What Happens in a Ransomware Negotiation?

John Farley
December 1, 2022

What do incident response professionals do during a ransomware attack or negotiation?

Ransomware is one of the most efficient ways to extort massive amounts of money in a short period of time, which has fueled its rise as a preferred mode of cyberattack for many cybercriminals.

No sector is immune from the threat. Global law enforcement authorities have seen a profound increase in sophisticated ransomware incidents targeting critical infrastructure organizations. Meanwhile, ransomware continues to ravage the bottom lines of victim organizations across the private and public sectors, and those of cyber insurance carriers as a result.

By threatening to publicize their victims’ most sensitive data if ransom demands are not met, hackers deploying ransomware attacks have secured six- to seven-figure extortion payments. Ransom payments are only part of the financial losses, however. The extortion payment can pale in comparison to downtime costs, particularly in the event of lost business.

To mitigate the financial and reputational harm stemming from a ransomware attack, it is critical to have a strategy in place before an attack occurs. The first step is to assemble an internal incident response team composed of stakeholders spanning many departments, including risk management, IT, legal, operations, communications, compliance and the C-suite. This team should also align with the breach response team, an external group of cybersecurity experts.

The decision of whether to pay a ransom is a deeply nuanced and hotly debated topic, and every organization ultimately has to weigh various business, legal and ethical factors for its specific case in order to identify the best course of action in the event of an attack. In the event you decide to negotiate, the following offers insight into what happens during the response process.

What Do Breach Response Teams Do During Negotiations?

The clock starts ticking on a negotiation when an organization receives initial contact from the hackers. Cybercriminals usually state what data they have, then provide assurances that they will remain quiet until negotiations have been completed, threats of what will happen if the organization does not comply with their demands, and instructions on how to begin the negotiations. Many ransomware attackers use Tor browsers or encrypted messengers, making it nearly impossible to track down the real address of their server.

When engaging a hacker, the first thing an organization should do is consult with legal counsel, followed by notifying its insurance broker. As a benefit of having a cyber insurance policy, the broker can alert the breach response team to assist with responding to and managing the situation. This pre-approved panel can include breach coaches, IT forensics investigators, credit monitoring firms, call centers and a ransom negotiator.

While a ransomware negotiator may be employed by an IT forensics investigation firm, they sometimes operate independently. This cybersecurity expert has a critical role in ransomware response, including:

  • Collecting and analyzing cyberthreat intelligence
  • Examining the blockchain transactions associated with hackers’ digital wallets
  • Reverse engineering and analyzing ransomware strains and exploitation tool kits
  • Documenting for Office of Foreign Assets Control (OFAC) compliance reports
  • Collaborating with law enforcement
  • Opening communication with hackers
  • Negotiating ransom price reductions
  • Providing immediate access to cryptocurrency
  • Facilitating payment to hackers

Cybercriminals often request payment in the form of cryptocurrency like bitcoin. Should an organization choose to pay the ransom, most do not have immediate access to digital currency, but the forensics investigator usually does.

Prior to 2019, if an organization refused to pay a ransom, it would simply be unable to decrypt the data and would lose those files. More recently, cybercriminals have evolved to practice “double extortion,” demanding payment for the encrypted data while also exfiltrating it to their own server and using threats to publish it as leverage. This now occurs in about 70% of ransomware cases, according to IT forensics investigation and ransomware negotiation firm Arete Advisors.

Further escalating the pressure, some hackers have begun contacting an organization’s clients if the negotiations take too long or fail. In what is considered “triple extortion,” hackers raise the stakes by threatening to release files that may break client non-disclosure agreements, which can cause the victim organization to lose client trust and may even result in legal action from them.

During the negotiations, an organization may express concerns about the impact of a payment on the bottom line. Although it is possible that hackers could release more sensitive information to the public if an organization attempts to negotiate a lower payment, hackers will typically reduce their demand by an average of 70% of the initial ask, according to Arete Advisors. Having backups or other contingencies available may give the organization the additional leverage it needs to just negotiate deletion of data or to avoid payment altogether. The organization should consult with the breach coach about its specific situation to help make the best business decision.

Finally, an organization’s legal counsel will need to consider the risk of paying an OFAC-sanctioned entity. In 2021, the U.S. government provided guidance around the OFAC sanctions list and the specific legal considerations regarding ransom payments to international cybercriminal groups. Companies can face severe penalties for noncompliance with OFAC requirements.

To help businesses navigate this risk, breach response teams typically have an OFAC compliance process to check where the criminal group resides. Forensic investigators can run blockchain analysis on hackers’ digital wallets to see how they launder their money and with whom they have transacted. This can help assess if the attackers are tied to restricted geographies or organizations. These checks can take as little as a couple of hours for most cases, or one or two days if something is flagged. Among the incidents Arete Advisors has handled, the firm reported only about 1% of ransomware cases involved an OFAC-sanctioned entity. Following these checks, an organization’s counsel and insurance company will receive a confirmation letter showing they are clear to move forward with the payment.

What are Governments Doing About Ransomware?

Around the world, governments have increased their efforts to work with and provide insight to the private sector regarding the ransomware epidemic. In 2022, this included enhanced threat intelligence-sharing and prioritizing critical infrastructure protection. Going forward, some experts expect law enforcement to become more proficient at helping victim organizations recover ransom payments to threat actors by employing a combination of cryptocurrency experts, computer scientists, blockchain analysts and crypto-tracers. Many also expect law enforcement to adopt a more aggressive offensive strategy in disrupting ransomware-as-a-service (RaaS) affiliates.

How is the Cyber Insurance Market Responding?

Cyber carriers are taking deliberate steps to combat increasing loss ratios attributed to ransomware attacks, and according to a recent Fitch report, cyber loss ratios were beginning to trend down.

Despite these positive signs, the cyber market will likely remain challenging at least for the near term. Cyber underwriters are wary of the heightened risk environment, particularly related to the Russia-Ukraine war. Cyber insurance buyers should be prepared to face four specific challenges for the remainder of 2022:

  • Rate increases: Cyber premiums continue to increase across the board. Industry sectors such as municipalities, higher education, technology and manufacturing face the highest premiums.
  • Coverage limitations: Many carriers have imposed sublimits specific to ransomware claims that can reduce coverage to 50% or less of the policy limit. Coinsurance provisions may also require an insured to pay half of the loss amount up to the sublimit.
  • Capacity constriction: Carriers continue to limit their capacity. Most are offering maximum policy limits of $5 million, both at the primary and excess layer level.
  • Greater underwriting scrutiny: Almost all carriers are requiring more details around the insured’s data security controls. Several now require supplemental applications consisting of dozens of detailed questions to see how well an organization is managing ransomware risk.

John Farley is managing director of Gallagher’s global cyber liability practice.