14 tactics to use during a ransomware negotiation

Security researchers analyzed 700 incidents to understand the economics of these threats as well as what bargaining tactics work.

Ransomware concept

Image: Rzt_Moster/Shutterstock

Be polite during negotiations, ask for more time and always request a test file for decryption. Those are a few of the best practices for dealing with a ransomware attack, according to a new analysis of 700 incidents. 

More about cybersecurity

Pepijn Hack, cybersecurity analyst, Fox-IT, NCC Group and Zong-Yu Wu, threat analyst, Fox-IT,  NCC Group wrote the research paper, “‘We wait, because we know you.’ Inside the ransomware negotiation economics.” The researchers explain how adversaries use economic models to maximize profits and what strategies ransomware victims can use to win more time and reduce the final payment as much as possible. The report is based on two datasets. The first consists of 681 negotiations and was collected in 2019. The second dataset consists of 30 negotiations between the victim and the ransomware group and was collected from the end of 2020 and the first few months of 2021.

Here’s a look at what tactics work as well as how thieves set the ransom figure. 

Negotiation strategies for ransomware attacks

In addition to analyzing the financial component of ransomware attacks, the researchers reviewed conversations between the attacker and the victim. The full report includes quotes from actual conversations between ransomware gangs and their victims. 

SEE: Fear and shame make it harder to fight ransomware and accidental data loss, report finds

The researchers developed these strategies based on failures and successes in negotiations from ransomware cases they analyzed. They have advice about which negotiation tactics to use and smart steps to incorporate into the response.

The research team has this advice for companies to implement before starting the negotiation process:

  1. Don’t open the ransom email or click on the link; that’s when the clock starts ticking.
  2. Think about best and worst case scenarios and how to respond to both.
  3. Set up internal and external communication lines with senior management, legal counsel and the communications department.
  4. Research your attacker to understand how the group has handled ransoms in the past.

If your company decides to pay the ransom, the researchers suggest using these negotiating tactics:

  1. Be respectful: This is a business transaction, so avoid making threats and leave emotions out of it.
  2. Ask for more time: Adversaries are often willing to extend the timer if negotiations are ongoing.
  3. Offer to pay a small amount now or a larger amount later: Bad actors want to close the deal quickly and move on to the next target and they will sometimes agree to take less if they are paid more quickly.
  4. Convince the attacker you can’t pay the full amount: The research showed that the tactic of constantly stressing the inability to pay the ransom can lower the price.
  5. Don’t reveal whether or not you have cyber insurance and don’t store any documents about the policy on reachable servers.

Finally, the analysts recommend adding these steps to the process of responding to an attack:

  1. Set up a different means of communication with the adversary.
  2. Ask for a test file to be decrypted.
  3. Ask for a proof of deletion of the files. 
  4. Prepare for your files to be leaked or sold.
  5. Ask how the bad actor hacked your network.

How thieves set the ransom

In addition to identifying helpful negotiation tactics, the researchers studied how attackers set the ransom figure. Each ransomware gang has created their own negotiation and pricing strategies meant to maximize their profits, according to the report. Also, many attackers spend weeks collecting data from the target’s network, including sensitive data and  financial statements. Adversaries know how much victims will end up paying, before the negotiations even start.

The researchers created an equation to predict the cost of a particular ransom. Elements of the equation include:

  • The final ransomware demand on case
  • The percentage left after exchanging the cryptocurrency to “clean” currencies 
  • The percentage left after paying the commission fee for the RaaS platform
  • The final decision made by the victim on to pay or not, zero if the victim decided not to pay and one if the victim did pay 
  • The cost of carrying out the attack 

 Also see