
Everything You Always Wanted to Know About Ransomware Negotiation (But Were Afraid to Ask)

No business ever wants to pay a ransom demand.

Coalition is committed to protecting the unprotected. As a cyber insurance provider, our primary approach is to prioritize good cyber hygiene and proactive risk mitigation. In many instances, we're able to prevent victimization and significantly reduce the likelihood of a cyber event for our policyholders.

Unfortunately, ransomware events persist. And when they do, we step in to support our policyholders and mitigate impacts to the best of our ability. 

Ransomware events are high-stress situations that completely upend a business' ability to operate and expose it to pressure and manipulation from opportunistic cybercriminals. Resuming operations quickly is often the top priority for businesses. If a business is unable to restore data from backups, it may opt to negotiate with the threat actor.

When reasonable and necessary, Coalition helps guide policyholders through the process of negotiating and paying a ransom. As an Incident Response Lead for Coalition Incident Response, Inc. (CIR), Coalition's affiliated digital forensics and incident response firm, I've helped many clients recover after a ransomware event.

While every cyber attack is different, and no two policyholders make the same decision, we believe it's important to shed light on how the ransomware negotiation and payment process works.

What's it like talking to a ransomware gang?

Many ransomware gangs operate like businesses. As an incident responder, my first contact is usually with a "support" person who's very friendly and open to answering questions. If they don't have an answer, they run it up the ladder to a "technical" person or even the "boss." Ultimately, these gang members are getting paid for the services they provide. And when it's out of their scope, they move you to the next person.

How does a negotiation typically begin?

In every case where there's contact, we start with the ransom note. It's usually left behind once the data is encrypted on the business' network. In most cases, there's a URL to a website or forum that has a little chat feature. That’s where the threat actor typically leaves the note with instructions on how to contact them. 

Sometimes, the website is password-protected, so we have to enter a code that’s also provided in the ransom note. Every once in a while, it's emailed directly to the impacted business. Threat actors may also set up an email address specifically for negotiation purposes and provide it in the ransom note. We've even seen them use Skype and other instant messaging platforms.

Can you tell if a threat actor is using artificial intelligence?

We don't have hard proof that they're utilizing AI, but I'd be shocked if they weren't. Since the introduction of ChatGPT and other AI tools, threat actors' communication has greatly improved. It's now much easier to understand what they're trying to say.

More importantly, if a threat actor steals hundreds or thousands of documents, it would have previously taken them days, if not weeks, to go through the data and understand it. We have good reason to believe they're also using AI to quickly digest that information, which helps them make more credible threats. They'll reference things like "duty to notify," cite regulatory bodies, and even name a business' specific clients.

How does cyber insurance factor into negotiations?

Threat actors often utilize insurance information during a negotiation. They'll say, "We know you're covered by X" or "We know your limit is X." It can make negotiation more difficult because, if they have the insurance document in hand, we can't really deny the business has insurance. And when they have that information, they can demand the full policy limit.

We've even seen threat actors call the insurance carrier directly on the phone, usually in conjunction with some sort of written communication. The purpose is to leverage the business and create a sense of urgency. Calling a CEO or CFO puts pressure on the business to engage in negotiations and expedite a resolution. It’s more of a scare tactic than anything else.

How long does a negotiation typically last?

If a business wants to pay — maybe operations are 100% down, or they don't have backups, or they just want to make it go away — it's usually a quick process. But if a business wants to negotiate a smaller payment or get the threat actor to prove what data they stole, the process can take multiple weeks.

Does the willingness to negotiate vary by threat actor?

Definitely. We've even had cases where one operator has been open to negotiations, and another hasn't for the same type of ransomware. It can be based on a combination of the ransom demand and the data they're able to exfiltrate. Maybe they were hoping to get more data but, for whatever reason, couldn't, so they're open to giving us a lesser amount for the ransom. Sometimes, it's leverage we just gain through negotiations. But every once in a while, we get a threat actor who will not move off the number they ask for, no matter what.

When do data backups enter the equation?

I would estimate that 90% of businesses have some form of data backups — the issue is viability. Have they been tested? Do they encompass all of the data needed to restore operations? Can the backups get up and running in a timely manner? If a business has multiple terabytes of data and has never performed a backup, it might take weeks to fully restore.

What motivates a business to start negotiating?

The most common reason is data exfiltration and data posting — when the threat actor actually steals data and posts it to a public website. These days, many businesses know someone who's gone through this experience, or they've experienced it themselves, so they're aware of the legal obligations that come with the public sharing of such data.

Reputational harm is another major consideration. Businesses want to avoid being named on these websites and to safeguard their customer data. Paying the ransom won't absolve a business from their legal duties, but it might lessen the burden of notifying customers. In general, we always try to prevent businesses from paying purely because it's faster. 

Why are ransom demands increasing if fewer businesses are paying?

It's hard to say exactly why this is happening, but it goes back to ransomware gangs operating like any other business. To offset the fact that fewer businesses are paying, they need to up the price to hit their "goals," so to speak. Additionally, if the variant is a ransomware-as-a-service, they might need to hit a specific number to make back enough money to pay the author for continued use of the malware.

These ransomware attacks may also be more targeted rather than opportunistic. If threat actors are targeting businesses with more sensitive data and greater risk, it's harder for the businesses to avoid payment, which can justify a higher price tag. AI might also be a factor here: If they're using AI tools to digest the data they steal, they may have more leverage because they have a better understanding of its value.

What's the process for actually paying a ransom?

Every payment I've ever been a part of has been via cryptocurrency. Bitcoin is still the most popular type, but it can also be easier to trace. Threat actors sometimes request, and offer discounts on, payments made with specific coins that are harder to trace. Part of the process involves an Office of Foreign Assets Control (OFAC) check to ensure the threat actor isn't a restricted entity, and if they are, then no payment is made.

Do businesses get all of their data back when they pay?

Most of the time, but not always. Back in the day, around 2015 or so, roughly 30% of data would be so badly impacted by the encryption that it'd be unrecoverable. But this has gotten a lot better over the years. The only area where we still see some issues every now and then is really large data files. Massive spreadsheets and SQL databases, for example, can corrupt at the time of encryption because a lot of people utilize them and they're on a network. Every once in a while, we'll still see an issue where a file was in use at the time of encryption, and it won't decrypt cleanly.

What's the biggest misconception about ransomware?

A lot of people think that once you pay a threat actor, it's back to business as usual. But there's a lot that follows, including the decryption process, legal proceedings, customer notification, along with some significant reputational harm. Even if a business's name is listed on a leak site and no data is leaked, it still causes reputational harm. News outlets will report that information and associate the ransomware variant with the business — and threat actors commonly use this to pressure businesses into paying.

Even the most straightforward ransomware negotiation — where the threat actor is responsive, negotiations go smoothly, payment is transferred, and decryption is successful — is something that no business should ever want to experience. It can be a really painful process. 

How businesses can defend against ransomware

Threat actors are adaptable and will change tactics to gain the leverage they need to monetize their crimes. But that doesn't mean businesses are powerless. When companies implement security controls, they can reduce the risk of experiencing a ransomware event.

  1. Having viable offline backups is vital. While the number of businesses that use backups has increased, it's essential to have two backups of all critical data. Running regular restore drills is equally important to confirm the backups work and provide a baseline for how long restoration takes.

  2. Make good data hygiene decisions. When threat actors gain unauthorized access to a network, they often search for high-value data to encrypt or steal. Providing employees with access only to the data they need to do their jobs makes it harder for information to fall into the wrong hands.

  3. Monitor endpoints for unauthorized access. Every endpoint that accesses business data — laptops, tablets, phones — is a potential risk. Tools like endpoint detection and response (EDR) monitor all endpoints in a network for signs of anomalous activity.
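The restore drill in point 1 is the piece most businesses skip, so here is a worked example of one. This is an added illustration written for this post, not Coalition's or CIR's tooling: it assumes the backup is a gzip'd tar archive with a SHA-256 manifest recorded at backup time (a stand-in for whatever backup product a business actually uses), restores it into a throwaway directory, reports every file that is missing or fails its checksum, and times the restore to give the baseline the text mentions. The sample file share, file names and contents are constructed for the demo.

```python
"""Restore drill: unpack a backup archive into a scratch directory, check every
file against the SHA-256 manifest recorded when the backup was taken, and time
the whole restore.  Constructed sample data only; tarfile/gzip stand in for
whatever backup tooling a business actually uses."""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large database dumps need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_dir: Path) -> dict[str, str]:
    """Map each file's path (relative to the share root, POSIX form) to its SHA-256."""
    return {
        path.relative_to(source_dir).as_posix(): sha256_file(path)
        for path in sorted(source_dir.rglob("*"))
        if path.is_file()
    }


def create_backup(source_dir: Path, archive: Path) -> dict[str, str]:
    """Write a gzip'd tar of source_dir plus a manifest beside it; return the manifest."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    (archive.parent / (archive.name + ".manifest.json")).write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_drill(archive: Path, manifest: dict[str, str]) -> dict:
    """Restore into a throwaway directory and compare against the manifest.

    Returns ok (bool), the lists of missing and corrupt relative paths, and the
    elapsed seconds, which is the restore-time baseline the drill establishes."""
    start = time.monotonic()
    missing: list[str] = []
    corrupt: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        scratch_dir = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter refuses absolute paths, '..' components and
                # links that escape the target (Python 3.12+, backported to
                # older patch releases), so a tampered archive cannot write
                # outside the scratch directory.
                tar.extractall(scratch_dir, filter="data")
            except TypeError:
                # Interpreter predates the filter argument.
                tar.extractall(scratch_dir)
        for rel_path, expected in manifest.items():
            restored = scratch_dir / rel_path
            if not restored.is_file():
                missing.append(rel_path)
            elif sha256_file(restored) != expected:
                corrupt.append(rel_path)
    return {
        "ok": not missing and not corrupt,
        "missing": missing,
        "corrupt": corrupt,
        "seconds": time.monotonic() - start,
    }


def demo_drill() -> tuple[dict, dict]:
    """Run two drills on constructed sample data: one clean, one against a
    backup that was already stale by the time the drill ran."""
    with tempfile.TemporaryDirectory() as work:
        share = Path(work) / "fileshare"
        (share / "finance").mkdir(parents=True)
        (share / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (share / "notes.txt").write_text("constructed sample file\n")
        archive = Path(work) / "fileshare.tar.gz"

        manifest = create_backup(share, archive)
        clean = restore_drill(archive, manifest)

        # The share kept changing after the backup job: the ledger was rewritten
        # and a new document appeared.  Drilling against the current manifest
        # shows exactly what a restore from this archive would not bring back.
        (share / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (share / "new_contract.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        stale = restore_drill(archive, build_manifest(share))
        return clean, stale


if __name__ == "__main__":
    for label, result in zip(("clean", "stale"), demo_drill()):
        summary = {k: v for k, v in result.items() if k != "seconds"}
        print(label, json.dumps(summary), f"{result['seconds']:.3f}s")
```

Run on a schedule against the offline copy (not the live share), keep the elapsed time from each run, and treat any file in the missing or corrupt lists as a backup that would not have saved you. The stale case is the one worth practising: large, constantly changing files such as databases and shared spreadsheets are exactly where the manifest and the archive drift apart.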

Businesses can sign up for around-the-clock monitoring with our Managed Detection and Response (MDR) Services. CIR regularly deploys endpoint detection tools during cases to monitor networks during the restoration process. MDR is a preventative and restorative security solution that can help protect businesses from persistent cyber threats.

Learn more about MDR from Coalition Security Services.

This blog post is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over nor assumes responsibility or liability for the content, privacy policy or practices of any such third-party websites. Copyright © 2023. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.