NCC Group: Attackers Know How Much Ransom You’ll Pay Before Negotiation

By the time an organization is hit with ransomware, the attacker has already thoroughly researched it and knows how much it will pay in ransom before the negotiation even starts.

That’s according to new research by NCC Group. It collected and analyzed more than 700 attacker-victim negotiations between 2019 and 2021. It investigated ransomware groups that are among the most notorious.

Ransom Negotiation, Discounts, Payments

Among the findings:

• Each ransomware gang has created their own negotiation and pricing strategies meant to maximize their profit. There are clear signs adversaries have adopted price discrimination techniques based on the yearly revenue of their victims.
• After negotiating, victims can get a “discount” of 10%-90%. In two-thirds of the cases examined, this discount was more than 50%.
• With good negotiation tactics, in most cases 50% or more of the ransom can be recovered.
• A metric, ransom per annual revenue, or RoR, was created. It’s to calculate how much victims paid in ransoms per every million dollars in the company’s revenue. Small companies generally pay more in RoR, less in absolute amount but higher in percentage of revenue.
• The largest ransom paid was $14 million by a Fortune 500 company. But this was only $822 per every million in revenue, or less than .01% of the annual revenue. By contrast, the medium ransom of small enterprises within the first data set was .22%.
• Once payments were made, ransomware groups in all cases adhered to the agreements. But in one of every two cases, the decryptor was not very efficient. That led to calling on an external specialist to build a better one.
• The same criminals have not come back to attack the same victim again. However, researchers did find a rare case where two separate criminal groups gained entry into the same victim at the same time, and agreed to divide the loot.

Well-Developed Business Side

Pepijn Hack is cybersecurity analyst at Fox-IT, part of NCC Group.

NCC’s Pepijn Hack

“We were surprised that not only the technical side of ransomware has developed in recent years, but also that the business side has been developed as well,” he said. “The business model of attackers has evolved in a way in which they use business strategies to increase profit. Furthermore, they have a system in place in which they use different people for different parts of their business. The people who hack a victim’s network are not the same as the people who run negotiations. This means that they can also specialize in their craft and this makes it more difficult for victims to get the upper hand.”

It’s difficult to prevent attackers from conducting their financial research prior to an attack, Hack said.

“First of all, we have seen multiple attackers making use of open-source databases regarding revenue of their victims such as ZoomInfo,” he said. “The main problem is that the figures the attackers base their ransom on do not have to be correct. As long as they are a rough estimate of the actual revenue, it’s good enough for them. We also did not often see attackers actually refer back to details they got from financial statements. This might be because …