Getty Images

Why using ransomware negotiation services is worth a try

If stakeholders decide to pay ransomware demands, using a ransomware negotiation service could improve the situation's outcome and lower the payout.

Ransomware victims face the difficult decision of paying the ransom or taking their chances with the fallout. The FBI, Department of Treasury and others recommend against paying the ransom, but realistically, that's not always feasible.

For organizations that have decided to pay up, ransomware negotiation services are an option.

What are ransomware negotiation services?

Ransomware negation services are third-party brokers contracted to act as an intermediary between the victim organization and the ransomware group. These services often get involved as part of the incident response supply chain.

"If you're going to go down the road of paying a ransom, I strongly recommend you do not do the negotiations yourself," said Paul Furtado, analyst at Gartner. "You don't know what 'good' negotiation looks like. If you don't deal with this group and these bad actors on a regular basis, then you don't know if you should take their offer of a 30% discount or a 5% discount. Or should you hold out for a 90% discount?"

If a DIY negotiation goes poorly, the group or bad actors may just walk away. "You run the risk of angering them," Furtado added. "They could walk away from the table and say, 'I'm done talking to you; you have to pay full price.'"

Why consider ransomware negotiation services

As specialists in the area, ransomware negotiation services have a better understanding of how to work with threat actors and a better chance of getting intended results.

First, they have the upper hand and often know the credibility of the bad actors involved, for example, if they conduct double extortion schemes even after a ransom is paid.

"Do [ransomware groups] do what they say they're going to do, or are there examples of victims paying up and their data got released anyway?" Furtado said.

In addition, by handling communications with the bad actors, negotiation services can delay how quickly the company needs to respond to the ransom demand and any eventual payment, said Daniel Kennedy, analyst at 451 Research. "At least one ransomware group warned victims about engaging a third-party provider, which is a form of endorsement at some level that such negotiators are having success with their methods."

Drew Schmitt, analyst at Virginia-based cybersecurity consultancy GuidePoint Security, said negotiation services act as though they are part of the victim organization. "As soon as [bad actors] hear of you using a third party, they will either sever the communication or jack up the ransom."

Some companies work with a federal agency and still pay the ransom. CNA Financial, for example, paid a $40 million ransom while working with the U.S. Secret Service because it was the best option to protect its business and stolen data, Furtado said.

Overall, complexities occur in ransomware scenarios that companies and their incident response teams may not be aware of. This includes knowing how to communicate on a specific platform, using cryptocurrency for payments and more, Kennedy said.

The ransomware negotiation process

At GuidePoint Security, Schmitt explained, ransomware negotiation services are called after an organization discovers ransomware on its system and the readme file containing the ransomware group's demands.

Consultants from the company provide digital forensics and incident response assistance, starting with determining the best negotiation process based on the ransomware group and its history.

"A lot of times, we have a good idea whether they're going to be open to negotiations and reduction in price and what that might even be," said Mark Lance, senior director of cyberdefense at GuidePoint Security. "These threat actors engage because, while they're not trying to take as little money as possible, they don't want to walk away from the money either, in most circumstances."

Once initial research is complete, the communication and negotiation processes begin to determine if the ransomware group can be trusted to provide a legitimate decryption program. Once a price is agreed upon, the ransomware negotiation service handles the brokerage process and obtains the relevant cryptocurrency to pay the ransom with.

Finally, the consultants help with the ransomware recovery process and monitor to ensure the threat actor doesn't upload the company's data online in a double extortion attack.

Ransomware negotiation services vs. cyber insurance

Negotiation services have existed for some time, with some available before cyber insurance for ransomware. That said, the two aren't completely separate, said Dave Gruber, analyst at Enterprise Strategy Group, a division of TechTarget. "Some cyber insurance providers work with negotiation experts to help reduce claim payouts."

Organizations with cyber insurance should keep their contracts secure. Schmitt said many threat actors are wise to cyber insurance and look for contracts to use that information during negotiation. "On their end, they'll say, 'We know your policy covers $250,000, so that's the amount we want,'" Schmitt said.

No ransomware negotiation process is perfect

While there is no guarantee ransomware negotiation processes will work, organizations have a better chance at an optimal outcome if services are enlisted. This is especially true because of the attack and attacker details consultants know, which the victim organizations may not.

"Dealing with small nuances with communication and ransoms may not be something companies want their internal incident response teams doing when there is an active deadline for when ransomware operators will take some negative action," Kennedy said.

If an organization does decide to pay a ransom to protect its customers and business-critical data, it's worth considering ransomware negotiation services to prevent the process from traveling down a bumpy road.

Next Steps

How to stop ransomware: 4 steps to ransomware containment

Dissect open source ransomware code to understand an attack

This was last published in May 2022

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing