What I learned from million-dollar ransomware negotiations?

Huzeyfe ONAL
4 min read · Mar 12, 2023

I’ve done a lot of ransomware negotiations in the last 3 years, some of them around $100k–$500k and some of them in the multi-million dollar range. My highest ransomware deal was $12,000,000 and I was able to close the deal for $450,000. In this article, I would like to briefly share what I have learned from the ransomware deals I have done.

Ransomware attacks are becoming increasingly common in today’s digital landscape. In the last few years, the threat has evolved from simply encrypting files to also stealing data, causing businesses to lose sensitive information and pay a hefty price to recover their data.

As a result, the need for negotiation with threat actors has become more prevalent, and it is imperative for organizations to understand the best way to handle these negotiations.

1. Don’t introduce yourself as a manager or an authority.

When negotiating with a ransomware group, it is essential not to introduce yourself as a manager or an authority figure. Instead, it is best to introduce yourself as an IT employee who is responsible for resolving the issue at hand. This approach will allow you to negotiate with the group without drawing attention to your position in the organization. By presenting yourself as a regular employee, you can approach negotiations from the perspective of getting the job done and returning to normal work.

2. Extend the negotiation process in a controlled way.

One of the primary tactics in ransomware negotiations is to extend the process in a controlled way. Instead of playing the bad guy, say that you need to check with management for every request: take your time and stretch the negotiation. The longer the negotiation runs, the less patience the ransomware group will have, and the more willing they will be to offer a discount to resolve the issue quickly.

3. Ask for a list of the files that were extracted from the system.

When negotiating with a ransomware group, it is crucial to ask for a list of the files that they extracted from the system. From that list, randomly select three to five files and have them returned fully decrypted. This lets you test the authenticity of the group’s claims and confirm that they actually hold the keys needed to decrypt your files. Include at least one large file in the sample, since large files are where decryptors most often fail, and you need to know they decrypt correctly before anything is paid.
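The sample check above is easy to do badly: a file that "comes back" is not proof that it decrypted. The following is an added example, not code from the author, of how an incident responder can pick samples reproducibly from the attacker's file list and verify each returned file, by SHA-256 against a backup copy where one exists and by file-type magic bytes otherwise. Paths, the magic-byte table and the demo files are constructed for illustration.

```python
import hashlib
import os
import random
import tempfile

# Constructed subset of file signatures; extend with the types present in the list.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}


def pick_samples(file_list, n=5, seed=None):
    """Choose n paths from the attacker's file list. A seed makes the choice
    reproducible so the same sample set can be re-requested later."""
    rng = random.Random(seed)
    files = list(file_list)
    return rng.sample(files, min(n, len(files)))


def sha256_of(path):
    """Stream the file so large samples do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_decrypted(path, expected_sha256=None):
    """Return (ok, reason). A reference hash from backup is the strongest check;
    without one, fall back to the file's magic bytes. Empty or missing files and
    types with no known signature are never counted as verified."""
    if not os.path.isfile(path):
        return False, "missing"
    if os.path.getsize(path) == 0:
        return False, "empty"
    if expected_sha256 is not None:
        return sha256_of(path) == expected_sha256, "hash"
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return False, "unverifiable"  # pick a different sample instead
    with open(path, "rb") as f:
        head = f.read(len(magic))
    return head == magic, "magic"


def verify_samples(samples, reference_hashes=None):
    """Verify every chosen sample; returns {path: (ok, reason)}."""
    reference_hashes = reference_hashes or {}
    return {p: verify_decrypted(p, reference_hashes.get(p)) for p in samples}


def run_demo():
    """Constructed demo: three 'returned' samples in a temp directory, one of
    which still looks like ciphertext and one of which has a backup hash."""
    d = tempfile.mkdtemp()
    good_pdf = os.path.join(d, "report.pdf")
    with open(good_pdf, "wb") as f:
        f.write(b"%PDF-1.4\n% constructed sample document\n")
    still_enc = os.path.join(d, "invoice.pdf")
    with open(still_enc, "wb") as f:
        f.write(b"\x7f\x01\xaa\x55 still ciphertext, no PDF header")
    ledger = os.path.join(d, "ledger.csv")
    ledger_bytes = b"id,amount\n1,100\n"
    with open(ledger, "wb") as f:
        f.write(ledger_bytes)
    refs = {ledger: hashlib.sha256(ledger_bytes).hexdigest()}  # from backup
    samples = pick_samples([good_pdf, still_enc, ledger], n=3, seed=1)
    results = verify_samples(samples, refs)
    return {os.path.basename(p): r for p, r in results.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} ({reason})")
```

Any sample that fails or is unverifiable should be replaced by another random pick, and a failure on a large file is exactly the evidence the text says you need before the price discussion continues.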

4. Report to the local authorities.

One of the common tactics used by ransomware groups is to threaten to report the stolen data to public authorities. It is therefore crucial to report the incident to the local authorities before the ransomware group has a chance to do so. Even if you decide not to report it, make it clear in all correspondence that reporting matters to you and that you have already reported the matter.

5. Always ask for a reason for the price charged.

When negotiating with a ransomware group, it is essential to ask for the reason behind the price charged. Typically, ransomware groups demand between 1–4% of annual revenue, a figure they take from publicly available data. From there, you can counter-offer a percentage of annual profit, not revenue.

6. Do not make accusations that will anger the other party.

When negotiating with a ransomware group, it is essential to remember that it is a commercial business for them. Therefore, it is best to act in accordance with your commercial interests and avoid making accusations that will anger the other party.

7. Don’t give the classic excuses like “my mom is sick” and “my dad is over there”.

They have heard it all dozens of times.

It’s important to be honest and straightforward during ransomware negotiations. Making up excuses will not help and could even damage the negotiation process. The threat actors have probably heard every excuse in the book and are not likely to be sympathetic to your personal problems.

8. Make sure that they do not have active access to the systems. If you are not sure, try to find out by asking questions.

During negotiations, it’s important to determine whether the threat actors still have active access to your systems. If they do, they could cause further damage or re-infect your network. Be sure to ask questions to determine if they still have access and take steps to secure your systems if necessary.

9. Determine in advance how many interruptions you can withstand or how much you will pay and determine your strategy accordingly.

It’s important to have a plan in place before ransomware negotiations begin. Determine in advance how many interruptions your business can withstand and how much you are willing to pay. This will help you stay focused during negotiations and make informed decisions.

10. Make sure they delete the data. Ask for a sample video for this.

Once the ransom has been paid and the data has been decrypted, it’s important to ensure that the threat actors delete the data they extracted from your system. Ask for a sample video to confirm that they have deleted the data and take steps to monitor your systems for any signs of further intrusions.

Conclusion

Ransomware attacks are becoming increasingly common, and it’s important to be prepared for the possibility of a ransomware attack. While prevention is always the best approach, sometimes negotiations are necessary to get your data back. By following these lessons learned from million-dollar ransomware negotiations, you can increase your chances of successful negotiation and minimize the impact of a ransomware attack on your business. Remember to stay calm, be honest, and have a plan in place before negotiations begin.

Best,
