Behind the Scenes of Ransomware: What Really Happens When Criminals Strike
In this RiskTalk episode, Northwave’s Pim Takkenberg takes us behind the scenes of real-life ransomware incidents. Drawing on hundreds of investigations, he reveals how professional and organised the ransomware industry has become – from rival criminal groups striking deals to complex negotiations with victims. Pim shares what really happens when companies are hit, the emotions in the first chaotic hours, and the common mistakes that make organisations vulnerable. He also explains why even small systems, like label printers, can cripple entire operations, and why preparation through basic measures such as multi-factor authentication, patch management, and monitoring remains the most effective defence.

"What on earth have I walked into?" That was the thought running through Pim Takkenberg’s mind when he discovered that two different ransomware groups had attacked the same company – and then struck a deal to settle the matter “neatly”.
As Director of Northwave Investigation & Innovation, Pim Takkenberg has witnessed hundreds of ransomware incidents first-hand – from the initial, disbelieving phone call to complex negotiations with cybercriminals. In the latest episode of RiskTalk, he takes us behind the scenes to reveal what really happens when cybercriminals hit.
The Netflix Moment: When Reality Outdoes Fiction
The most remarkable case of Pim’s career took place at a large German company. “When we arrived, it quickly became clear that two different groups had attacked the company – both leaving messages with contact details.”
What happened next could have come straight out of a Netflix series. Pim reached out to both groups to ask how they intended to resolve it. “To my utter surprise, within 24 hours I received messages from both parties saying one group had taken over, and the stolen data had been transferred to them.”
This incident illustrates an important trend: ransomware has evolved into a professional industry. “They simply made a deal between the two parties. It shows that for them, the business model matters more than the individual case.”
The Emotional Rollercoaster of a Ransomware Attack
When companies realise they have been hacked, there is a predictable pattern of emotions. “In those first conversations, disbelief is overwhelming,” Pim says. “Alongside that, there’s panic – or at least deep concern about the extent of the impact.”
The hardest part, he adds, is when he must deliver the bad news. “They often hope to be operational again within hours or a day. Telling them it will take days, sometimes weeks, is genuinely painful.”
One of Pim’s key lessons is how seemingly small components can bring entire operations to a halt. “For example, label printers. They’re often forgotten, but absolutely essential to start a process.”
In the pharmaceutical sector, for instance: “Without that little sticker, the medicine simply cannot leave the factory. It’s tied to strict protocols.” These “forgotten” systems can delay recovery by days.
The Basics Still Go Wrong
Despite years of awareness campaigns, cybersecurity experts still encounter the most basic security mistakes. “Seriously01, Seriously02, Seriously03… variations on obvious passwords – not very wise,” Pim says.
The simplest password his colleague Jelle ever found? Welkom123. These examples highlight a key point: successful attacks are rarely the result of sophisticated techniques, but of exploiting basic errors.
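An added example, not code from the episode or from Northwave, of a defender-side password policy check that rejects the two patterns just described: a common word with a numeric suffix (Welkom123) and the previous password with only its counter incremented (Seriously01 to Seriously02). The word list is a constructed sample and the function names are assumptions.

```python
import re
from typing import Optional

# Constructed sample of common base words found in weak passwords (assumption, not exhaustive).
COMMON_BASES = {"welkom", "welcome", "password", "wachtwoord", "summer", "winter", "admin"}

# Split a password into a base word, a trailing numeric counter and trailing punctuation.
_SUFFIX = re.compile(r"^(?P<base>.*?)(?P<digits>\d*)(?P<punct>[!?.]*)$")


def split_password(pw: str) -> tuple[str, str]:
    """Return (lower-cased base, numeric suffix), e.g. 'Seriously02' -> ('seriously', '02')."""
    m = _SUFFIX.match(pw)
    return m.group("base").lower(), m.group("digits")


def weak_password_reason(pw: str, previous: Optional[str] = None) -> Optional[str]:
    """Return why a candidate password fails this policy, or None if it passes.

    Rule 1: a common word plus a short numeric suffix (Welkom123).
    Rule 2: identical to the previous password, or differing only in the counter
            (Seriously01 -> Seriously02), which is the rotation trick the interview describes.
    """
    base, digits = split_password(pw)
    if base in COMMON_BASES:
        return f"common word '{base}' with suffix '{digits}'"
    if previous is not None:
        if pw == previous:
            return "same as previous password"
        prev_base, prev_digits = split_password(previous)
        if base and prev_base == base and digits != prev_digits:
            return "only the numeric suffix changed since the previous password"
    return None


if __name__ == "__main__":
    # Constructed sample checks illustrating both rules.
    for candidate, prev in [("Welkom123", None), ("Seriously02", "Seriously01"),
                            ("Seriously02", "correct-horse-battery")]:
        print(candidate, "->", weak_password_reason(candidate, prev) or "ok")
```

Such a check belongs in the identity provider's password filter, alongside the multi-factor authentication the interview recommends, since it only stops the weakest guesses.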
The Payment Dilemma: A New Reality
One of the toughest decisions during a ransomware incident is whether or not to pay. Pim advises always starting a dialogue:
“We always recommend at least engaging in conversation. It has major benefits – you gather more information and can make a better decision. And as long as you’re talking, they won’t leak your data. In short, you buy time.”
How do criminals decide on a ransom amount? “The rule of thumb is usually 2 to 3 percent of a company’s annual turnover. They look it up online and calculate from there.”
The reasons for paying have changed. “Fewer companies need to pay for recovery since most have proper backups in place. Today, it’s mainly about preventing data leaks – protecting employee passports or customer data that the organisation is responsible for.”
Ransomware Goes Mainstream
Pim sees two major developments. First, ransomware is becoming mainstream: “More novice hackers are using it, as encryption tools are freely available online.”
Second, the line between state actors and criminals is blurring: “In countries like Russia, criminals operate with the state’s tacit approval.”
An interesting paradox: “Professional criminals tend to keep their word. Amateur hackers, on the other hand, are less organised – which brings more risk.”
Practical Lessons for Organisations
Despite the complexity, the most effective solutions are surprisingly simple. “You can set up multi-factor authentication, make sure patch management is watertight, and implement some monitoring,” Pim says.
“These three measures alone keep ransomware criminals out in 98 percent of cases.”
Many organisations focus on the security of the software they buy, but forget to assess the security of the supplier itself. “What I notice is that companies think less about how their vendors manage information security,” Pim explains.
The difference between a bicycle manufacturer with three brake disc suppliers and an IT service provider is huge: “If one brake supplier fails, you have two others. No problem. But if your IT provider goes down, you’ve got a real problem.”
What do smart organisations do differently? “They take the threat seriously and translate it into what it means for their own risk profile. It’s not about fearmongering – it’s about realistic risk assessment.”
Looking Ahead: Risk Management as a Mindset
Pim’s advice for organisations that don’t want to be caught off guard in five years? “Recognise the value of the issue and take it seriously. Start with risk management.”
That means more than an annual review. “Trump may be re-elected, there’s growing debate about dependence on Big Tech – why wait until next year? Think now about what that means for your organisation.”
Ultimately, cybersecurity is a human story. Having started his career in the police, Pim values helping organisations directly. “Those worlds don’t have to be separate,” he says. Through projects such as Melissa, Northwave collaborates with law enforcement to track down ransomware criminals.
The Takeaway: Preparation Is Power
Pim’s stories show that ransomware incidents are complex – but not insurmountable. The key lies in preparation, realistic risk assessment and concrete action.
As Johan Cruyff famously said, “You only see it when you get it.” Cybersecurity is not just about technology – it’s about understanding risks and acting on them effectively.
For organisations aiming to strengthen their cyber resilience, the message is clear: Start with the basics (multi-factor authentication, patch management, monitoring), ensure reliable backups, and adopt a proactive approach to risk management.
Because as Pim puts it: “You create overview, insight, control. And that’s exactly what you want.”
Want to learn more about how to protect your organisation against ransomware?
Listen to the full RiskTalk episode with Pim Takkenberg – packed with insights and practical advice.
