One of the first bits of advice that I always give to ransomware victims is to avoid paying the ransom. There are several reasons for this.
For starters, paying the ransom may be illegal. Legality aside, however, quite a few other issues come into play. Among them is the disturbing idea that paying the ransom will embolden your attackers. Moreover, some of that ransom money will inevitably go to the development of future ransomware. In other words, when an organization pays the ransom, it essentially makes the global ransomware problem worse.
I have also discouraged people from paying ransom because doing so doesn’t guarantee you will get your data back. We have numerous stories of organizations that pay a ransom and never receive a decryption key. In addition, organizations have paid a ransom only to receive a second ransom demand from their attackers.Recommended: Check out our new 2022 Ransomware Security Report
Unfortunately, paying the ransom is sometimes the only option. For example, what if an attacker has managed to impair an organization to the point they can either pay the ransom or go bankrupt? In this case, it may be prudent to pay. Even so, this does not mean that any organization should rashly give in to their attackers’ demands.
If you are dealing with human-operated ransomware (as opposed to automated ransomware that is purely opportunistic), then you can and should negotiate the terms of the ransom payment. Here’s how to negotiate with ransomware hackers.
Ransomware Negotiations: What Should You Ask For?
Human-operated ransomware attacks against large organizations typically demand ransoms in the millions of dollars. Given the large sums of money involved, the primary goal of any ransomware negotiation should be to settle on a more reasonable payment.
The ransom amount is usually the least important factor in a ransom negotiation, however. You must also try to negotiate what attackers will do for you if the ransom is paid.
When engaged in a ransomware negotiation, these are the most important terms and conditions to seek:
- Paying the ransom must ensure that all your data will be decrypted and all systems will be returned to their pre-attack state.
- The attackers must agree to delete any copies of your data once everything has been restored to your satisfaction. They must also agree to not leak any of your organization’s data.
- The attackers must guarantee that they will not attack your organization again in the future.
- The attacker must agree not to make any subsequent demands (such as asking for more money) once the ransom has been paid.
It is extremely important for the attacker to understand that these are unnegotiable requirements. You should only begin to negotiate on the ransom amount once your terms are guaranteed.
Is There Honor Among Thieves?
Once you negotiate the terms of ransom payments, it obviously raises the question about whether you can trust the attacker to honor the agreement. After all, you are doing business with criminals, which, by their very nature, cannot be trusted.
It may be a ransomware gang’s best interests to honor the terms of a ransom payment, however. Check Point Research, in a report on the Conti ransomware gang’s inner workings, found that the gang was concerned about its reputation. If word got around that the Conti gang double-crosses victims who pay the ransom, then it would discourage future victims from making payments. When you consider that these payments often land in the multimillion-dollar range, it is clearly favorable for Conti to honor its agreements with victims.
Before an organization even considers paying a ransom (especially a large amount), you should do some research to find out about the experiences of the attackers’ other victims. This research can help you to figure out if it is worthwhile to engage in the ransomware negotiation.
Once an organization makes it clear to ransomware attackers that the four requirements listed above are set in stone, the next step is to negotiate the payment. I will discuss negotiations on ransom amounts in separate article.