
If your company is held hostage tomorrow morning, will you pay?

350,000 companies. One IT service provider. One click. And then a number appears on your screen: $5,000,000. What do you do? The answers you give now will determine your chances of survival later.

It is a Thursday morning in December. At hundreds of accounting firms, medical laboratories, and law firms throughout France, employees enter the office and nothing works. Servers are locked. Files are inaccessible. Salaries cannot be processed.

The cause does not lie with them. Their IT service provider, Coaxis, was completely shut down by a ransomware attack on the night of December 7, 2023. And because Coaxis manages its customers' entire IT infrastructure, 350,000 organizations were also at a standstill at that moment.

The attack on Coaxis is central to the documentary Don't Go to the Police, in which you follow the story from the inside.

That is the downside of outsourcing that is rarely stated in a contract: if your service provider goes down, you go down with them. The attacker was Lockbit, at that time the most prolific ransomware group in the world. The demand: five million dollars.

This is not a hypothetical scenario. This is the reality of 2024 and 2025. And the question you must ask yourself as a manager is not whether this could happen to you, but what you do the moment it does happen.

44%: share of all global ransomware attacks for which Lockbit claimed responsibility.

350K: customers of one IT service provider simultaneously out of service.

$5M: ransom demanded, paid by no one. But the damage was enormous.

The wrong question

After a ransomware attack, organizations almost always ask themselves the same question: do we pay, or not? That is understandable. But it is the wrong question at the wrong time.

You should have asked the right questions months earlier. How long can you survive without access to your systems? Who makes which decision, and based on what information? Do you have offline backups that the attacker could not reach? And what do you communicate to your customers in the first 24 hours?

Coaxis ultimately chose not to pay. Not out of ideological conviction, but based on a sober judgment: paying increases the chance of becoming a target again, funds criminal infrastructure, and offers no guarantee of full recovery of business processes. Instead, Coaxis rebuilt its entire IT environment within one month, thanks in part to offline backups that had remained out of reach of the attackers.

Absolute prevention does not exist. What counts is how much damage you can absorb and how quickly you get back on your feet afterwards.

Pay up or rebuild: what the numbers don't tell you

Paying buys time. Nothing more than that. Payment to sanctioned groups makes you legally vulnerable in an increasing number of jurisdictions. Moreover, Lockbit employed a tactic known as double extortion: in addition to encryption, they also threatened to make stolen data public.

In the case of Coaxis, that threat ultimately turned out to be a bluff. No data had been stolen at all. But you only knew that in hindsight, weeks later, after detectives had infiltrated Lockbit's systems.

Meanwhile, Coaxis’s customers paid no heed to that nuance. Salaries were not paid. Patient records were inaccessible. Employees who had done nothing wrong themselves called their employer in desperation, who in turn could do nothing because the IT partner was down. Some were threatened.

The human toll of a single attack on one link in the chain thus trickled down to hundreds of thousands of people.

Assessment in the event of a ransomware incident

Risks of payment

  • You confirm that you are willing to pay and become a repeat target.
  • Potential legal exposure when paying sanctioned parties
  • Financing further attacks on others
  • Threats (double extortion) can continue even after payment
  • Reputational damage if payment becomes known

Conditions for rebuilding

  • Offline backups out of reach of the attacker
  • A documented incident response plan
  • A clear communication protocol towards customers
  • A financial buffer or involvement of a cyber insurer
  • The willingness to temporarily endure operational pain

The conversation you need to have with your customers

For IT service providers and other organizations with a broad client portfolio, this is often the most difficult part. Coaxis was not only a victim itself, but also bore the responsibility for the continuity of thousands of other companies. The moment Coaxis was hit, the entire chain came under pressure.

The case shows that open communication is not a PR choice, but an operational necessity. Customers who understand what is going on can take additional measures themselves. Customers who hear nothing fill the resulting vacuum with rumors and panic and disengage as soon as they are given the opportunity.

The message doesn't have to be complete on day one. But it does have to be honest. We have been affected. This is what we know. This is what we are doing. This is when we will update you again. Four sentences that maintain trust while everything is under pressure.

The human factor and why technology alone is not enough

The attack on Coaxis did not start with an advanced zero-day. It started with a phishing email. An employee of one of the clients clicked on a link, entered his login credentials on a fake website, and thereby gave the attackers the key to the entire network. Password: likely a child's name, with a number and an exclamation mark. Lockbit was in.

This is the paradox of modern cybersecurity: the world's most sophisticated attack groups primarily exploit human habits. Haste. Trust. Predictability. No firewall protects against this without the right culture of awareness. And no IT service provider can fully protect its customers if those customers themselves leave the door open.

Learning from an attack you do not experience yourself

Coaxis is not the only organisation that has experienced this. And the organizations that emerge strongest all draw the same conclusion: preparation begins before things go wrong.

We can likewise learn from the ransomware attack that Q-Park experienced in 2017, when the WannaCry ransomware struck the company in seven countries simultaneously. Payment systems failed, barriers could no longer be operated, and the company was turned upside down. The damage was extensive, but the consequences could have been much worse.

What followed was not a recovery operation. It was a fundamental change of course. Q-Park decided that cybersecurity is no longer up for debate. Not by country, not by department. Everyone follows the same approach, non-negotiable. And the CISO is no longer a silo, but a permanent sparring partner for senior management.

The lesson drawn by CEO Frank De Moor and interim CISO Tom van Vooren comes down to a question that every organisation can ask itself: which risks do you accept, and how much are you willing to invest to mitigate them?

What are you already prepared for?
