. A law firm will be engaged for counsel as well. 

At that point, two distinct workstreams begin: one to remediate the situation and restore as many infrastructure services as possible, and the other to negotiate with the Threat Actors. 

Negotiations: 

Interestingly, TA negotiations aren’t only for decryption purposes. Often a level of Non-Disclosure Agreement is negotiated as well. Threat Actors don’t simply cripple a network; they typically exfiltrate certain types of data. Examples include financial information, patent documentation, customer lists, or anything considered PII. During the TA’s due diligence, the period of time they are in your network before executing the actual ransomware event, they usually uncover insurance policy information. They then know how much the policy covers and will set the ransom based on that coverage. The NDA negotiations take place to secure the types of data and information that are crucial to the affected business. 

Lengthening these negotiations is typically beneficial for the affected company. Remember, the Restoration and Remediation team (R&R) will be working on repairing and restoring services to the company. It is rare that they can perform a full restoration without some sort of decryption being purchased. However, they are constantly restoring different systems and learning more about the situation. This changes the overall value of the decryption tools, which is often lowered depending on the importance of the systems that remain unrestored. 

Restoration & Remediation: 

There are several priorities that the R&R team undertakes during this process. The highest priority is usually the restoration of as many of the affected systems as possible. More often than not, this can only be partially done. The state of backups and Disaster Recovery capabilities typically allows only partial recovery. Even in that case, the value of the decryption tool is lowered with each system restored. 

Preparing the network for decryption or restoration while mitigating risk is also a high priority. The network is not in an ideal state, and you do not want to worsen the situation. This will include activities such as backing up affected files and virtual machines to different locations and preparing or repurposing hardware to use as staging or restoration locations. This sets up the environment for the quickest recovery time, especially in the case of decryption. The concept behind this revolves around the need to perform decryption on affected data while still protecting that data. If you have a copy of this data, you can manipulate the copy without risk of losing the original. If available, repurposed hardware gives you the storage and resources to perform these tasks without having to alter production infrastructure until you can verify the restoration. 
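A concrete form of the “work on a copy, protect the original” step described above, added here as an example and not taken from the original article: affected files are copied to a separate staging location with a SHA-256 manifest, the decryptor is run only against the copies, and the originals can be re-verified against the manifest at any time. Directory names and the manifest format are assumptions.

```python
import hashlib
import json
import shutil
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large VM disks need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_for_decryption(source: Path, staging: Path) -> dict:
    """Copy every affected file under `source` into `staging` (which must lie
    outside `source`, e.g. on repurposed hardware) and record the SHA-256 of
    each original. A decryptor is then pointed at `staging` only, so the
    originals remain an untouched fallback. Returns the manifest and writes it
    to staging/manifest.json for the R&R team (assumed layout)."""
    staging.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        dst = staging / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        digest = sha256_file(src)
        # Verify the copy before trusting it: a bad staged copy would silently
        # waste the decryption run.
        if sha256_file(dst) != digest:
            raise RuntimeError(f"staged copy of {rel} does not match original")
        manifest[rel] = digest
    (staging / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def originals_untouched(source: Path, manifest: dict) -> list:
    """Re-hash the originals against the manifest. Returns the files that have
    changed or vanished; an empty list means the fallback is still intact."""
    drifted = []
    for rel, digest in manifest.items():
        p = source / rel
        if not p.is_file() or sha256_file(p) != digest:
            drifted.append(rel)
    return drifted
```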

Lower the value of the decryption tool: 

It’s important to discuss the relationship between these simultaneous workstreams. The fact of the matter is that everyone involved hopes the R&R team’s restoration efforts will be successful enough, or quick enough, to negate having to purchase a decryption tool from the TAs. Again, this is very rarely the case. Purchasing a decryption tool is typically the fastest and least expensive way to restore full functionality. The amount of time the network is down, or that business is interrupted, plays a large factor in the equation. Having a well-maintained and tested backup system and Disaster Recovery plan gives you the best chance of lowering the value of the decryption tool. 

Derivative: 

In the end, a ransomware event is less a single catastrophe than a high-stakes chess match played under extreme pressure. By leaning on insurance resources, stretching negotiations, and empowering the R&R team to chip away at encrypted systems, organizations can steadily erode the attackers’ leverage. The goal is not perfection—full restoration without decryption remains the exception—but disciplined execution that minimizes downtime, protects sensitive data, and exits the crisis with both operations and reputation intact. Preparation, calm coordination, and a refusal to rush the payoff are what ultimately turn a paralyzing incident into a survivable, even instructive, chapter in the company’s story. 

If you are reading this article and you are currently experiencing a ransomware attack, I want you to know that you are not alone. This is not your fault, and you will get through it. 

About Me

Dustin Fremin

Author/Writer

My name is Dustin, this is my space to share the lessons I’ve derived from my career in technology.