Cyber Crisis: pay ransom or not?
Did you know? The communication between companies and hacker groups can be viewed publicly. Although the name of the company is anonymised, the dialogue is completely visible – including its result. Was payment made or not? Five or six-figure sums? Some sums are dizzyingly high.
“If you don’t pay us 1.5 million dollars immediately, all your confidential data will be published.” What sounds like a classic thriller scene is, in today’s digital age, one of the most common phrases announcing the start of a cyber extortion. Corresponding chat histories can be viewed on the website www.ransomware.live, in which the hackers make their demands in perfect English – thanks to ChatGPT or DeepL. Curiously, some of the groups thank their recipient for the transaction in a very polite manner.
Cyber Crisis: Numerous German companies affected
The operator of ransomware.live, Julien Mousqueton, has made it his mission to shed some light on the dark world of cyberattacks and continuously updates the page with new ransomware attacks by hacker groups. For instance, anyone interested in finding out which German companies have been the target of a cyberattack simply enters ‘Germany’ in the search field. The list is already extensive. Unfortunately, cyber crises have become a regular occurrence. The SAFEPAY group, for instance, targeted 155 companies, including many located in Germany, and demanded a high ransom. And this number will increase, as AI-powered attacks are now cheaper for hackers to execute, making even small businesses attractive targets.
Cyberattack: How Does It Unfold?
How does a typical cyberattack unfold? As an agency that has dealt with many cyber crises before, we often recognize the same patterns. Suddenly, employees lose access to company data and emails. Communication comes to a near halt. Only a few individuals in the company receive a message from the hackers, informing them that data has been stolen and will be published after a certain period.
Depending on their strategy, communication with the hacker group may or may not follow. Typically, these dialogues unfold in a manner similar to the example below:
The cybercriminals apply significant time pressure on companies to stress them out. Their goal is to reach a quick resolution, or rather, a conclusion. The longer the negotiations take, the worse the achieved outcome typically becomes.
The hackers are fully aware that the publication of sensitive data causes a severe loss of trust among employees, business partners, and customers, potentially leading to lasting reputational damage for the company. For this reason, cyber crises present major challenges for corporate communications, as they affect not only employees but also customers (such as those of an online store), newsletter subscribers, suppliers, investors, and other third parties.
What Can the Agency Engel & Zimmermann Offer During a Cyber Crisis?
A cyber crisis is an emergency. The crisis management team is absolutely essential. Based on our experience as crisis communication consultants, the most important questions at the beginning of a cyber incident include:
- Which parts of the company are affected?
- Are production areas also impacted?
- Has any sensitive customer or employee data potentially been leaked?
- Does the cyberattack affect all company locations?
- Who is currently able to work?
- Has the insurance provider been informed?
- Are IT forensic specialists already involved?
- When are payroll payments due?
- Is the company able to make payments?
- Are individuals with signing authority available?
- If email accounts are affected: which platform does the crisis management team use to communicate?
Communication-wise, the company must be able to speak and respond extremely quickly. In such cases, an agency can be very helpful because it’s able to operate independently from the affected organization.
Step one: Draft a clear written briefing for company leaders, which they can then pass on to their teams in person. Why: In the early stages of a crisis, administrative staff are often among the first to be impacted — typically losing access to emails, the intranet, and to company data.
Step two: Prepare a media statement that avoids being overly alarming. Keep in mind that cyberattacks often become public knowledge. Hacker groups frequently leak parts of the stolen data on the dark web as a form of bragging, and tech news outlets are quick to report on such incidents.
Step three: Prepare a Q&A document tailored to the affected stakeholders who are indirectly impacted by the attack — from suppliers to customers to employees. Their most common questions might include:
- Why am I unable to work?
- Are we the target of a cyberattack?
- Are we being extorted?
- How long will I be offline?
- Will my salary be transferred on time?
- What happens if we can’t deliver goods?
- What should I say to customers who try to contact me?
- How severe could the cyber crisis become?
Engel & Zimmermann assists you in preparing for the worst-case cyber crisis and simulates this situation. This way, corporate communication won’t be caught off guard when email communication is down and operational capability is severely limited.
Engel & Zimmermann GmbH
Leibstraße 51
85540 Haar near Munich
T: +49 89 8 935 633
F: +49 89 893 984 29
info@engel-zimmermann.de
Office Berlin
Prenzlauer Allee 7
10405 Berlin
Office Cologne
Anna-Schneider-Steig 17
50678 Cologne (Rheinauhafen)