Paying Ransomware Attackers: How To Reduce the Amount

In a previous article, I explained that if an organization suffers a ransomware attack, it’s best to avoid paying the ransom. However, if paying the ransom is your only option, I outlined four terms and conditions you absolutely must get an attacker to agree to before you pay. Once the attacker agrees to those four terms, the only thing left is to negotiate the ransomware payment itself. Unsurprisingly, this is something of an art form.

Consider the Ransomware Attacker’s Operations and Motivations

When a devastating ransomware incident occurs, it would initially seem that the attacker holds all the cards. After all, the victim would not be paying the attacker if they had any sort of recourse. Even so, it is possible to negotiate a more favorable settlement if you know what you’re doing.

A recent report by Check Point Research detailed the Conti ransomware gang’s inner workings based on leaks from the group. Understanding how Conti operates and what motivates the gang may be the key to a favorable negotiation. Of course, every ransomware gang has its own way of doing things, but what we learned through the Conti leak will inevitably provide insight into similar gangs.

Don’t Claim You Can’t Afford the Ransomware Payment

A common mistake that organizations make during a ransom negotiation is to claim the ransom payment is unaffordable.

Related:FBI Ransomware Crime Unit Seeks Public-Private Partnerships

In the case of a large-scale, human-operated ransomware attack, the ransom demand is rarely arbitrary. Normally, an attacker will have exfiltrated large amounts of data from its victim’s network. The attacker will then use this data, combined with data from public sources and data stolen from other organizations, to figure out the victim’s financial health. That assessment, along with the value of any data insurance policy that the organization might have, is used to formulate the ransom amount.

Based on my own observations and information outlined in the previously mentioned Check Point report, attackers seem to believe they are completely justified in demanding the amounts they do. I have even seen situations in which an attacker claimed they deserve the demanded amount based on all the hard work they put into the attack.

The Bottom Line: Claiming you cannot pay the ransomware demand will not score you any points in a negotiation. The attackers already think they know everything there is to know about your organization (even if their perception is inaccurate). If you tell an attacker that paying the ransomware demand is unfeasible, the attacker will likely feel insulted.

At best, this tactic will get you an explanation about why the amount is justified. At worst, the attacker will become upset and increase the ransom amount (I have seen this happen at least once).

The Ransomware Negotiator Likely Works on Commission

When negotiating a ransom amount, remember that the person you talk to likely works on behalf of the attacker. This person is almost certainly working on commission. In other words, that person only makes money if they can get you to pay the ransom. It is not in their best interest to work with you on the amount.

Your best approach may be to convince the negotiator that it is going to be relatively easy for you to pay a lesser amount but nearly impossible to pay the full amount because of corporate bureaucracy, banking rules, or whatever.

The Bottom Line: The key is to persuade the attacker that if they settle for a lesser amount, they will at least get something -- whereas if they hold out for the full amount, they will likely walk away with nothing.

Ransomware Gangs May Be Stretched Thin

The Check Point report mentions that the Conti gang was short-staffed. The gang’s negotiators may work on hundreds of negotiations at a time and struggle to keep pace. As such, ransomware gangs want to close deals quickly so that they can move on to the next negotiation.

The Bottom Line: Offering an expedited payment in exchange for a lower amount may be key to reducing the ransomware payment.

ransomware_negotiation_tips

Conclusion

If paying the ransomware demand is your only option, you may have an opportunity to reduce the amount. However, you must approach the negotiation process carefully, as some tactics could backfire. For example, telling them the price is too steep may only result in the attacker digging in their heels.

Think about the negotiation from the ransomware attacker's perspective. Would they be willing accept a reduced ransom instead of nothing at all?

Remember that the group behind the attack may be stretched thin trying to get numerous victims to pay up. That being the case, they may be willing to take a lesser amount if you can deliver it quickly.