Engaging in ransomware negotiations is a challenging but common practice within cybersecurity. While often conducted discreetly, many consider it essential. Security professionals involved in these discussions face a dilemma: they must assist clients whose data and operations are held hostage, yet avoid inadvertently supporting the growth of cybercrime.
Ransomware negotiations present numerous difficulties, often pitting the objectives of cybercriminals against victims and incident response teams with limited viable choices. Negotiators are responsible for ensuring clients comply with laws regarding payments to sanctioned entities, while also adhering to their own ethical boundaries.
These private negotiations can become complicated. Many participants in ransomware discussions choose to keep details confidential, which means the terms of ransom payments often go unexamined.

Despite the secrecy, several security firms and experts discussed the complexities and advantages of ransomware negotiation following an incident where two former incident responders, Ryan Clifford Goldberg and Kevin Tyler Martin, were found to be operating as ransomware attackers and pleaded guilty to attacks in 2023.
Jon DiMaggio, principal at XFIL Cyber, noted the absence of a structured community, peer review, or certifying body for ransomware negotiators. He described it as an unregulated area of cybersecurity, lacking established standards and operating much like the ‘Wild West.’
This inconsistent approach is evident among leading incident response firms, which have differing stances on ransomware negotiations. Companies like CrowdStrike and Mandiant, for instance, do not offer negotiation services to their clients.
Should a client consider paying a ransom, Mandiant provides information on available options and allows the client to make the final decision. The company also shares intelligence on the ransomware group’s reliability in upholding agreements and offers a list of specialized third-party negotiation vendors.
Adam Meyers, head of counter adversary operations at CrowdStrike, generally advises against paying ransoms, but acknowledges that the situation is often complex.
Meyers stated that while paying ransoms yields no positive outcomes, victims sometimes have no alternative in extreme situations where the choice is between business collapse or significant harm to those served.
Palo Alto Networks Unit 42 assists with negotiations but stops short of making payments. Steve Elovitz, vice president of consulting at Unit 42, explained that this is a deliberate decision to separate their involvement from the actual transaction.
Elovitz clarified that while they conduct negotiations for clients, they do not handle payments, citing both the complexity and the moral aspect of not wanting to be directly involved in the financial transaction.
Sean Nikkel, lead cyber intelligence analyst at Bitdefender, noted that various aspects of ransomware response, such as accessing stolen data on dark web forums, interacting with cybercriminals, negotiating, and making payments, can challenge the comfort levels of those involved.
Lack of Transparency Fosters Isolation
DiMaggio observed that these self-imposed restrictions underscore the secretive nature of ransomware negotiations, creating an environment where criminals can flourish.
He added that this lack of transparency isolates all parties: victims are unaware of typical or fair terms, law enforcement often operates with limited information, and criminals exploit this secrecy to dictate terms and inflate demands.
Nikkel acknowledged the necessity of some secrecy but expressed concern that ransomware negotiators operate without formal licensing or certification.
He pointed out that while many intelligence fields have professional certifications, none exist for ransomware negotiation.
DiMaggio, who has investigated ransomware groups by infiltrating their operations and documenting their activities, noted that victim organizations frequently repeat errors due to the infrequent sharing of lessons learned from these attacks.
He emphasized that without a method for the industry to responsibly collect and analyze anonymized negotiation data, each case will continue to be handled without full insight. DiMaggio clarified that transparency aims to strip criminals of their advantage, not to shame victims.
Experts explained that openly sharing details of ransomware negotiations is often unfeasible for compelling reasons. Such communications contain sensitive information that could reveal counterstrategies to attackers or provide them with leverage to further compromise victims.
Kurtis Minder, co-founder and former CEO of GroupSense and author of a book on his negotiation experiences, stated that open sharing would be challenging without compromising the negotiation process itself.
Cynthia Kaiser, Senior Vice President at Halcyon’s ransomware research center and a former FBI agent, echoed this sentiment.
