© 2023 CyberNews - Latest tech news, product reviews, and analyses.

Ransomware economics: if you decide to pay, here's how to negotiate a discount

Financially motivated adversaries cherry-pick their victims and go after large and profitable companies. However, if you are a small enterprise hit by ransomware, it may cost you more to get out of the situation.

Ransomware victims are in the firm grip of the attacker. A new report suggests that smaller companies pay less in absolute terms but more as a percentage of their revenue. Luckily for small businesses, ransomware operators have turned their attention to big and profitable enterprises.

Even though paying a ransom is not recommended, a significant percentage of ransomware-affected businesses see no other option than to negotiate and, in the end, pay a ransom.

NCC Group collected more than 700 attacker-victim negotiations between 2019 and 2021. NCC Group, which presented its findings during the Black Hat Europe conference, said that victims could get a ‘discount’ of 10% - 90% after negotiating. In two-thirds of the cases examined, this discount was more than 50%.

Researchers concluded that, in most cases, threat actors had a pretty good idea of what amount would ultimately be paid (if paid at all). The threat actor knows a lot more about the victim, while the victim knows almost nothing about the attacker. They also said that a financially motivated actor could cherry-pick targets and attack a few big companies rather than going after a bunch of small ones.

The cost of ransomware

There are three classic types of price discrimination: pricing based on a victim’s willingness and ability to pay; “discounts” offered for bulk purchases; and pricing based on specific traits of a victim, such as the size of the company or the number of servers encrypted.

Experts based their conclusions on two datasets. The first dataset was collected in 2019, when targeted ransomware attacks were still emerging and only a handful of groups were engaged in this business model. The ransom demands were lower compared to today’s amounts.

The second dataset was collected in late 2020 and through the first couple of months of 2021. At this time, threat actors had shifted to targeting big and profitable enterprises. The first dataset consists of 681 negotiations, and the second dataset consists of 30 negotiations between a victim and a ransomware group.

In the first dataset, 17% (116) of the 681 victims proceeded to pay a ransom, with an average amount of $401,000 per victim. In the second dataset, around 14% (15) of 105 victims paid, with an average of $2.4 million per victim.

The highest ransom paid was $14.4 million by a Fortune 500 company. Compared to its annual revenue, the ransom was relatively small and constituted $822 per million in revenue, or 0.00822% of the annual revenue. By contrast, the median ransom paid by small enterprises within the first dataset was 0.22% of annual revenue.

The art of negotiation

Researchers concluded that, after negotiating, victims can get a ‘discount’ of 10% - 90%. In two-thirds of the cases examined, this discount was more than 50%. With good negotiation tactics, in most cases, 50% or more of the initial ransom demand can be knocked off.

And here’s what NCC Group considers to be good negotiation tactics:

1. Be respectful. NCC Group insists you look at the ransomware crisis as a business transaction. Researchers saw multiple examples of companies getting frustrated and angry in conversations with threat actors, resulting in chats being closed. The example below shows that it’s best to leave your emotions outside.

“Thanks Sir. We can pay 750,000 USD in XMR, provided that you will share with me the exact scope, volume, and significance of data that is in your possession. (…) I do stress the data, rather than the decryption key, since I learned about your very positive reputation in providing decryption keys. Looking forward to hearing your thoughts. Respectfully, {victim’s name}.”

2. Do not be afraid to ask for more time. Adversaries will usually try to pressure you into making quick decisions. The more stress the adversary can impose on you, the worse your decision-making will be. However, in almost all cases within the second dataset, the adversary was willing to extend the timer while negotiations were still ongoing.

3. Offer to pay a small amount now rather than a larger amount later. In multiple cases within the second dataset, the adversary gave large discounts when presented with the option of getting a small amount of money now instead of a large amount of money later.

4. Convince the adversary you cannot pay a high ransom amount. Here’s an example:

“We have discussed this with our management team. We do want the decryptor for our network and for our data to be deleted, but you have asked for a lot of money especially at the end of a difficult year. Can you offer us a lower price?"

5. Do not mention to the adversary that you have cyber insurance, and preferably do not store any documents related to it on any server the attacker could reach. If threat actors know about it, it severely limits the options for any negotiation. Here’s a message from an adversary:

“Look, we know about your cyber insurance. Let’s save a lot of time together? You will now offer 3M, and we will agree. I want you to understand, we will not give you a discount below the amount of your insurance. Never. If you want to resolve this situation now, this is a real chance.”

Experts do not recommend paying a ransom, because doing so incentivizes the criminal industry. They can, however, imagine that an organization may have to make a different assessment, and in that case they suggest following the negotiation tips above, as well as studying examples of how good negotiations go.

prefix 1 year ago
is this advice for CEOs to negotiate by themselves? this is not kindergarten... these are criminals you are talking to