Managing Ransomware Negotiations

Written by Omar Sheppard

“Hello, my friend! Your system was vulnerable and I’m here to teach you a lesson, a security lesson!”

To discover a message like the one above is the worst nightmare for any business or person to find on their network. It generally means all of your company’s files have been encrypted, and the cyber criminal is demanding payment to give you the chance of decrypting and recovering your data. In a worst-case scenario, the ransom note also states that sensitive files have been taken and will be published or sold if no payment is made for the data; welcome to the modern world of ransomware!

Ransomware attacks, regardless of whether they are opportunistic or targeted, are generally extremely disruptive and can threaten the continued existence of an organization. As with any ransomware attack, assessing the damage and the state of the network can often reveal an ugly truth regarding the cyber security posture of the victim, and fully test the victim’s capabilities to recover and return to operational efficiency quickly or at all.

Governmental advice and regulation

Many companies often find themselves going down the necessary route of engaging with the ransomware group directly or through a dedicated Negotiator such as a cybersecurity expert. US and Canadian authorities officially discourage ransomware victims from engaging with threat actors because any payment of ransom encourages and finances further criminal attacks and money laundering. FinCEN has systematically ramped up its notifications on ransom payments and increased compliance obligations regarding sanction checks, money laundering regulations as indeed have other governmental organisations around the world.

Such discouragement is often ignored when the continued operation and survival of the company is completely dependent on recovering critical company data which has been encrypted in the attack. From the standpoint of the victim, paying a ransom is often seen as the best solution in preference to being provided with a decryptor or indeed rebuilding the data from the ground-up which could prove to be more time consuming and costly, if such an option is even possible.

The importance of using an experienced and professional ransomware negotiator

The primary objectives for ransomware negotiators is to learn, through experience, who the criminal organisation is,  gather information and intelligence on their modus operandi and probe for further into the likelihood of data exfiltration, and deal with the de-escalate of threats or further damaging action being taken against the victim and; more importantly; lower the demand as far as possible without derailing the negotiation.

How these objectives are achieved can vary from engagement to engagement, but it is imperative that the negotiator should gather and establish as much information as possible, such as:

  1. Establish secure lines of communications to avoid exposure or disclosure by unauthorized parties or the criminal.  Be aware that the criminal may be monitoring a victim’s email and communications to understand how they are responding to the ransomware attack and ascertain if they are seeking outside help. Therefore, it is important to establish completely separate lines of communication outside of the compromised environment.
  2. Identify variant, or the group, responsible to understand the group’s motives, ransoms, dispositions, techniques, negotiation style etc. Each ransom group will have a unique disposition and response to negotiation. Experienced negotiators build a catalogue of negotiation styles based on the groups they have dealt with in order to maximize the best possible outcome by reducing the ransom demand. Establishing the criminal’s history with re-extortion, exfiltration and their process in decryption and data deletion is also important.
  3. Ascertain the extent of the need to pay the ransom. This is dependent on whether the victim is fortunate enough to be able to continue their operations and recover data via good backups. The risk of data exfiltration must always be considered because one could be dealing with a ransomware group known to exfiltrate data as part of its double extortion strategy.
  4. Establish what deliverables are required based on impact and variant or group. It is important to understand exactly what the end goal is when deciding to engage with a cyber criminal, and in turn what the end deliverables should be if a payment is made. Deliverables can include a decryptor for Windows and Linux systems, deletion of all stolen data, proof of deletion, information on how the attack occurred etc.
  5. If engagement with the threat actor is required, discuss contextual background information. Every incident is unique. It’s important to understand the victim’s trading status, industry, finances, insurance programme, the data sets impacted or stolen as examples. The list goes on, but all of these points can have an impact on the negotiations and could potentially be used against the victim in the negotiations.

Negotiation strategy

Once all of these issues are considered and facts established, negotiations can begin.

  1. Monetary demands. Experienced negotiators will quickly ascertain exactly how much the threat actor or group is really asking for rather than what they have initially demanded.
  2. Proof of exfiltration. Experienced negotiators will quickly ascertain whether the criminal group has a history of stealing data.
  3. Confirm proof of decryption. Otherwise known as ‘proof of life’. Experienced negotiators will quickly ascertain whether the criminal group can actually decrypt data files and just how serious the threat in question really is.
  4. Threat escalation tactics. Experienced negotiators will quickly ascertain whether threats of escalations in the demand, data leaks or imposition of stringent deadlines are likely.
  5. Government and regulatory sanctions checks. It is imperative that sanction checks are completed thoroughly and properly documented before any ransom payments are made otherwise official action against the payee can be costly.  A professional and competent breach response firm like CyberClan includes this as part of its ransom negotiation service.

The payoff of using a skilled negotiator

The main objective of a negotiator is to lower the ransom demand as far as possible and as quickly as possible but without derailing the negotiation. There are many methods that can lead to a successful outcome, negotiation tone, tactics, timing, messaging is all important. Good negotiators are highly skilled and experienced in what they do. Ransom claims must be expertly handled in order to reduce the level of the demand, minimise the risk of a ransom increase, data exfiltration, poor decryption outcome, follow on demands and exposure, sanction coverage and protection.

CyberClan does not encourage or recommend victim’s directly engage with cyber criminals or offer to pay a ransom demand. We provide victims with a complete negotiation and resolution service which includes the facilitation of crypto for settlement of ransom demands.

CyberClan provides a realistic assessment of any given situation, options and risks. We guide our clients through the negotiation and educate them on what to expect during negotiation so that our clients can make the best and most informed decision to enable a good outcome.

If you have experienced a ransom attack or would like advice regarding how we can help in the event of an attack on your organization, please contact us by filling in the form below: 

Under Attack? Guaranteed 15 minute response time.

Please call our emergency hotline below or fill out the form with your name, email, and phone number.


1 800 762 3290


0800 368 8731


The information you provide in this form is only used exclusively to assist you. We do not share your data.