Kaiser stressed the importance of avoiding any action that could re-victimize the victim, asserting that any information disclosure should be at their discretion.
Kaiser suggested that the secrecy surrounding negotiations is less critical than gaining a deeper understanding of the pervasive nature of ransomware attacks and their targets.
She concluded that this understanding is essential for comprehending the true scope of the threat, an area where current information sharing is insufficient.
Essential Negotiation Skills and Considerations
Minder became involved in his first ransomware negotiation in 2019 unintentionally. He described his initial reluctance, stating that the work ‘snowballed’ and was not something he initially sought out.
Since that time, Minder has participated in hundreds of ransomware negotiations, assisting both large corporations and small businesses on a voluntary basis.
He noted that while there’s no definitive test for a good negotiator, soft skills and emotional intelligence are crucial.
Minder emphasized the importance of empathy, defining it as the ability to effectively understand the attackers’ perspective, which he considers a powerful skill.
With the rise in ransomware attacks, the motivations of attackers seeking payment have also become more varied.
Lizzie Cookson, senior director of incident response at Coveware by Veeam, stated that attacker behavior has become more unpredictable over the last four years, adding complexity to negotiation strategies.
Cookson, a ransomware negotiator for over a decade, explained that some attackers seek not only payment but also notoriety and media attention. This can lead to more aggressive tactics, including hostility, threats of violence, and threats against family members.
She noted that such cases are increasingly common and often result in attackers failing to uphold their promises, leading to data leaks even after payment, or subsequent extortion demands.
Josh Lefkowitz, CEO of Flashpoint, highlighted that cybercriminals continuously devise new ways to pressure victims, including physical extortion. This involves ransomware groups contacting executives and threatening their families by revealing knowledge of their children’s schools, homes, and commutes.
Lefkowitz added that these threats place business leaders in vulnerable and unforeseen situations, forcing them to reconsider their initial responses to cyberattacks.
DiMaggio stated that ransomware negotiation demands practitioners balance necessity with ethical considerations. He emphasized treating each negotiation as a human crisis, not merely a financial transaction.
Negotiators Share Insights from Past Cases
While ransomware negotiators often rely on established checklists derived from past experiences, each incident is distinct and necessitates improvisation.
Matt Dowling, senior director of digital forensic and incident response at Surefire Cyber, noted that ransomware operators are generally more reliable now compared to when he began negotiating in 2019. He attributed improvements in the practice to more effective threat intelligence, enabling data-driven negotiations.
Dowling categorizes ransomware operators into named and unnamed groups. Named groups tend to be more trustworthy due to their reputation, whereas unnamed groups are more prone to re-extortion and may not adhere to negotiation standards, often failing to provide proof of claims.
Despite the risks, he observed that most payments ultimately lead to positive outcomes for victims. Dowling mentioned facilitating payments ranging from approximately $6,000 to $8 million.
Minder noted that some negotiations conclude suddenly without further issues, often involving charities or non-profit organizations.
He recalled a case involving a breast cancer screening charity where he questioned the attackers’ motives, highlighting the victims’ lack of financial resources.
The attackers ultimately withdrew after the organization agreed to pay a $5,000 ransom, which the group claimed covered their attack costs. This was a substantial reduction from their initial $2 million demand.
Upon the conclusion of data extortion cases, negotiators typically request proof of data deletion, though this is inherently unconfirmable. Some attackers, particularly those proud of their exploits, may provide detailed access reports, which assist victims and incident responders in understanding the breach.
Experts indicated that ransomware negotiations can involve many parties, including lawyers, insurance providers, and law enforcement. These complex discussions can span from a few hours to several months.
Negotiation Tactics and Process
Negotiators generally utilize similar strategies to achieve client objectives while securing the lowest possible payment.
Dowling explained that threat intelligence on ransomware groups can inform whether a gentle or aggressive negotiation approach is best, but initially, the threat actor holds all the leverage.
