CEOs' ransom-first response worsens ransomware attacks on mid-sized firms

Ransomware attacks paralyse entire production lines and are increasingly targeting mid-sized firms, yet many chief executives still ask the wrong first question when hit, two cyber-security experts warned on Sunday.

“Nothing is more damaging than a CEO who starts by asking, ‘How do I pay?’” said Dr. Lena Bauer, head of cyber resilience at Munich-based consultancy RisikoProtect, in an interview with the *Handelsblatt* published today. Her colleague, IT-forensics director Tom Weber, added that ransom demands now routinely exceed €5 million for mid-market manufacturers whose just-in-time supply chains can be halted within hours. “The moment the production floor goes dark, every minute costs six figures,” Weber said.

The warning comes as fresh data from Germany’s Federal Office for Information Security (BSI) shows ransomware incidents in manufacturing rose 42 % in the first five months of 2026 compared with the same period last year. Firms with fewer than 500 employees accounted for 63 % of reported cases, reversing a trend in which only large corporations were targeted.

Experts stress that negotiation is a tactical step, not a strategy. Bauer and Weber recommend activating a pre-written “cyber playbook” within 15 minutes of detection, isolating infected systems, and engaging law enforcement before any contact with attackers. “Paying once does not guarantee decryption keys,” Bauer noted. “In 34 % of cases studied by RisikoProtect, organisations that paid were hit again within 90 days.”

The *Handelsblatt* report also highlights a growing secondary market for stolen industrial data. Attackers increasingly exfiltrate proprietary designs and customer lists, then threaten to auction them publicly unless a ransom is paid. “This is no longer an IT problem—it is a boardroom crisis,” Weber said.

Meanwhile, the BSI has urged companies to adopt a “zero-trust” architecture, multi-factor authentication, and immutable backups tested at least quarterly. Bauer added that insurers now routinely require these measures before issuing cyber policies, with premiums rising 200 % for firms lacking documented incident-response plans.

For mid-sized manufacturers already operating on thin margins, the financial shock can be existential. One unnamed automotive supplier in Baden-Württemberg told the *Handelsblatt* it had to halt three assembly lines for 48 hours in May after a Conti-style ransomware variant encrypted its ERP system. “We lost €12 million in orders and face potential lawsuits from clients,” the finance director, who asked not to be named, said. The company is still negotiating with its insurer over coverage.

With no signs of the attacks abating, Bauer and Weber counsel immediate action. “The worst mistake is paralysis,” Bauer said. “Have the playbook, test it, and rehearse it—before the screen goes red.”