Ransomware victims face the difficult decision of paying the ransom or taking their chances with the fallout. The FBI, Department of the Treasury, CISA, the Multi-State Information Sharing and Analysis Center and experts all recommend against paying the ransom -- but, realistically, that's not always feasible.
For organizations that have decided to pay the ransom, ransomware negotiation services are an option.
What are ransomware negotiation services?
Ransomware negotiation services are third-party brokers contracted to act as intermediaries between a victim organization and a ransomware group. These services are often part of the incident response supply chain.
The primary focus of ransomware negotiation services is engaging the threat actors to confirm they are the group behind the attack and actually hold the decryption keys and stolen data, then negotiating the ransom demand down. Many ransomware negotiation service providers also offer ransomware remediation, PR assistance and post-attack monitoring services. Others provide detection and response services or products to prevent future attacks.
Why consider ransomware negotiation services
As specialists in the area, ransomware negotiation services have a better understanding of how to work with threat actors and a better chance of getting the desired results.
Ransomware negotiation specialists also track the reputations of individual groups -- for example, whether a group has been known to leak or resell stolen data even after a ransom was paid.
"Do [ransomware groups] do what they say they're going to do, or are there examples of victims paying up and their data got released anyway?" said Paul Furtado, analyst at Gartner.
In addition, by handling communications with the bad actors, negotiation services can delay how quickly the organization needs to respond to the ransom demand and any eventual payment, said Daniel Kennedy, an analyst at 451 Research. "At least one ransomware group warned victims about engaging a third-party provider, which is a form of endorsement at some level that such negotiators are having success with their methods," he said.
Drew Schmitt, managing security consultant at Virginia-based cybersecurity consultancy GuidePoint Security, said negotiation services act as though they are part of the victim organization to counter any such issue. "As soon as [bad actors] hear of you using a third party, they will either sever the communication or jack up the ransom," he said.
Some organizations work with a federal agency and still pay the ransom. CNA Financial, for example, paid a $40 million ransom while working with the U.S. Secret Service because it was the best option to protect its business and stolen data, Furtado said.
Ransomware scenarios also involve practical complexities that organizations and their incident response teams might not be prepared for, such as communicating over the attackers' chosen platform and acquiring and transferring cryptocurrency for payment, Kennedy said.
Avoid handling ransomware negotiation on your own
Organizations that choose to pay the ransom are advised not to conduct negotiations themselves.
"I strongly recommend you do not do the negotiations yourself," Furtado said. "You don't know what 'good' negotiation looks like. If you don't deal with ransomware groups and bad actors on a regular basis, then you don't know if you should take their offer of a 30% discount or a 5% discount. Or if you should hold out for a 90% discount."
Additionally, organizations that conduct the negotiation themselves are the aggrieved party, and they could, inadvertently or otherwise, come across as hostile toward the ransomware group. This could lead threat actors to refuse to negotiate further or to release exfiltrated data.
If a DIY negotiation goes poorly, the group of bad actors could also just walk away. "You run the risk of angering them," Furtado added. "They could walk away from the table and say, 'I'm done talking to you; you have to pay full price.'"
Also be careful about what is said in any direct communication with threat actors. Groups are known to publish negotiation emails and chat transcripts to embarrass victims or pressure them into paying.
What to know before ransomware negotiations
Before taking the ransomware negotiation road, victim organizations should be aware of three major points.
First, it might not be possible to recover all the stolen or encrypted data. According to a Sophos report, only 8% of organizations that paid the ransom recovered all their data, while 97% got most of their data back. Ransomware negotiation services research the group involved to determine how "trustworthy" it has been in delivering a working decryption key after payment, and they tell the victim organization how likely it is to get its data back, and how much of it.
Organizations should also understand that more and more ransomware groups demand additional payments through double and triple extortion. In double extortion, the threat actors exfiltrate data before encrypting it and demand a second payment in exchange for not publishing it; in triple extortion, they go on to extort the individuals or business partners whose data was involved in the initial attack.
Lastly, paying the ransom can open organizations to future ransomware attacks. If other malicious actors learn a specific organization paid a ransom, it could be perceived as a weak defender -- and an attractive target. A report found nearly 80% of victims that paid the ransom experienced additional attacks, often from the same threat actors they just paid.
The ransomware negotiation process
At GuidePoint Security, Schmitt said, ransomware negotiation services are called in after an organization discovers ransomware on its systems, along with the ransom note -- typically a readme file -- containing the ransomware group's demands.
Consultants from the negotiation company provide digital forensics and incident response assistance to start determining the best negotiation process based on the ransomware group and its history.
"A lot of times, we have a good idea whether they're going to be open to negotiations and reduction in price and what that might even be," said Mark Lance, vice president of digital forensics and incident response and threat intelligence at GuidePoint Security. "These threat actors engage because, while they're not trying to take as little money as possible, they don't want to walk away from the money either, in most circumstances."
Once initial research is complete, the communication and negotiation processes begin to determine if the ransomware group can be trusted to provide a legitimate decryption program. Once a price is agreed upon, the ransomware negotiation service handles the brokerage process and obtains the relevant cryptocurrency to pay the ransom.
Finally, the consultants help with the ransomware recovery process and can monitor to ensure the threat actor doesn't upload the company's data online in a double extortion attack.
Ransomware negotiation services vs. cyber insurance
Negotiation services have existed for a while, with some available before cyber insurance was introduced. That said, the two aren't completely separate, said Dave Gruber, analyst at TechTarget's Enterprise Strategy Group. "Some cyber insurance providers work with negotiation experts to help reduce claim payouts."
Organizations with cyber insurance should keep their policy documents out of the attackers' reach, Schmitt noted. Threat actors are wise to cyber insurance and, if they find a policy on a victim's file shares or in its email while inside the network, will use that information during negotiations. "They'll say, 'We know your policy covers $250,000, so that's the amount we want,'" Schmitt said.
No ransomware negotiation process is perfect
While there is no guarantee ransomware negotiation processes will work, organizations do have a better chance at an optimal outcome if services are enlisted. This is especially true because of the attack and attacker details consultants know, which victim organizations might not.
"Dealing with small nuances in communication and ransoms may not be something companies want their internal incident response teams doing when there is an active deadline for when ransomware operators will take some negative action," Kennedy said.
If an organization does decide to pay a ransom to protect its customers and business-critical data, it's worth considering ransomware negotiation services to prevent the process from traveling down a bumpy road.