He added that the negotiator’s leverage stems from the attacker’s desire for payment, which can only be achieved through an agreement.
Every ransomware negotiator interviewed emphasized the importance of delay. Cookson noted that ‘time is always our friend,’ as each day after an incident provides an opportunity to gain more insight, enabling more confident, data-driven decisions rather than those based on fear.
Minder advised that initial contact from negotiators representing a victim should be brief and straightforward, encouraging attackers to speak first. He also recommended delaying discussions of financial figures or positional bargaining for as long as possible.
Minder also cautioned against using aggressive language, suggesting that disappointment can be conveyed without resorting to combative words. He reminded that attackers are individuals with egos, which should be considered during communication.
Minder explained that delay tactics aim to make attackers reconsider their demands before any financial figures are formally proposed by the negotiator.
He added that beyond financial gain, ransomware operators often seek validation and a sense of control and victory.
Cookson warned that the worst outcomes often occur when victims hastily make payments, mistakenly believing it will resolve all issues.
Ethical Challenges of Financial Incentives
Ransomware has become a lucrative criminal enterprise, with the Treasury Department’s Financial Crimes Enforcement Network reporting $2.1 billion in payments over three years ending December 2024, and approximately 3,000 attacks in 2023 and 2024.
This criminal activity has created opportunities for businesses, leading to the formation of specialized firms that assist victim organizations by conducting ransomware negotiations after attacks.
This emerging industry introduces further ethical dilemmas, particularly when financial incentives exist for negotiations to take place and, in some instances, lead to ransom payments.
DiMaggio noted that a lack of billing transparency subjects some firms’ practices to increased scrutiny. While some charge flat or hourly fees, others use a contingency model, basing their fees on a percentage of the ransom reduction achieved.
He clarified that while not standard, this contingency model creates a clear conflict of interest, blurring the line between victim representation and profiting from criminal activity when a negotiator’s income is tied to the ransom outcome.
Elovitz advised victim organizations to avoid firms that charge a percentage of the ransom payment, even if it’s a small one.
He explained that such a model creates a financial incentive for negotiators not to reduce the ransom as much as they otherwise could.
DiMaggio called for greater transparency in how service providers price ransomware negotiation. He warned that without it, the industry will remain in a ‘moral gray zone,’ where well-intentioned actions could inadvertently support the criminal ecosystem it aims to disrupt.
Absence of Standardized Rules of Engagement
Ransomware negotiation continues to be an ill-defined and largely unregulated practice, lacking industry-wide agreements on rules of engagement.
Attempts to establish industry-wide rules could create competition, potentially allowing less scrupulous providers to gain business by offering services that bend established norms.
Negotiators largely operate without restrictions, provided they ensure compliance with laws regarding engagement with and payments to sanctioned criminals.
However, there remains a clear need for checks and balances, oversight, transparency, and a standardized framework of rules for negotiators to follow, ensuring they do not overstep professional or personal boundaries.
Elovitz explained that external oversight is complicated by the nature of negotiation itself, which requires intermediaries to establish a degree of trust with attackers through conversations that might not be publicly acceptable.
He suggested that intense scrutiny could hinder legitimate efforts more than criminal ones, though he added that the payments themselves could benefit from greater examination.
Above all, a clear purpose should guide these efforts.
DiMaggio stated that the primary principle of ransomware negotiation is to protect victims without empowering criminals, a balance that cannot be achieved without transparency.
He observed that a lack of oversight enables abuse from both attackers and negotiators.
To prevent manipulation, DiMaggio advocated for a standardized framework, vetted negotiators, auditable communications, and anonymized after-action reviews.
He concluded that without accountability, victims effectively pay twice: once to the criminals and again to those who claim to assist them.
Minder reflected that his experiences as a ransomware negotiator brought him back to his initial intuition. He stated, ‘I don’t believe this should be a business,’ despite having been paid for the work.
He described it as ‘almost like a parasitic industry,’ where professionals profit from victims.