Attackers are offering discounts when negotiations go well.

Edward Gately, Senior News Editor

November 16, 2021

6 Min Read
Paying ransomware

By the time an organization is hit with ransomware, the attacker has already thoroughly researched it and knows how much it will pay in ransom before the negotiation even starts.

That’s according to new research by NCC Group. It collected and analyzed more than 700 attacker-victim negotiations between 2019 and 2021. It investigated ransomware groups that are among the most notorious.

Ransom Negotiation, Discounts, Payments

Among the findings:

  • Each ransomware gang has created their own negotiation and pricing strategies meant to maximize their profit. There are clear signs adversaries have adopted price discrimination techniques based on the yearly revenue of their victims.

  • After negotiating, victims can get a “discount” of 10%-90%. In two-thirds of the cases examined, this discount was more than 50%.

  • With good negotiation tactics, in most cases 50% or more of the ransom can be recovered.

  • A metric, ransom per annual revenue, or RoR, was created. It’s to calculate how much victims paid in ransoms per every million dollars in the company’s revenue. Small companies generally pay more in RoR, less in absolute amount but higher in percentage of revenue.

  • The largest ransom paid was $14 million by a Fortune 500 company. But this was only $822 per every million in revenue, or less than .01% of the annual revenue. By contrast, the medium ransom of small enterprises within the first data set was .22%.

  • Once payments were made, ransomware groups in all cases adhered to the agreements. But in one of every two cases, the decryptor was not very efficient. That led to calling on an external specialist to build a better one.

  • The same criminals have not come back to attack the same victim again. However, researchers did find a rare case where two separate criminal groups gained entry into the same victim at the same time, and agreed to divide the loot.

Well-Developed Business Side

Pepijn Hack is cybersecurity analyst at Fox-IT, part of NCC Group.


NCC’s Pepijn Hack

“We were surprised that not only the technical side of ransomware has developed in recent years, but also that the business side has been developed as well,” he said. “The business model of attackers has evolved in a way in which they use business strategies to increase profit. Furthermore, they have a system in place in which they use different people for different parts of their business. The people who hack a victim’s network are not the same as the people who run negotiations. This means that they can also specialize in their craft and this makes it more difficult for victims to get the upper hand.”

It’s difficult to prevent attackers from conducting their financial research prior to an attack, Hack said.

“First of all, we have seen multiple attackers making use of open-source databases regarding revenue of their victims such as ZoomInfo,” he said. “The main problem is that the figures the attackers base their ransom on do not have to be correct. As long as they are a rough estimate of the actual revenue, it’s good enough for them. We also did not often see attackers actually refer back to details they got from financial statements. This might be because …

… the ability to hack a company, and the ability to read and dissect complex financial statements might not have much overlap. This does not mean, however, that it’s not advisable to keep a strict network separation in place. This way key financial documents can be kept away from the rest of the network, which could decrease the possibility of attackers getting their hands on them.”

Ransom Negotiation Dos and Don’ts

There are dos and don’ts for organizations during the ransom negotiation process, Hack said. It’s important to prepare employees, think about your goals and set up communication lines.

“Lastly, get informed about your attacker,” Hack said. “Do some research yourself about their capabilities or hire a specialized company with a threat intelligence department. They can tell you more about the peculiarities of the adversary you are dealing with. Perhaps they have a decryptor which is not available online or know of another company who might be of help. They can also tell you more about the reliability of the adversary you are dealing with. Furthermore, knowing if you should expect a DDoS attack, calls to your customers, or the leakage of information to the press will be useful information to incorporate into your crisis management strategy.”

Also, during the negotiation process, it’s important to be respectful and don’t be afraid to ask for more time, he said. In addition, promise to pay a smaller amount now or a larger amount later.

“One of the most effective strategies is to convince the adversary your financial position does not allow you to pay the ransom amount initially asked,” Hack said. “In one example, a company was asked to pay $2 million and got a $50,000 discount. Although this seems like a good deal, there are cases in which much less has been paid after a more drawn-out negotiation. Two examples of this are two companies who were both asked to pay $1 million. One ended up paying $350,000 and the other, only $150,000. There was also one victim who talked down the price from $12 million to $1.5 million. These companies achieved this by constantly stressing they could not pay the amount asked.”

Stay Silent About Cyber Insurance

In addition, it’s important to not tell anyone you have cyber insurance, Hack said.

“You must not mention to the adversary you have cyber insurance and preferably also do not save any documents related to it on any reachable servers,” he said. “If criminals find out that a company has insurance, the victim could still tell the adversary the insurance company is not willing to pay, but this severely limits the options for any negotiation.”

When it has come to a negotiation, you “basically already lost as the victim,” Hack said.

“There are still strategies you can use to lessen the damage, but the real fight has already been won by the attackers,” he said. “That one can only be won before you get hacked. Therefore, companies should invest in better cybersecurity measures and increase their cybersecurity hygiene to prevent getting hacked in the first place. This will raise the costs for the attacker, and combined with paying them less when a company gets ransomed, will slowly decrease the overall profit for ransomware groups. Lastly, we always advise victims to inform the authorities. There have been some really great examples of recent successes from international cooperation between police agencies in Europe and the United States which show that these criminals are not invincible.”

Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.

Read more about:

MSPsChannel Research

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like