Inside the First Hours of a Ransomware Attack: What Incident Responders See
When a ransomware attack strikes, panic often comes first. Systems freeze, files are encrypted, and business operations stop instantly. For many organizations, that moment of realization is the start of a long and stressful recovery.
For Andrius Liepinaitis, Senior Incident Response Manager at Kudelski Security, it is the moment when his team steps in. In a recent discussion with Valery Rieß-Marchive, Editor-in-Chief of LeMagIT, Andrius shared what really happens during the first few hours of a ransomware incident. His perspective shows both the chaos that organizations face and the calm, structured approach that professional incident responders bring.
“When my team gets a call, I know that a lot has already happened,” Andrius explained. “Some companies have prepared and have an IR retainer in place. Others have not, and when ransomware strikes, the panic begins.”
The Moment of Impact
Most ransomware incidents follow a familiar pattern. Employees arrive one morning to find files locked and systems offline. IT tries to reboot servers or restore data, only to discover that backups are missing or encrypted. A ransom note appears, demanding payment in cryptocurrency, and the organization faces an immediate crisis.
By the time Kudelski Security’s Incident Response Team is called, valuable hours have often passed. “Our first job is to assess impact,” Andrius said. “If backups are gone, we know negotiations may be unavoidable. If backups are intact, there is a path to recovery without engaging with criminals.”
Preparation makes all the difference. The FBI’s Internet Crime Report (2024) notes that ransomware remains one of the costliest cyber threats, yet many businesses still lack tested backup and recovery strategies.
Pre-Ransomware: The Narrow Window of Opportunity
Occasionally, Kudelski Security is called before encryption begins. Andrius calls these cases “pre-ransomware” situations. “It is rare, maybe 10 percent of cases, but when it happens, it can save an entire business,” he said.
In those scenarios, the team may connect remotely, analyze endpoint detection systems, and spot live data exfiltration. If they act quickly, they can literally stop the attack in progress.
Timing is critical. “You may have only two hours between the attacker gaining access and triggering encryption,” Andrius explained. “And most of this happens at night, when no one is watching.”
That two-hour detection window aligns with findings from IBM’s Cost of a Data Breach Report, which shows that companies with continuous monitoring and an incident response retainer identify and contain attacks significantly faster than those without. Speed directly affects whether data can be saved.
How Attackers Get In
Although headlines often describe ransomware as highly sophisticated, many incidents exploit simple security gaps. “The entry point is almost always the same: VPN appliances, remote desktop gateways, or other internet-facing systems without multi-factor authentication,” Andrius said.
In one case, a client believed MFA was enabled. It was not. Attackers performed password spraying for weeks until they succeeded. In another, an outsourced IT provider connected its own VPN device with default credentials. Within days, attackers had full network access.
The Cybersecurity and Infrastructure Security Agency (CISA) reports that credential-based intrusions now account for most ransomware incidents. Attackers steal or guess valid credentials, log in like legitimate users, and move quietly across the network. Because they often use legitimate tools such as TeamViewer, AnyDesk, or Rclone, there is little or no malware footprint to detect.
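The password-spray intrusion Andrius describes has a distinctive shape in gateway authentication logs: one source tries a few passwords each against many accounts, rather than many passwords against one, which keeps each account below lockout thresholds. The Python script below is an added example written for this article, not code from Kudelski Security or from the interview. The VPN log format, the IP addresses (documentation ranges) and the thresholds (at least five accounts, at most two failures per account, within ten minutes) are constructed assumptions for illustration.

```python
"""Password-spray detection over constructed VPN authentication log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not real logs. The format is hypothetical:
# "<ISO timestamp> src=<ip> user=<account> result=<OK|FAIL>"
# 203.0.113.7 sprays one guess across many accounts and eventually succeeds;
# 198.51.100.4 is a single user mistyping a password twice, which is not a spray.
SAMPLE_LOG = """\
2024-03-02T02:14:05Z src=203.0.113.7 user=alice result=FAIL
2024-03-02T02:14:09Z src=203.0.113.7 user=bob result=FAIL
2024-03-02T02:14:13Z src=203.0.113.7 user=carol result=FAIL
2024-03-02T02:14:18Z src=203.0.113.7 user=dave result=FAIL
2024-03-02T02:14:22Z src=203.0.113.7 user=erin result=FAIL
2024-03-02T02:14:27Z src=203.0.113.7 user=frank result=FAIL
2024-03-02T02:14:31Z src=203.0.113.7 user=grace result=OK
2024-03-02T02:20:00Z src=198.51.100.4 user=alice result=FAIL
2024-03-02T02:20:30Z src=198.51.100.4 user=alice result=FAIL
2024-03-02T02:21:00Z src=198.51.100.4 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_lines(text):
    """Parse log text into (timestamp, src, user, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources whose failures within `window` cover >= min_users distinct accounts
    while no single account exceeds max_per_user failures (breadth over depth).
    Returns {src: {distinct_users, window_start, compromised_candidates}}; the candidates
    are accounts that logged in successfully from that source after the spray began."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, user) for ts, user, result in evs if result == "FAIL"]
        best = None
        start = 0
        for end in range(len(fails)):          # sliding window over this source's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            distinct = len(per_user)
            if (distinct >= min_users and max(per_user.values()) <= max_per_user
                    and (best is None or distinct > best["distinct_users"])):
                window_start = fails[start][0]
                best = {
                    "distinct_users": distinct,
                    "window_start": window_start.isoformat(),
                    "compromised_candidates": sorted(
                        {u for ts, u, r in evs if r == "OK" and ts >= window_start}
                    ),
                }
        if best:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spray(parse_lines(SAMPLE_LOG)).items():
        print(f"spray from {src}: {info}")
```

Any account in `compromised_candidates` is the one to reset and investigate first, since a successful login after a spray is the attacker's foothold rather than a user's. The same logic maps directly onto the article's fix: with MFA enforced on the gateway, the guessed password for `grace` would still not have produced a session.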
The Backup Battle
Once inside, attackers target backups and hypervisors. “It is almost a rule,” Andrius said. “They go after virtualized environments like VMware or Hyper-V and destroy backups to maximize damage.”
Even when backups are deleted, recovery may still be possible. Working with forensic partners, Kudelski Security has restored large fragments of data that attackers attempted to erase. “Some groups are not as professional as they think,” Andrius added. “They make mistakes, and we can sometimes recover from those.”
The difference between recovery and disaster often depends on having offline or cloud-isolated backups. As The Hacker News has reported, modern ransomware groups routinely seek out and sabotage backup infrastructure, deleting snapshots or encrypting backup volumes so that victims have no easy path to recovery. The article stresses that without proper isolation and regular testing, backups may fail precisely when they are needed most.
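Backups that "fail precisely when they are needed most" are usually discovered during a restore, which is why the regular testing mentioned above matters. The script below is an added example, not code from the article or from any backup product. It shows the minimum of a restore test: a manifest of file hashes recorded at backup time and stored apart from the backup volume, then a comparison of a restored tree against that manifest so that missing, altered or stray files are reported instead of trusted. File names, contents and the temporary-directory layout are constructed for the demonstration.

```python
"""Restore verification against a hash manifest (added example)."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256.
    Record this at backup time and keep it somewhere an attacker who reaches
    the backup volume cannot also rewrite (offline media or an isolated account)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest.
    Only a report with empty 'missing' and 'modified' lists means the restore is usable."""
    restored = build_manifest(restored_root)
    return {
        "ok": sorted(p for p in manifest if restored.get(p) == manifest[p]),
        "missing": sorted(p for p in manifest if p not in restored),
        "modified": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(p for p in restored if p not in manifest),
    }


def demo():
    """Constructed scenario: take a manifest of a small tree, 'restore' a copy,
    then damage the copy the way an incomplete or tampered restore would look."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source")
        os.makedirs(os.path.join(src, "finance"))
        sample_files = {                      # constructed content, not real data
            "finance/ledger.csv": b"date,account,amount\n",
            "finance/q1.xlsx": b"\x00\x01\x02",
            "notes.txt": b"hello\n",
        }
        for rel, data in sample_files.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)        # recorded at backup time

        restored = os.path.join(tmp, "restored")
        shutil.copytree(src, restored)
        os.remove(os.path.join(restored, "finance", "q1.xlsx"))   # file never came back
        with open(os.path.join(restored, "notes.txt"), "ab") as f:
            f.write(b"tampered\n")                                  # content changed
        with open(os.path.join(restored, "stray.tmp"), "wb") as f:
            f.write(b"x")                                           # file not in backup
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:10s} {paths}")
```

Run on a schedule against a restore into scratch storage, this turns "we have backups" into "we restored them last week and every hash matched", which is the evidence an incident responder wants to see before deciding whether negotiation can be avoided.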
When Negotiation Becomes the Only Option
If backups are destroyed and restoration is impossible, negotiation with threat actors may be the only remaining choice. It's never a decision taken lightly. “Our goal is always to help clients restore safely and quickly,” Andrius said. “But when no data is recoverable, we may have to speak with the attackers.”
Negotiations can be unpredictable. Not all ransomware groups are equally organized or disciplined. Andrius described one case where a ransomware gang apologized after discovering that a rogue affiliate had tried to scam both them and the victim. “They even offered the decryptor tool for free,” he recalled. “They wanted to protect their reputation.”
This reality underscores that ransomware incidents are not purely technical; they are human conflicts requiring composure, discretion, and experience. Managing these interactions safely is one of the reasons professional incident response teams are essential.
The Human Side of Incident Response
The human toll of ransomware is enormous. For smaller or family-owned businesses, an attack can threaten survival. “When you have run your business for twenty years, a ransomware event can mean everyone loses their jobs,” Andrius said. “It's heartbreaking.”
Leadership matters during these crises. “The best outcomes happen when there is a calm leader on the client side,” he added. “Someone who avoids blame and keeps everyone focused.”
Ransomware response is as much about mindset and preparation as it is about technology.
Preparation Beats Panic
Ransomware continues to evolve, becoming faster, stealthier, and more professional. Yet Andrius’s frontline insights point to a consistent truth: the best ransomware response starts long before the attack.
Organizations that invest in incident response retainers, enforce multi-factor authentication, and maintain secure, offline backups recover faster and suffer less damage. Those that do not often find themselves making decisions under extreme pressure.
As Andrius summed it up, “You cannot control when an attack happens, but you can control how ready you are.”
Get Expert Help Before, During, and After an Attack
If you want to strengthen your ransomware readiness, reduce dwell time, and recover with confidence, speak with our specialists. Learn how Kudelski Security’s Incident Response and Digital Forensics team can help you prepare, respond, and restore business operations quickly:
https://kudelskisecurity.com/services/ir-and-digital-forensics
