Our next speaker's work focuses on the psychological impact of cyber crisis and emphasizing very much the mental well-being, health and well-being in cyber security. So to tell us more about this very interesting work, please welcome the Director of Innovation at Northwave, Inge van der Beijl.
Thank you so much for the introduction. I want to take you along with the story.
I'm Inge, working at Northwave. Northwave is an international cybersecurity company with the headquarters in Utrecht. Does it work? Does it click further? There we go. We have 250 professionals working from different perspectives. So we have the techies, we have the business people and we have psychologists. And we work in a risk-based, intel-driven way. And I want to take you a little bit along with our story, why intel-driven? And that also ends up in why mental well-being is an important aspect when you're talking about incidents.
We believe that if you truly understand the environment, the threat landscape, you can have a good idea about your risk and you can take the proper measures. And to bring you along with the story, I want to tell you about Wegner. That's a fictive company, but I will use examples we see in our daily life. I want to introduce Michael Matveev. Who knows him? No? Nobody? He is one of the key players in Lockbit. Lockbit was one of the largest ransomware groups we have seen in the last couple of years.
They're still one of the largest, but I do think that it's going to change because this guy was arrested last week in Russia. Then we have Dmitri Korochev. He is the most important man of Lockbit. He's the software developer. He's not arrested yet, but he's wanted. And I want to introduce you to somebody else.
Oh, sorry, now I'm going really fast. Ricky Smith. Ricky Smith is the IT manager of Wegner, working there for 20 years. Wegner is a production company, manufacturer. They have multiple locations. They have a few hundred employees. And Ricky is working there for almost 20 years. It's a family-owned company. He's not part of the family, but he feels part of the family. And on a certain moment, he gets a call. Because some strange things are happening in the network. Place yourself for a moment in Ricky's shoes, because he's driving towards the office. And in the office, he finds this.
Maybe you have seen one before. A ransom note. The whole system is encrypted. Nothing is working anymore. So you can already feel the amount of stress he must feel at that moment. Before I dive into that, I want to take you along what happened before. Has anybody of you experienced ransomware incidents? No? That's good to know. Because before you have the situation of a black screen, lots of things already happened in your network. You have the situation that the criminal wants to get in the organization. They do that via vulnerable passwords, phishing, or vulnerabilities.
And when they're in the company, they move themselves through the systems to get to the situation or to the point that they have the admin rights. That they can fully shut your company down.
And then, at that moment in time, they try to get all the data they need to get pressure on the organization. They try to destroy your backups, and they will get the data out of your organization. And then you're in a situation where Ricky is. And this is called ransomware as a service. It's a really, really professional business. And what we know is that in these, you can call that organizations, they are really well professionally organized. You can define seven different roles. You have the one that buys or creates access towards your company. And those are the initial access brokers.
You can buy access on the dark web for a few hundred dollars. Then you have the ransomware affiliate. That is really the spider in the web. He buys the access. He has the software or buys the software from the ransomware developer. And that is the one that's creating the attack on your company. And if you remember the different names, this is Michael Matveev. He is the ransomware affiliate. He gets around 70, 60, 70 percent of the ransom if paid. Then you have the data manager.
You can imagine that when a lot of information is stolen, that they need to find a kind of structure to get you some proof that your data is stolen and what kind of data is stolen. Then you have the ransomware developer. That is the one that's above in the food chain. That is that Dmitri Korochev. They get 20, 30 percent of the amount of ransom if paid. And you must imagine that from Lockbit in good times, you had Dmitri with 200 affiliates underneath them.
So you can imagine how much money is involved in these kinds of attacks because they ask for hundreds of thousands or even millions of dollars during attacks. And how do we know all of this? You have known Conti. That was a really large group till the war of Ukraine or when Russia came into Ukraine. On that moment in 2022, Conti spoke out positively regarding Russia. They supported Russia. And on that moment in time, Conti is hacked. And we have seen leaks of the chats that were used or were sent in their own group. Sixty-eight thousands of lines of information.
So that gives us a pretty good impression about how this group worked. They had holidays. They had two-week statements. They had an HR department, a development department. So they're quite professional. And this is really good to understand that this is the threat we're fighting against. And this is the threat putting pressure on all the individuals that have to react on the ransomware incident, as well with Ricky. This is not the real picture. I have the real picture as well, but it is quite the same. This is a really nice colleague who represents Ricky.
What happened with Wegner, they were in that incident. They had that black screen. And Ricky was really doubting what to do. So he had a conversation with one of his IT colleagues. And what he did not know is that the threat actor was still in the network. And he took this picture on that moment and used it in the negotiations a few days later to put pressure on that organization. What did Ricky in the end do? He called a computer emergency response team, our company. And when we help, we start several things. We start with recovery.
It can take up to 23 days before you're back in business again as a company. So you must imagine that you're at a standstill for at least a couple of days, up to a couple of weeks.
