As ransomware continues to plague organizations, the groups behind the malicious software are demanding larger payment amounts to provide the necessary decryption keys to unlock customers’ data.

In 2021, governments worldwide saw a 1,885% increase in ransomware attacks, with health care facing a 755% increase from prior years. According to SonicWall’s 2022 Cyber Threat Report, ransomware in 2021 rose 104% in North America, just under the 105% average increase worldwide.

If your organization has been affected by ransomware, you will inevitably be forced into a position that requires you to negotiate the ransom payment down to something more reasonable.

A problem exacerbated by Cyber Insurance

For a while, insurance carriers were simply paying out large sums of money with no real care for reducing their costs. Over time, the practice of paying any (and all) ransomware claims has become very costly for insurance carriers, especially as the sheer number of ransomware cases increases. Within the insurance industry, this was referred to as “death by a thousand cuts”.

Over the past several years, practices by insurance carriers have changed so not all ransomware claims are paid. Organizations are required to pay higher insurance premiums because of these losses, and more recently, insurance carriers are now considering not even allowing cyber insurance to be used for ransomware payments.

These changes have not slowed down the spread of ransomware or the overall increase in ransom demands. That being said, ransomware groups pay close attention to the maximum payout of an organization’s cyber insurance policy.

In the following conversation snippet taken from a recent leak of the Conti ransomware group’s private chats, one of the group’s leaders asks a lower-level negotiator to find out how much money is available in the organization’s cyber policy.

“If you have information about their cyber insurance and maybe they have a lot of money in the account, they need a bank payout, then I can bargain”

Starting the Negotiation Process

Step 1: Recovery Key Validation

During the first part of your communication with the criminal organization, it is customary to ask for a sample of the decryption keys to ensure that decryption and recovery can be successful. Important to note: The ransomware group will have already mapped your entire network and have a much better inventory of your assets than you do! They know every IP, hostname and machine type.

Assuming that to be true, don’t get cute and ask for a recovery key to a major machine like a domain controller. You won’t get it, and it will make you look foolish and inexperienced. An experienced negotiator won’t ask for a “sample recovery key” to the most important device on the network. They will know better, and you should, too.

After the sample keys are validated and decryption is successful, the actual negotiation starts.

Step 2: Starting the Negotiation

I have read articles claiming that ransomware representatives will get upset if you take too long to come to an agreement and may call the whole deal off. I have never seen this, nor do I believe it. The group is there to make money, and they have much more experience dealing with these situations than you do.

Organizations infected with ransomware will be left with a ransom note. This note will contain a custom portal URL necessary for initiating communication.

Can you negotiate down to $0?

No. Why would you be able to? I recently read a blog published at Cybersecurity Dive where the writer claimed that a client was able to negotiate a ransom payment down to $0 because the ransomware operator “felt bad” about hitting a healthcare organization. I can find absolutely no reason why this would be true. They don’t care about you and have no reason to help from the kindness of their heart. If they really cared, they wouldn’t be infecting people.

Even in instances of global catastrophes, such as the Colonial Pipeline attack, the ransomware group held firm despite the global attention they were receiving. They understood how critical the pipeline was to global operations and infrastructure, and held firm knowing they would receive a very large payment.

They are a business with one purpose: to make money.

Step 3: Communicating with the Ransomware Group

When dealing with ransomware groups, you will undoubtedly be communicating with a customer service rep who has been hired to negotiate the crypto payments in exchange for providing companies with the decryption keys to their data.

The reps on the front lines of these organizations probably don’t see themselves as criminals. I had one group actually recite this exact line during our conversations:

“We are a cybersecurity company. We help companies find vulnerabilities in their systems and help fix them. This is our fee.”

What to Expect in Ransom Negotiations

Organizations Should Not Negotiate Directly with the Ransomware Group

If your organization falls victim to ransomware, it is not advisable to try to negotiate the ransom amount down directly, because you don’t want emotions coming through in the process.

If the ransomware group detects you being emotional, they may perceive you as desperate and will know to hold out, because you will eventually pay the full demand. In other words, don’t get mad at the operator and don’t try to threaten them. Just keep a cool, even tone, and if possible, act disinterested and aloof.

Ransomware Groups Expect to Negotiate

The following conversation is from the recent leak of the Conti ransomware group’s chat logs, and shows group members openly discussing an active negotiation with a victim.

Member 1: “they offered 500k”
Member 2: “I think you can push it up to 800-1kk”
Member 1: “I think we’ll hit 1.5kk”
Member 1: “but if you have information about their cyber insurance and maybe they have a lot of money in the account, they need a bank payout, then I can bargain”
Member 2: “I think this negotiator has already negotiated with us”

The groups are used to experienced negotiators and have already done their research on how much they can reasonably get, based on factors like company revenue, employee count, and overall criticality to the public. They are not only negotiating with the victims; they also have an approval structure they need to follow before accepting an offer.

As seen in the conversation snippet above, member 1 (the front-end operator) asked his boss (member 2) whether he had any additional information on the organization that could be used to bargain further. Ultimately, member 2 would have to sign off on the final negotiated amount.

Extortion Scare Tactic: Ransom Time Limits

Once you start communicating, the ransomware group will add a time limit to the negotiations. In our experience, these are not real deadlines. The deadlines are nothing more than a negotiation tactic designed to create urgency and get the victims to pay faster.

Some articles claim the ransomware groups might get upset if you take too long and will call the whole deal off. I have never seen this, nor do I believe it.

The ransomware group knows that reaching a settlement will require approval from executive teams on both sides of the fence. Not only that, purchasing crypto is still not a straightforward process. It typically involves wire transfers, which can take days to clear, especially with larger amounts. And if the attack occurs on a weekend, you could be looking at 4-5 days before the crypto is ready.

Look at it this way: if a ransomware group is asking for $500,000 within 2 days, but it takes you 10 days to get the funds together, do you really think they aren’t going to sell you the decryption keys?

Extortion Scare Tactic: Having Your Data Leaked

This one is my favorite because it is so easy to defuse. “If you don’t pay us what we asked for, we are going to leak all of your critical files online”. My response to this is always the same: “Fine. Go ahead”.

Leaking the data is a completely empty threat, and I will explain why. Let’s say a law firm is hacked and the ransomware group leaks 100GB of confidential attorney data on their dark web portal.

First, trying to download anything over the dark web is painfully slow. The network is designed to maintain anonymity by routing your traffic through relays all over the world. Next, the servers hosting the data usually aren’t state of the art with fast gigabit connections. Add to that the fact that there are multiple people trying to download from the same slow connection, and you have a situation where no one is going to get very far in acquiring the data. Once I explain all of this to the ransomware negotiator, they usually move on and never come back to this subject.

Coming Up Next…

That’s it for this episode of Ransomware Negotiations. In the next part of this series, we will discuss whether or not you should pay the ransom, the validity of the recovery keys, and the strain caused by the recovery process.