It’s Monday morning, 7:12 AM. Your IT manager calls: “The servers are encrypted. Every screen shows a ransom demand.” Or: It’s Wednesday afternoon — your CEO receives an email: “We have copied 380 GB of your company data. Customer records, contracts, payroll files. Pay up or we publish everything.” Your servers are running perfectly fine.
We see both scenarios at BeforeCrypt every week — often combined. Since 2019, we have guided over 2,000 organisations through cyber attacks — from 12-person trades businesses to publicly listed corporations. What has changed: Attackers no longer just encrypt — they steal data and extort, frequently both at once (Double Extortion). What we have learned: The first 48 hours determine everything. The extent of the damage, the duration of the business interruption, and often whether a company survives the attack at all.
This guide is not a theoretical manual. It is based on what we have seen, learned, and — sometimes painfully — experienced in over 2,000 real cases. We share the mistakes nearly every company makes, the steps that truly matter, and the truths that most guides leave out. Whether your servers are encrypted, your data has been stolen, or both.
The Reality of a Cyber Attack in Numbers (2025/2026)
Before we get into the emergency plan, the current landscape — because it has changed dramatically:
- Ransomware was involved in 44% of all data breaches worldwide in 2025 — a 37% increase over the previous year (Verizon DBIR 2025).
- For small and medium-sized enterprises (SMEs), ransomware was involved in 88% of all security incidents — SMEs have long been the primary target.
- 60–70% of attacks now involve data theft — often without encryption. Attackers steal data and threaten publication while systems continue running. Many companies realise too late that an attack without operational disruption is still a serious crisis.
- The average downtime following an encryption attack is 24 days. For many mid-sized businesses, that means nearly a month of limited or no operations.
- The average total cost of a cyber attack (including downtime, recovery, reputational damage) was between USD 1.8 and 5 million in 2025.
- Globally, documented ransomware incidents continue to rise year on year — and the true number of attacks is significantly higher than what is reported.
- 80% of attacks in 2025 used AI-powered tools — from deepfake phone fraud to AI-generated phishing campaigns (MIT Study 2025).
The average ransom demand for our mid-market clients in 2025 was $254,210. Through professional negotiation, we reduced actual payments by an average of 47%.
How Do You Know Your Company Has Been Hacked?
The most obvious case: A ransom note appears on every screen, files suddenly have extensions like .locked, .encrypted, or .blackcat, and nothing works. This is the moment most companies call us.
But in many cases there are warning signs beforehand:
• Unexpectedly slow systems, especially servers and network drives
• Files with changed names or unknown extensions
• Unexplained network activity outside business hours
• Antivirus software is disabled or cannot be updated
• Unknown admin accounts or permission changes in Active Directory
• Emails you did not send are leaving your system
Increasingly common — signs of data theft without encryption: You receive an email from unknown parties containing excerpts of your internal data (contracts, payroll records, customer lists) as proof. Or an IT security provider or authority informs you that your data has appeared on the dark web. Your systems are working perfectly fine — which makes it tempting to underestimate the problem. Don’t. The GDPR reporting obligations, extortion potential, and reputational damage are at least as serious as encrypted servers.
What many don’t know: Attackers are typically active in your network for days or weeks before they strike. They take their time to identify and compromise backups, exfiltrate sensitive data, and consolidate their position. Whether they ultimately encrypt, extort, or both is often decided just before the attack — based on what creates the most pressure.
Emergency Plan: The First 48 Hours — Step by Step
What follows is not a theoretical procedure. It is the process we have refined over 2,000+ cases. Every step is based on experience of what works — and what doesn’t.
Hour 0–1: Contain the Damage
1. Stay calm. We know this is easier said than done when your entire operation has shut down — or when you have received an extortion email containing your company data. But panic-driven decisions in the first 60 minutes are the most common cause of avoidable additional damage. Every minute you invest in deliberation saves hours later.
2. Disconnect infected systems from the network IMMEDIATELY. But do NOT switch them off! Unplug network cables, disable WiFi and Bluetooth. However, do not power devices down — the RAM may contain encryption keys that are invaluable for later analysis. For pure data theft without encryption: Do NOT panic-shutdown your network. The data has already been copied. Instead, check whether the attackers still have active access and close those specific entry points.
3. Assess the scope. Before you do anything else: Which systems are affected? Just one workstation? The entire server? Are backups accessible? Is the cloud affected? For data theft: What data was mentioned in the extortion message or provided as proof? Is personal data involved? This assessment takes 15–30 minutes and forms the basis for every subsequent decision.
4. Warn remote employees. Immediately inform all employees working remotely or connected via VPN. Instruction: Disconnect immediately, do not log in, do not “just quickly check whether it’s affected on my end too.”
Hour 1–4: Analysis and Communication
5. Contact your IT provider and/or internal IT. If you have an IT provider, call them now. If your provider has no experience with cyber attacks, say so openly and bring in a specialised incident response provider. Seeking help is not a weakness — it is professional.
6. Document the attack. Take screenshots or photos of the ransom note and encrypted files. Record: When was the attack discovered? Which systems are affected? What file extension do the encrypted files have? Is there a contact address or payment instruction from the attackers? For data theft additionally: Save the extortion email or dark web link (screenshot, do not delete). Examine the data samples provided: Are they genuine? What data categories are affected — personal data, financial records, intellectual property? Record the deadline and the amount demanded. This documentation is essential for three things: Identifying the attacker group, the insurance claim (if applicable), and the subsequent criminal complaint.
7. Identify the attacker group. Every group operates differently. The file extension of encrypted files and the text of the ransom note reveal which group you are dealing with. Tools like ID Ransomware (id-ransomware.malwarehunterteam.com) can help with identification. For pure data theft, the style of the extortion email, the named leak site, and the payment method provide clues about the group.
Why this matters: Some groups negotiate, others don’t. Some reliably delete data after payment, others don’t. With most current strains (LockBit, BlackCat/ALPHV, Akira, Play, Qilin), there is no free solution — the right negotiation strategy depends critically on the group.
Hour 4–12: Evaluate Your Options
8. Check backups — but properly. The most important question: Do you have a clean, current backup that has not been compromised? Three critical points we see repeatedly:
• Cloud backups may also be encrypted — check whether synchronisation has overwritten files with the encrypted versions.
• Offline backups (tapes, disconnected external drives) are your best chance — but only if they are recent enough.
• Before restoring a backup: Ensure the vulnerability through which the attack occurred has been closed. Otherwise, the same thing will happen again within days.
Important for data theft: Backups do NOT help here. The data is already in the attacker’s hands. Even if you wipe everything and start fresh — the stolen copy still exists. The focus here is not recovery but damage containment: negotiation, GDPR compliance, and preparation for possible publication.
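As an added example (not BeforeCrypt's own tooling), the check behind the first bullet above: a Python triage script that walks a backup or cloud-sync folder before anything is restored and flags files that carry the ransomware extensions named earlier in this guide, or whose extension promises a known format but whose bytes have no recognisable header and look like ciphertext (which is what a sync that overwrote originals with encrypted copies leaves behind). The extension list, the magic-byte table, the entropy threshold and the sample files are assumptions constructed for the demonstration.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Optional

# Extensions named in the guide; extend with the extension seen in your incident.
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".blackcat"}
# Well-known file signatures (magic bytes) for formats common in business backups.
MAGIC = {
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
}
# Assumption: ciphertext is close to 8 bits/byte; office files and PDFs sit well below this.
ENTROPY_THRESHOLD = 7.5
# Constructed stand-in for ciphertext: a repeated byte permutation, so its entropy is exactly 8.0.
FAKE_CIPHERTEXT = bytes((i * 131 + 17) % 256 for i in range(2048))

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: Path, sample_size: int = 4096) -> Optional[str]:
    """Return why `path` looks encrypted, or None if it looks intact."""
    suffix = path.suffix.lower()
    if suffix in RANSOM_EXTENSIONS:
        return f"ransomware extension {suffix}"
    head = path.read_bytes()[:sample_size]
    expected = MAGIC.get(suffix)
    if expected is None or head.startswith(expected):
        return None  # unknown format, or the header is what the extension promises
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return f"{suffix} header missing and content is high-entropy"
    return f"{suffix} header missing (mislabelled or corrupt, not necessarily encrypted)"

def scan_backup(root: Path) -> Dict[str, str]:
    """Map each suspicious file (relative POSIX path) to the reason it was flagged."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reason = classify(p)
            if reason:
                findings[p.relative_to(root).as_posix()] = reason
    return findings

def demo() -> Dict[str, str]:
    """Build a constructed sample backup in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "reports").mkdir()
        (root / "reports" / "q3.docx").write_bytes(b"PK\x03\x04" + b"word/document.xml" * 20)
        (root / "contract.pdf").write_bytes(b"%PDF-1.7\nstream\n" + bytes(range(32, 127)) * 10)
        (root / "notes.pdf").write_bytes(b"plain text saved with the wrong extension\n" * 50)
        (root / "payroll.xlsx.locked").write_bytes(FAKE_CIPHERTEXT)  # renamed by the ransomware
        (root / "invoice.pdf").write_bytes(FAKE_CIPHERTEXT)  # ciphertext synced over the original
        return scan_backup(root)
```

Run `scan_backup()` against the mount point of the backup set you intend to restore from; a clean set returns an empty dict, and any hit on a cloud-sync folder means the synchronised copies are not a usable restore source.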
9. Find the root cause. How did the attackers get in? The most common entry points:
• Phishing emails (46%) — an employee clicks on an attachment or link
• Compromised credentials (25%) — stolen or weak passwords, missing multi-factor authentication
• Insecure remote access (26%) — poorly configured VPN connections or publicly accessible RDP services
• Software vulnerabilities — unpatched systems, outdated firewalls, or VPN appliances
10. Understand your options. At this point, you realistically have the following options:
- Restore from backup — the best option if a clean, current backup exists.
- Decryption tool — only available in rare cases for older ransomware strains (check nomoreransom.org).
- Negotiation and payment — when no other option exists. Only with professional support.
- Accept data loss — when the cost of payment exceeds the value of the data.
If data has also or exclusively been stolen, additional options apply:
- Do not pay, manage damage proactively — File GDPR notifications, inform affected individuals, set up dark web monitoring. Often the right decision, especially if the data is not highly sensitive.
- Negotiate and buy time — Professional negotiation can extend deadlines, reduce demands, and create time for compliance. Even if you don’t intend to pay, negotiation can be strategically valuable.
- Pay for data deletion — In our experience, established groups generally honour the agreement: we receive deletion reports and companies are removed from leak blogs. However, there is no technical guarantee as with a decryption key — the decision requires professional advice.
Day 1–2: Authorities, Insurance, Communication
11. Notify authorities — and understand your reporting obligations. Regulatory frameworks increasingly require rapid disclosure of cyber incidents. In the EU, the NIS2 Directive (effective since October 2024) requires:
• Early warning to your national cyber authority (e.g. BSI in Germany, NCSC in the UK, CISA in the US, ACSC in Australia) within 24 hours
• Detailed incident report within 72 hours
• Final report within one month
Additionally: If personal data is affected, data protection laws apply — GDPR in the EU/UK requires notification to the relevant data protection authority within 72 hours. Similar obligations exist under CCPA (California), PIPEDA (Canada), the Privacy Act (Australia), and many other jurisdictions. If there is a high risk to individuals, they must also be informed directly. For data theft, reporting is virtually guaranteed, as personal data is almost always involved — employee records, customer data, email addresses.
Our clear recommendation: Always report. Even if you are unsure about your exact obligations. Failure to report can result in substantial fines. In our experience, reporting has never led to disadvantages — on the contrary, authorities respond more favourably when you self-report.
Criminal complaint: File a report with your national or regional cybercrime law enforcement unit. Law enforcement agencies worldwide are achieving increasing success in pursuing ransomware groups — your report contributes to these efforts.
12. Contact your cyber insurer. If you have a cyber insurance policy: Notify your insurer immediately. Important: Many policies have strict deadlines for claims notification (often 24–48 hours). Documentation is invaluable here — the better you have recorded the incident, the smoother the claims process.
If you don’t have cyber insurance: You are not alone — a significant proportion of businesses worldwide still lack cyber coverage. Use this incident as the catalyst to change that. We work with specialised insurance brokers and can connect you after the crisis.
13. Internal and external communication. Distinguish two communication tracks:
• Internal: Inform your employees openly and honestly. What happened? What is being done? What is expected of them? Uncertainty among employees creates rumours and unnecessary panic.
• External: Customers, partners, and potentially the public. Professional support (IT lawyer, communications adviser) is recommended here. Transparency builds trust — cover-up attempts always cause more damage when they come to light. For data theft, external communication is particularly critical: if your customer data is affected, customers will either hear about it from you — or from the media when the data is published.
Should You Pay the Ransom? The Honest Answer
Most guides say: “Never pay.” We say: It’s more complicated than that.
Paying a ransom is legal in most jurisdictions. The FBI and Europol advise against it but acknowledge that companies sometimes have no other choice. The reality: in the Sophos 2025 study, 63% of affected European companies paid the ransom.
When payment may be worth considering:
• No usable backup available
• The cost of business interruption clearly exceeds the ransom demand
• Sensitive data has been exfiltrated and threatens to be published (Double Extortion)
For pure data theft, the equation is different: Instead of a decryption key (a technically verifiable product), you are buying the deletion of data and removal from the attackers’ leak blogs. Our experience from over 2,000 cases shows: established groups generally honour this agreement — we receive deletion reports and companies are removed from the blogs. Their business model only works if paying victims are actually “freed.” However, a residual risk remains: you cannot technically verify that every copy has been deleted. Whether payment makes sense depends on the sensitivity of the data, the credibility of the specific group, the size of the demand, and your individual risk profile. Making exactly this assessment is our core business.
IMPORTANT: Never negotiate directly with the attackers. We regularly see direct negotiations go wrong:
• Attackers increase the demand when they sense how dependent the company is on its data
• Accidentally disclosed information (revenue, industry, insurance status) drives the price up
• Attackers’ decryption tools are not properly provided or contain additional malware
• Contact with the attackers breaks down (email addresses are shut down by law enforcement)
Data Recovery and Damage Containment
14. Back up encrypted files – before you attempt any recovery. Create a complete copy of all encrypted data on a separate medium. Why? If decryption fails, if the backup restoration goes wrong, or if a decryption tool is released later – you always need this copy as a fallback.
15. Restore from backup – the best path when available. Keep in mind: restoring terabytes of data can take days. Plan realistically. Prioritize business-critical systems: ERP, email, customer management first. Less critical systems after.
16. Decryption after payment – not a simple process. Even after a ransom payment, the work is far from over. The attacker’s decryption tool often malfunctions. In some cases, there are multiple keys for different systems. And: the decryption process itself can take several days.
For data theft: Damage containment instead of recovery. When data has been stolen, there is no “recovery” in the traditional sense. Instead, the focus is on damage containment: Set up dark web monitoring to check whether and where your data is being published. Complete GDPR notifications within 72 hours. Inform affected individuals proactively — before they discover it on the dark web themselves. And: Monitor long-term consequences, as data theft can come back months later — identity theft, fraud attempts, reputational damage. We provide this monitoring as part of our incident response.
The 5 Most Common Mistakes During a Ransomware Attack
We see these mistakes time and again — and they cost companies unnecessary money, time, and data:
Mistake 1: Panic-shutting down all systems. RAM contains valuable forensic information and potentially encryption keys. Disconnect from the network: yes. Switch off: no.
Mistake 2: With data theft, waiting and hoping nothing happens. Many companies hope the attacker is bluffing or that the data will never be published. In our experience, attackers follow through in the majority of cases. Every day without GDPR notifications increases your fine risk.
Mistake 3: Immediately restoring backups without finding the root cause. If the attack vector has not been closed, you will be attacked again within days. We have seen cases where companies were attacked three times in a row because they simply restored the backup each time.
Mistake 4: Negotiating directly with the attackers. Without experience with the specific group, you risk driving the price up, revealing sensitive information, or losing contact.
Mistake 5: Covering up the attack. Legally risky (GDPR, NIS2, and equivalent national regulations), damaging to reputation when it later comes to light, and: you potentially miss help from authorities and insurers. For data theft, cover-ups are particularly dangerous: if data is published and you failed to report, additional substantial regulatory fines are likely.
After the Attack: Restore Security and Emerge Stronger
17. Complete remediation. Ensure all ransomware and backdoors are fully removed. In many cases, attackers leave additional access points to return later. A thorough forensic analysis is not a luxury – it is a necessity.
18. Close vulnerabilities. Based on the root cause analysis: close the entry point. Update all systems. Implement multi-factor authentication for all access points. Segment your network. Protect your backups with an offline copy.
19. Train your employees. Humans are the entry point in 46% of cases. Regular awareness training and simulated phishing tests dramatically reduce this risk.
20. Create or update your incident response plan. Use the experience of this attack to develop a concrete emergency plan. Who gets notified? Which systems are prioritized? Where are the backup media? Which service provider is contacted in a future incident?
Conclusion: Preparation Is Your Best Protection
A cyber attack — whether encryption, data theft, or both — is an extreme situation. But it is manageable — if you know what to do. The vast majority of companies we have supported have emerged from the crisis. Some even stronger, because the attack was the catalyst for finally taking security seriously.
What we have learned from over 2,000 cases can be reduced to three sentences: First — stay calm and act methodically. Second — get professional help before you negotiate or restore systems yourself. And third — use the incident as a catalyst for genuine security improvements.
If you are in an active crisis right now: Call us. Whether your servers are encrypted, you have received an extortion email, or both — we have the experience, the tools, and the negotiation expertise to guide you through the next 48 hours. 24 hours a day, 7 days a week.
About BeforeCrypt
BeforeCrypt is a specialised incident response provider based in Europe. Since 2019, we have guided over 2,000 organisations through cyber attacks — from the first hour of the crisis to full recovery. Our core expertise: ransomware negotiation, data theft extortion response, crisis management under time pressure, and GDPR-compliant incident response.
If your company has just been attacked or you want to prepare for the worst case: Contact us for a free initial assessment.