They call it “stopping the bleeding”: the vital window to prevent an entire database from being ransacked by criminals or a production line grinding to a halt.
When a call comes into the cybersecurity firm S-RM, headquartered on Whitechapel High Street in east London, a hacked business or institution may have just minutes to protect themselves.
S-RM, which helped a high-profile retail client recover from a Scattered Spider cyber-attack has become a quiet, often word-of-mouth, success.
Many of the company’s senior workers are multilingual and have a minimal online footprint, which reveals scant but impressive CVs suggestive of corporate or government intelligence-based careers.
S-RM now claims the UK’s largest cyber-incident response team. Its first-responder service is comprised of about 150 experts worldwide. It has clients who keep it on retainer, victims referred by insurers, and “walk-ins”: people who suddenly realise their business is under attack and call the first few results on their search engines.
In the case of the Scattered Spider victim, which the Guardian understands was not Marks & Spencer or the Co-op – two retailers that were attacked in 2025 – a 30-minute Teams call with a retailer became “a 24-hour call with a rotating cast of experts”, says Ted Cowell, the director of S-RM’s cyber business arm.
“On average we’re getting back to clients within six minutes. Which is critical because often the first hours of a cyber incident can be the biggest chance window to determine the outcome of a case and its impact,” he says. “What can start as a network intrusion can then metastasise into a full-blown malware or ransomware scenario.”
Cowell, a Cambridge-educated Russian speaker, says that getting a handle on the attack during a “reconnaissance” period can result in a radically different outcome, compared with a slow response. Criminals often need time after their first penetration of a businesses’ systems to work out what is of most value. This short spell of time can therefore allow experts to prevent the most operationally painful of attacks. “Exfiltration” – the theft of critical data – and encryption, whereby businesses can be locked out of their own systems, can be the most damaging.
“Sometimes we can stop it from going boom,” Cowell says. Teams focus on “stopping the bleeding” by limiting or cutting the attacker’s access to systems. This is what S-RM’s team was able to do with the Scattered Spider victim: stopping the detonation of malware across systems.
Business is good as the cybercrime industry grows, but that comes with ethical challenges. S-RM and its industry peers have faced criticism for helping to facilitate the payment of ransoms to criminals who hijack businesses for money.
“Extortion support” is an important part of S-RM’s work. This means its specialists are in the room when ransoms are negotiated, sometimes doing the negotiation itself on behalf of a client. Cowell appears keen to avoid criticisms of feeding organised crime by helping businesses to pay ransoms, or by acting for insurers that sell policies covering ransom payments.
“We’re instructed by the policyholder, by the insured,” he says.
“Our ambition is to guide ‘no payment’ decisions wherever and whenever possible,” he continues, adding that businesses are increasingly taking that approach and not paying ransoms.
“Our role is to facilitate strategic thinking,” he says. “Give clients some structure to order their thoughts. They’ve probably not been in a situation like this before.
“The businesses’ decision as to what they do is their own. We just offer the template of a crisis, how things play out based on our experience.
“Why should we pay these criminals?” is a challenge Cowell says his team puts to top staff at affected businesses. “One of the things that we often educate boards on is that ransomware is an organised criminal enterprise.”
These nefarious groups have, he explains, “brands to uphold”. Established ransomware groups, typically speaking, will honour a settlement. S-RM also has an increasingly detailed picture of how these groups have behaved in previous negotiations.
The more established the group, the more likely they are to honour whatever settlement is agreed either by deleting stolen data or providing keys to decrypt critical files. S-RM offers a rundown of who’s who in terms of reliability, negotiating patterns, behaviours, even extending to sanctions concerns.
The latter rarely applies, however. Trying to impose sanctions on state-linked groups is a game of “whack-a-mole”, Cowell says. If so-called “threat actors” do appear on sanctions lists they tend to disband and reform in a new guise. The risk of putting money, albeit indirectly, into state-enemy hands is therefore another consideration for firms facing a cyber-attack.
Still, businesses do sometimes decide to pay up. It can be rational for their company’s circumstances, and ultimately “it’s always their decision”, Cowell says.
As the corporate moral code of paying ransoms matures, and decisions not to fund organised crime become more common, restoration and recovery services have become a bigger part of the cybersecurity response market. Increasingly it is a priority to just get systems back up and running as soon as possible with the forensic analysis of how someone got into a system becoming secondary.
In recent years, the UK government’s cyber-intelligence role has also shifted significantly. The National Cyber Security Centre “over the last four or five years has hugely transformed”, Cowell says. The NCSC has caught up with its Nordic equivalents and now proactively reaches out to victims, telling them they may be targeted based on intelligence.
“It was more of an information taker,” asking the likes of S-RM for information, which they would willingly provide with client consent, Cowell says.
“[Now] they are playing a more robust role, getting on the front foot and getting people together to facilitate information sharing. We saw the impact of that with the Scattered Spider attacks.,” he adds.
