Former Military Negotiators Reveal Critical Steps for Ransomware Response
Michael Sjøberg and Peter Skovbo of Delta Crisis outline decisive ransomware response tactics, early mistakes to avoid, and steps for regaining control.
A rising number of corporate incidents has put ransomware response at the center of boardroom priorities, and two veteran crisis negotiators are urging firms to change how they react in the first hours. Michael Sjøberg, a former Danish military hostage negotiator, and Peter Skovbo, who leads Sjøberg’s Delta Crisis consultancy in Switzerland, say that decisive, structured action can sharply reduce damage. Their joint guidance blends negotiation tradecraft with practical technical and communications measures aimed at restoring control.
Experts stress the first-hour doctrine
Sjøberg and Skovbo emphasize that the initial hour after discovery defines much of the incident’s trajectory. They advise organizations to treat ransomware as an ongoing crisis rather than an isolated IT failure, mobilizing a cross-disciplinary incident team immediately. A coordinated command structure, clear decision authority, and predefined escalation paths are critical to avoiding a fragmented response.
Rapid decisions made without evidence or centralized control frequently amplify harm, the negotiators warn. When technical staff, legal counsel, and executives act independently, containment lapses and contradictory public messages follow, complicating recovery and regulatory reporting.
Negotiation techniques applied to cyber extortion
Both experts say traditional hostage-negotiation principles transfer to ransomware incidents, particularly around communication and de-escalation. Sjøberg highlights listening and controlled messaging as tools to reduce the attacker’s incentives to act unpredictably. Skovbo adds that establishing predictable communication channels with attackers—when engagement is necessary—can buy time to mobilize defenders and forensic teams.
They caution that negotiation is a specialist capability and not a substitute for technical remediation. Any contact strategy must be coordinated with legal counsel and forensic investigators to preserve evidence and avoid creating legal or operational exposures.
Immediate technical containment and evidence preservation
Delta Crisis recommends a triage sequence for the IT response: isolate infected segments, preserve volatile evidence, and secure backups. Disconnecting affected systems from networks should be done carefully to prevent data loss while maintaining forensic integrity. Taking an image of compromised systems before any remediation enables later analysis without destroying the traces investigators need.
Engaging external digital forensics early is a recurring point from both negotiators. Independent investigators can validate the scope of the intrusion, identify persistence mechanisms, and offer guidance on whether to negotiate, restore from backups, or pursue other remedies.
Communication with stakeholders and regulators
Sjøberg and Skovbo stress clarity in external and internal messaging during a ransomware response. Employees, customers, partners, and regulators must receive consistent, factual updates on what is known and what steps are being taken. Reactive, speculative, or overly technical statements risk eroding trust and can trigger regulatory scrutiny.
They also recommend a single, trained spokesperson and a brief, regular cadence of updates. This approach reduces misinformation and protects the organization’s legal position while enabling the incident team to focus on containment and recovery.
Frequent costly mistakes in the early phase
According to the negotiators, several recurring missteps compound the damage from ransomware. The most damaging are premature system restores that reintroduce the threat, unauthorized attempts to pay or negotiate without legal and forensic oversight, and public statements that reveal investigation details. These errors can lead to repeat compromises, evidence contamination, and increased liability.
Another common mistake is ignoring cyber insurance and contractual obligations until late in the process. Skovbo notes that insurers, legal teams, and key vendors should be looped in early to coordinate coverage, reporting, and remediation responsibilities.
Criteria for involving crisis negotiation specialists
Sjøberg and Skovbo outline circumstances that warrant bringing in professional negotiators: when attackers make direct contact, when extortion involves release of stolen data, or when multiple hostile demands appear. They argue that negotiators provide discipline to communications and can slow adversary behavior while technical teams work. Their role is to manage dialogue, reduce escalation risk, and preserve options rather than to promise a guaranteed outcome.
Contracting negotiators pre-incident is recommended so that teams can be activated without delay. The negotiators advise embedding realistic engagement protocols in incident response plans and running tabletop exercises that include communication simulations.
Restoring control and strengthening resilience
After containment and forensic analysis, the focus must shift to recovery and prevention. Firms should prioritize clean restores from validated backups, patching identified vulnerabilities, and rotating credentials to remove attacker footholds. Post-incident reviews must produce specific remediation plans with assigned owners and deadlines to prevent recurrence.
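The two checks the negotiators keep returning to, preserving the integrity of collected evidence and restoring only from validated backups taken before the intrusion, can both be reduced to the same mechanism: a hash manifest recorded at collection or backup time and verified before anything is relied upon. The following Python is an added illustration, not code from Delta Crisis or from the article; the file names, backup names, timestamps and the compromise time are constructed for the example.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images or dumps do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Record the SHA-256 of every regular file under root, keyed by POSIX-style relative path.

    Run this once when evidence is collected or a backup is written; the manifest is the
    reference that later verification compares against.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: Dict[str, str]) -> List[str]:
    """Return a list of problems (modified, missing, unexpected files); empty means intact."""
    problems: List[str] = []
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def choose_restore_point(backups: List[dict], earliest_compromise: datetime) -> Optional[dict]:
    """Pick the newest backup that is both verified and taken before the earliest compromise indicator.

    Backups taken after that point may already carry the attacker's foothold, which is the
    'premature restore' mistake the article warns about; unverified backups are skipped
    because a restore from them has not been tested.
    """
    candidates = [
        b for b in backups
        if b["verified"] and b["taken_at"] < earliest_compromise
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda b: b["taken_at"])


def run_demo() -> dict:
    """Constructed scenario: a backup set is hashed, then one file is overwritten and another dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'ok');\n")
        (root / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        # Simulate post-backup tampering: one file overwritten, one unexpected file added.
        (root / "config.ini").write_bytes(b"\x00\x17garbage")
        (root / "note.txt").write_bytes(b"unexpected content")
        tampered = verify_manifest(root, manifest)

    def utc(stamp: str) -> datetime:
        return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)

    # Constructed backup catalogue; "verified" means a test restore of that backup succeeded.
    backups = [
        {"name": "nightly-0301", "taken_at": utc("2024-03-01T02:00:00"), "verified": True},
        {"name": "nightly-0303", "taken_at": utc("2024-03-03T02:00:00"), "verified": False},
        {"name": "nightly-0304", "taken_at": utc("2024-03-04T02:00:00"), "verified": True},
    ]
    chosen = choose_restore_point(backups, earliest_compromise=utc("2024-03-03T14:30:00"))
    return {
        "manifest_files": sorted(manifest),
        "clean": clean,
        "tampered": sorted(tampered),
        "chosen": chosen["name"] if chosen else None,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In the constructed scenario the newest backup is rejected because it postdates the first compromise indicator, and the one before it is rejected because it was never test-restored, so the selector falls back to the older verified copy. A real manifest should be stored away from the systems it describes (ideally signed) so that an intruder who alters the files cannot also alter the reference hashes.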
Longer-term resilience requires investment in detection, segmentation, and staff training, the experts add. Regularly tested backups, network segmentation to limit lateral movement, and clear escalation pathways for suspected incidents reduce both likelihood and impact. Continuous tabletop exercises that involve IT, legal, communications, and executive teams help embed the discipline needed for effective ransomware response.
Ransomware response is not just a technical challenge but a governance one, and Sjøberg and Skovbo say preparedness separates organizations that recover quickly from those that suffer protracted disruption. The combination of disciplined negotiation, rapid forensic action, and clear communications gives companies the best chance to regain control and limit damage.