Ransomware Response: Crisis Negotiators Outline Costly First-Hour Mistakes and Recovery Steps
Crisis negotiators Michael Sjøberg and Peter Skovbo say companies hit by ransomware must act fast and deliberately to regain control and limit damage.
Crisis negotiators with military and private-sector backgrounds are urging firms struck by ransomware to prioritize specific steps in the first hours after discovery to avoid compounding harm. Michael Sjøberg, a former Danish military hostage negotiator, and Peter Skovbo, head of the Swiss advisory firm Delta Crisis, shared practical guidance on containment, communication and decision-making that can shape the outcome of an attack. Their recommendations focus on clear leadership, measured negotiation, and technical and legal coordination to preserve evidence and operational options. Companies that rush or misstep in the initial response risk longer outages, greater data loss and steeper recovery costs.
Former hostage negotiator highlights the ‘first-hour’ pitfalls
Sjøberg warns that the immediate response mentality often mirrors panic, which can sabotage recovery. He says common errors include disconnecting systems without preserving forensic data and giving inconsistent instructions to staff, both of which can obscure the attack timeline.
According to Sjøberg, appointing a single incident commander within the first hour reduces confusion and prevents conflicting actions that attackers can exploit. That central leadership should coordinate IT, legal, communications and external advisers to maintain a unified response.
Containment and preservation: technical moves that matter
Skovbo stresses that containment must balance stopping spread with preserving logs and evidence for investigation and potential prosecution. He recommends isolating infected segments of the network while documenting every action to support forensic analysis.
Immediate technical steps include taking affected systems offline in a controlled way, capturing memory and disk images where possible, and securing backups to prevent secondary encryption. Delta Crisis advises organizations to avoid blanket wipes or premature system restorations until forensics teams have assessed the data.
Who should negotiate and how to approach extortion demands
Both Sjøberg and Skovbo emphasize that negotiation with attackers is a specialized task that should not be handled ad hoc by middle managers. They recommend bringing in trained crisis negotiators or experienced counsel to communicate with threat actors, when engagement is considered.
Negotiation goals differ from law enforcement objectives, and skilled negotiators can buy time, probe attacker intentions and gather intelligence without making commitments that undermine legal or operational options. The advisors caution that any dialogue must be tightly coordinated with legal counsel and investigators to avoid inadvertent admissions or evidence contamination.
Communications: telling employees, customers and regulators
Clear, accurate and timely internal communication is crucial to maintain trust and operational discipline, Sjøberg says. Employees need precise instructions about device use, passwords and reporting procedures to prevent accidental spread.
External messaging to customers and regulators should be managed by a joint legal and communications team to meet disclosure obligations while avoiding speculative claims. Skovbo recommends preparing concise factual statements that acknowledge the incident, outline immediate mitigations and commit to updates, minimizing speculation that could harm reputation or regulatory standing.
Legal and forensic priorities under time pressure
Preserving chain-of-custody and documenting response activities are legal imperatives that companies often overlook in the rush to restore service. Skovbo highlights the importance of involving legal counsel and a forensics provider early to guide evidence handling and regulatory reporting.
Different jurisdictions have varying breach-notification requirements and potential criminal implications, so multinational firms should map obligations quickly. Failure to meet reporting deadlines or to secure proper forensic records can lead to fines and weaken any future legal action against perpetrators.
Weighing ransom payments and operational trade-offs
Both experts stress there is no one-size-fits-all answer on paying ransoms, and decisions should be made only after assessing restoration prospects, legal risks and insurance coverage. Negotiators can sometimes reduce demands, but payment does not guarantee full data recovery or prevent future targeting.
Organizations should test and verify backups and alternative recovery plans before considering payment, and insurers, counsel and law enforcement should be part of that assessment. Skovbo warns that treating ransom payment as an immediate fix can entrench criminal business models and invite repeat attacks.
Final paragraph
Businesses facing ransomware must fuse disciplined crisis leadership with technical rigor, legal compliance and controlled communications to limit harm and speed recovery.