Confusion.

That’s the first feeling washing over employees as they arrive at work to find blacked-out screens and cryptic messages – when the company has been hit by a malicious cyberattack.

What follows is a whirlwind of emotions and a really bad gut feeling.

So says former intelligence officer and one of Denmark’s most experienced ransomware negotiators, Michael Sjøberg from Delta Crisis Management, in a webinar on hacking and crisis planning.

The threat is growing

The threats from hackers are becoming increasingly aggressive, and the chance of getting attacked is only growing. For compliance professionals and companies, this means that GRC is no longer just a theoretical paper exercise – it’s becoming real and alive.

But what is it like to be in the eye of the storm? And what should you do? That's what we discussed with Michael Sjøberg.

The hacker playbook

“The first 72 hours are usually extremely tough. It's about stopping the damage and not sending the wrong message to the media,” Michael explains, and says that the attackers usually have a three-step agenda:

• Destroy the company’s backups
  
  
• Extract gigabytes, sometimes terabytes of data, as blackmail leverage
  
  
• Deploy malware to encrypt systems so no one can work
  

Enter your customer number

Michael shares examples of ransom notes he has seen, including one from the group Akira, a Russian ransomware gang of 40–50 people, likely based in Moscow.

They left a note much like old-school kidnapping letters, with magazine-clipped letters, where victims were instructed to access the dark web via a Tor browser, where a link would lead them to a chatroom. There, they'd enter a customer number to begin negotiations. If they refused to cooperate, the stolen data would be leaked.

When the situation gets to this point, there is one thing you must never do, Michael explains: Start negotiating with the hackers yourself.

Do’s and dont’s

Michael cannot emphasise it enough. You should always get help from professionals to deal with a hacker attack, especially in a ransomware situation.

“With ransomware, it's about communicating with the perpetrators to buy time and gain knowledge. Sometimes we've seen that companies move too fast and start doing something themselves. Then they're exposed to what's called a double whammy, where the perpetrators say, 'You were quick to deliver one and a half bitcoins. We need one and a half more', he explains, emphasising that the hackers are just waiting for you to have an extreme reaction. 

What you can and must do is have a practical, rehearsed response plan, and leadership with enough cyber knowledge to take the lead when crisis strikes.

Careful with communication

During an attack, the instinct is often to call customers and disclose the breach. But premature communication can cause unnecessary panic, says Michael.

He highlights cases where police cooperation quickly led to data being removed from criminal servers. A few days of silence could’ve prevented massive stress for customers.

“It’s not about withholding the truth,” he says, “but about knowing when it’s truly urgent to share it. That takes cold-headed decision-making.”

‍