db
Sign inSign up
← All Cyber Security services
Site auditInternal auditPhishingArchitectureIncident negotiationDarknet monitoring
Home /Cyber Security /Incident negotiation
Incident Negotiation · /cyber-security/incident-negotiation24/7 · −60% ON RANSOM

When the attack is underway — every hour costs money

Crisis response 24/7: negotiations with ransomware groups, containment, legal, PR, forensic. One-hour response after the call.

From 50+ incidents — we cut the ransom by 40–60% on average.

DEMO · #IR-0931
active

Negotiation · LockBit incident

Initial demand$850,000
Verified decryptonly 3 files
Counter-offer$240,000
Final amount$320,000
Reduction−62%
What we do

Four parallel tracks — not sequential

Attacker negotiations

Working with ransomware groups in chat/portals. The goal — buy time, verify "proofs", cut the ransom by 40–60%.

Attack containment

In parallel: isolating infected hosts, stopping lateral movement, protecting backups.

Legal and PR

Notifying regulators (GDPR), communications with customers, press, investors and insurers.

Forensic + report

Preserving artefacts, reconstructing the attack timeline, preparing a report for lawyers and insurance.

Numbers

What experience shows

One-hour response

On-call team 24/7. First reply within an hour after the hotline call.

Average −60% ransom

From the last 50+ incidents: proper negotiation strategy and technical verification cut the amount.

Parallel tracks

Negotiation + containment + legal track run simultaneously — not sequentially.

Resolved in 7–14 days

A typical ransomware case is closed within this window: from first call to restored operations.

When you need us

Any stage of an incident — from panic to post-mortem

/ 01

Being attacked right now

Encryption is already running, ransom demanded, phones blowing up. Call the hotline — we'll take the questions off your plate.

/ 02

Recently attacked

Recovering, preparing reports for regulators, doing incident review. We help with forensic and lessons learned.

/ 03

Afraid of ransomware

Preparing an incident response plan. We set up the processes, contacts, playbooks and team drills.

/ 04

Annual retainer

Want guaranteed response + regular IR drills. We plug in on-call.

How we work

Five steps — from call to post-mortem

1

Hotline call

Call +7 (800) 555-1R24 or message the chat — we answer within an hour, 24/7.

2

Triage

Quick situation assessment: what's encrypted, are there backups, has contact with the attacker started.

3

Track kickoff

In parallel: negotiation, containment, legal, customer & regulator communication.

4

Resolution

Either a deal with the attacker (with decrypt verification) or restore from backups.

5

Post-mortem

Forensic report, hardening recommendations, team drill based on the incident.

Inquiry

24/7 crisis response

Don't waste time — call the hotline or describe the situation below. We answer within an hour.

Hotline 24/7+7 (800) 555-1R24
Call
  • One-hour response, around the clock
  • NDA from the first message
  • Lawyers, PR and negotiators — on one team
  • Forensic report for insurance and regulators

Describe the situation

If the attack is happening right now — call the hotline. The form can be filled in parallel — speeds up preparation.

By submitting the form you agree to our data processing policy and the DevBay terms of service.

What's next: after submission an on-call analyst contacts you within an hour, any time of day. In parallel a dialog opens in DevBay's internal chat.

Time is money. Every hour matters.

If the attack is right now — call the hotline. If you want to prepare in advance — we set up a retainer and run an IR drill for the team.