Again, a lot of pressure on you when you're the IT manager, but also on the CEO when you're responsible for this company. But also on communications or client services because they get the phone calls. We do forensics. We want to understand how did they come in? What did they do? And we start with threat actor communication. We want to make sure that we have all the information at the table to make difficult decisions. Are you going to pay, yes or no? Is data stolen? What kind of data is stolen? Do we need to decrypt it?
Et cetera, et cetera. And then we want to mitigate the mental impact. We did a research two years ago about the mental impact of ransomware incidents because we have supported many, many, many victims of ransomware incidents. And all the attention goes to getting back in business as soon as possible. Completely logical. But what we also saw is that it can take up to 23 days. You cannot work for 23 days, 24 hours a day. So we saw people crying. We saw mental health problems. We saw health problems. We saw fights. We have seen everything. And based on those experiences, we started our research.
How big is that mental impact? And what should we do? What we know is that we know now, after spoken to many victims, even a year or two years after the incident, one in seven directly and indirectly involved in the incident still have so much problems, mental problems, that they are above the clinical threshold. That they should seek for help to overcome the incident. We also saw that one in five want more professional help during and after the incident. And one in three would love to have more knowledge about what to expect during and after incidents.
So also with Wegner, this was a terrible situation. The organization was completely flat. They were part of a huge supply chain. So not only they had a huge burden on the company, but many of their clients were involved as well. And we saw that back. After a month, almost 80% reported physical symptoms like stomach pain, like headaches, like sleeping problems. And this was a huge team working in that company on that incident. 45% of the people involved had a specific score that scores on the clinical range of PTSD, post-traumatic stress disorder. That's a serious disease.
And we saw that 34% was already actively seeking for work. So is this only a story that is like, red flags, be aware. No. There are several things you can do. Before the incident, I will shortly have a look at the time. I'm still going. Okay. Before the incident, you can prepare yourself. Because already having attention for the mental side of these kinds of incidents helps. So many organizations have a crisis plan. Many organizations do several things to prepare themselves for a cyber crisis. Think about that mental aspect as well.
Because when you, we see that in many companies, when you have an incident, it's all, in almost every case, one or two people that are crucial, that know the network, that know the systems, make sure that they get enough rest, that they don't have the burden of all the other questions they got, get within IT, make sure that they can work on a specific issue they need to work on. On the other side, in many organizations, you have an HR department or you already have a kind of mental support system in the organization. Use that as well in these kinds of incidents.
What can you do during incidents? We see that when you are in an incident, you have check-in every morning, talking about all the different activities that need to be done that day. And also you have that moment during afternoon at the end of the day. Only asking the question, how are you doing, not from a practical perspective, but from a human perspective, are you green, orange or red, already helps to start that conversation so needed in these kind of situations. What you also can do is make sure that leadership is involved.
CEO, CFO is already involved because you have a ransomware incident and they have to have an idea about the steps we're taking with the threat actor or they have an important role towards stakeholders, but you also have that internal stakeholder. Let them show up, let them talk to the people, involve them also in this part and celebrate. Although it's hard work, you also have small successes and we try to, in many cases, step over them because we're busy. But celebrate, make sure that you have a kind of festive moment in these kind of incidents.
And what I already said, planning and task division, so important. Knowing what to do, knowing when to take rest. We as CERT also send people home because they really need to sleep and every moment in time everybody thinks, okay, let's do a few more hours and then we're ready. But those 23 days, that's not a few more hours, that's a few more days. And then evaluate. Make sure that you have a really good evaluation about that incident and again celebrate that it is over.
What we also advise is to make sure that you put out a questionnaire or a mental scan, so as we have, to get an idea about how everybody's really feeling. Feeling in IT or feeling in security is not the most logical combination and talking about those feelings as well is pretty hard. And with a questionnaire or with a scan, you get a better understanding about how everybody's doing because that's not that in your face as a conversation is. And remember, it's a sprint. It's not a sprint, it's a marathon because it really takes a long breath before you have that incident finished.
Because when the incident is over, all those weeks, the regular job is not done at that moment. So it's not only the peak of the incident, then you have to recover from all that work that has not been done till then. So understand that you really need to support your people in these kind of situations. And what about Wegner? What did they do? What was the end effect? In the end, their data was leaked on the website. This is the Lockbit leak site. You can find it on the dark web.
And what you see is that when your information is leaked, you can click on the company, you can scroll through all the data that has been leaked, and you can imagine that this has an enormous impact on your communication department, legal department, and also involves in many cases customers or personal information of your employees. So you're not ready yet. It's a marathon, not a sprint.
If you want to know more about the company I'm working for or about the report we have written about the mental impact of ransomware or other research we have done in the last couple of months, please feel free to scan the QR code. It's not phishing. So you can find some more information. And if you have any questions now, I'm more than willing to answer them. Thank you.
One round of applause for Inge then.