
13 May 2026

If your company were hit by a ransomware attack and held hostage tomorrow morning, would you pay the ransom?
350,000 companies. One IT service provider. One click. And then a number appears on your screen: $5,000,000. What do you do? The answers you give now will determine your chances of survival later.
It’s a Thursday morning in December. At hundreds of accounting firms, medical laboratories, and law firms across France, employees arrive at the office – and nothing works. Servers are locked. Files are inaccessible. Salaries cannot be processed.
The cause does not lie with them. Their IT service provider, Coaxis, was completely shut down during the night of December 7, 2023, by a ransomware attack. And because Coaxis manages the entire IT infrastructure of its clients, 350,000 organizations were brought to a standstill at once.
The attack on Coaxis is central to the documentary Don’t Go to the Police, where you follow the story from the inside.
That is the rarely stated downside of outsourcing: if your provider falls, you fall with it. The attacker was LockBit, at the time the most prolific ransomware group in the world. Their demand: five million dollars.
This is not a hypothetical scenario. This is the reality of 2024 and 2025. And the question every executive must ask is not whether this could happen to you – but what you will do when it does.
of all global ransomware attacks were attributed to LockBit.
customers of a single IT service provider simultaneously taken offline.
ransom demanded, paid by no one – but the damage was enormous.
After a ransomware attack, organizations almost always ask the same question: do we pay, or not? That is understandable – but it is the wrong question at the wrong time.
The right questions should have been asked months earlier. How long can you survive without access to your systems? Who makes which decisions, and based on what information? Do you have offline backups that the attacker could not reach? And what do you communicate to your customers in the first 24 hours?
Coaxis ultimately chose not to pay – not for ideological reasons but based on a rational assessment: paying increases the likelihood of becoming a repeat target, finances criminal infrastructure, and offers no guarantee of full recovery of business processes. Instead, Coaxis rebuilt its entire IT environment within one month, largely thanks to offline backups that had remained out of the attackers’ reach.
Absolute prevention does not exist. What matters is how much damage you can absorb – and how quickly you can recover.
Those who pay buy time – nothing more. Payment to sanctioned groups increasingly creates legal exposure in many jurisdictions. LockBit also used a tactic known as double extortion: in addition to encrypting data, they threatened to publish stolen information.
In the case of Coaxis, that threat turned out to be a bluff. No data had been exfiltrated. But that only became clear weeks later, after investigators had infiltrated LockBit’s systems.
Meanwhile, Coaxis’s customers had little use for that nuance. Salaries went unpaid. Patient records were inaccessible. Employees who had done nothing wrong called their employers in desperation – who themselves were powerless because their IT provider was offline. Some were even threatened.
The human cost of an attack on a single link in the chain cascaded down to hundreds of thousands of people.
Risks of paying | Conditions for rebuilding |
|---|---|
|
|
For IT service providers and organizations with broad customer portfolios, this is often the hardest part. Coaxis was not only a victim – it was also responsible for the continuity of thousands of other businesses. When Coaxis was hit, the entire chain came under pressure.
This case shows that open communication is not a PR choice – it is an operational necessity. Customers who understand what is happening can take additional measures. Customers who hear nothing fill the vacuum with rumors and panic – and leave as soon as they can.
The message does not have to be complete on day one – but it must be honest:
We’ve been affected.
This is what we know.
This is what we are doing.
This is when you will hear from us again.
Four sentences that preserve trust – even under pressure.
The Coaxis attack did not start with an advanced zero-day exploit. It started with a phishing email. An employee of one of the clients clicked a link, entered credentials on a fake website, and gave attackers the keys to the entire network. Password: likely the name of a child, plus a number and an exclamation mark. LockBit was inside.
This is the paradox of modern cybersecurity: the most advanced attack groups exploit human habits. Urgency. Trust. Predictability. No firewall protects against that without the right awareness culture. And no IT provider can fully protect its customers if those customers themselves open the door.
Coaxis is not the only organization to face this. And those that emerge strongest all reach the same conclusion: preparation begins before anything goes wrong.
Take the ransomware attack on Q-Park in 2017. The WannaCry ransomware hit the company across seven countries simultaneously. Payment systems failed, barriers stopped working, and operations were severely disrupted. The damage was significant—but it could have been far worse.
What followed was not just recovery—it was a fundamental shift in direction. Q-Park decided that cybersecurity would no longer be negotiable. Not by country, not by department. Everyone follows the same approach—non-negotiable. And the CISO became a permanent strategic partner to senior management, not a siloed function.
The lesson drawn by CEO Frank De Moor and interim CISO Tom van Vooren is one every organization should ask itself:
Which risks are you willing to accept – and how much are you willing to invest to reduce them?
Read how Q-Park fundamentally transformed its security strategy