Ransomware doesn’t end when the ransom note appears, and it doesn’t end when systems come back online either. That was the throughline of our latest community AMA on r/cybersecurity, which ran in May 2026, where four security leaders who have handled ransomware incidents firsthand took questions on incident response and business continuity — from the first frantic hours to the legal fallout that lingers long after recovery.
Participating were:
- Gary Hayslip (u/Shaynei), former VP, senior security advisor, Halcyon
- Peter Clay (u/cpthuah36), CISO, Aireon
- Trey Blalock (u/Trey-Blalock-AMA), former CISO, researcher & keynote speaker, Verification Labs
- Adam Marre (u/amarre_sec), CISO, SVP, Arctic Wolf

How they actually get in
What was the most common way you noticed that the threat actor got in?
“Almost never something exotic. In my experience and across the industry, it’s valid credentials — phished, bought from an infostealer log, or reused from another breach — walking through the front door. The boring answer is the right one: identity is the perimeter, and the perimeter gets stolen.” — Peter Clay, (u/cpthuah36)
Clay’s top three controls to stop intrusion and exfiltration followed the same logic: security awareness education, phishing-resistant MFA, and EDR/XDR with humans actually watching it. As he put it, note that number one isn’t a tool: your people are the control that scales.
“Criminals aren’t stupid; they will take the front door if you leave it open for them, so you need to be religious about managing all of your identities — human, machine, and agentic.” — Gary Hayslip, (u/Shaynei)
Hayslip added that he’s talked to numerous CISOs who were deeply worried about CVEs and zero-days while staying totally oblivious to identity. The unglamorous attack surface is the one that gets used.
Contain, don’t nuke
What are the steps a CISO (or top cyber professional) should take immediately when they see they have been a victim of ransomware?
“Contain, don’t nuke. Isolate affected systems and disable compromised accounts — but don’t blindly power everything off. You’ll destroy memory-resident forensic evidence.” — Peter Clay, (u/cpthuah36)
That was step one of Clay’s seven-step list for the first hours, which also included declaring the incident, calling your cyber insurer before anyone else, preserving evidence, and refusing to talk to the threat actor yourself — that’s what professional negotiators are for.
“As a leader, you also want to calm people, execute, and watch for people who may be frozen or panicking. If the investigation is going on for a long time, you have to occasionally tell people to take breaks so they can perform better over time.” — Trey Blalock, (u/Trey-Blalock-AMA)
Blalock’s point is easy to skip in a runbook: incident response is a human endurance event. The plan fails if the people executing it do.
Paying doesn’t make it stop
How often have you seen victims of a ransomware attack get retargeted after paying the ransom?
“I’ve seen a company get ransomed twice within 2 weeks, and another one where the CEO made the situation much worse by yelling at the ransomware group in chat, then got ransomed multiple times and eventually didn’t get the keys in exchange for payment.” — Trey Blalock, (u/Trey-Blalock-AMA)
Blalock noted that Ransomware-as-a-Service has made repeat attacks more common, and that a lot of money is lost due to poor negotiation. Paying is a transaction with a counterparty that has no incentive to honor it.
“Direct re-engagement from the same threat actor is not very common, but data reuse absolutely is. Threat actors often share or sell stolen data, and it can resurface months or years later under different groups.” — Adam Marre, (u/amarre_sec)
In other words, the data you “bought back” is still out there. Marre and his IR teams have seen client data appear across multiple leak sites firsthand.
Recovery isn’t the end of the incident
One commenter, a consultant, described a client that suffered a double-extortion attack, declined to pay, and then went quiet — skipping follow-up meetings while the threat actor’s deadline ticked closer.
“What I see is that if you can’t definitively prove that client data left the building, then Legal defaults to ‘we don’t need to notify anyone.’ This, to me, is extremely dangerous.” — Gary Hayslip, (u/Shaynei)
Hayslip has watched this movie before: in a double-extortion case, the absence of proof becomes a justification for silence. He warned it’s the kind of reasoning that leads to class-action lawsuits and regulatory fines for failure to disclose.
“Getting back online is recovery. The fallout is the rest of the incident, and in these cases, that part isn’t over yet.” — Adam Marre, (u/amarre_sec)
Marre flagged the pattern behind it: once systems are restored, organizations treat the incident as done, even though the highest-risk phase — notifications, regulatory exposure, leaked data — may still be ahead.
Get the experience before the incident
A defender of 18 years asked how to prepare for an attack he’s fortunately never experienced.
“In effect, you can gain a lot of experience on the components of this process even if you don’t have an actual incident.” — Trey Blalock, (u/Trey-Blalock-AMA)
Blalock pointed to CISA’s free tabletop exercise packages, proactive threat hunting, and attack simulation tools as ways to build real muscle memory without real damage. Pick an attack from the news and figure out how you’d detect it in your own environment.
“You don’t want the first time you’re figuring any of this out to be during an incident.” — Adam Marre, (u/amarre_sec)
Marre’s checklist was blunt: make sure people know where the plan lives (including offline copies), test restorations rather than assuming backups work, keep backups immutable, and time how long recovery actually takes.
The takeaway
Across every thread, the panel kept dismantling the same assumption: that ransomware is a discrete event with a beginning, a middle, and an end. The intrusion starts months earlier with a stolen credential. The incident continues long after restoration, in legal reviews, disclosure decisions, and stolen data resurfacing on leak sites.
The organizations that fare best aren’t the ones with the most tools. They’re the ones that rehearsed, knew who to call, and kept their people functional under pressure. So here’s the uncomfortable question to bring to your next leadership meeting: if it happened tomorrow, would your first hour look like a plan or an improvisation?
Join us for our next AMA on r/cybersecurity, starting this Sunday, June 21st, when a new panel of security leaders will answer questions on the topic: “I’ve ripped and replaced a security product. Ask me anything.”
Get more from the CISO Series network: podcasts, blog posts, and our weekly Super Cyber Friday event. Head to ciso-dev.davidspark.dcgws.com/subscribe