In this article
- Although ransomware negotiations are an under-addressed topic, digital extortion is classified as the most prominent form of cybercrime.
- When ransomware adversaries target a business, how do they set the ransom? How is the victim positioned in the negotiation phase, and how can they lessen the damage?
- Keep reading for a summary of NCC Group experts’ research into the economics of ransomware negotiations. You can also find the original research here.
Ransomware: you’ve heard the story. Ransomware attacks famously cause their targets stress, and potential loss of business. Cyber security experts continue to pay close attention to ransomware groups and their MOs, like our report on the Lazarus group, to continuously advise companies on how to avoid attacks and to be able to help those already caught in the snare.
But have you heard about best practices around negotiating with the attackers?
Digital extortion is now the most prominent form of cybercrime, meriting attention to the whole process that companies may go through, including the decision and possible negotiation behind paying ransomware.
Recent research by NCC Group experts dives into ransomware negotiations addressing how adversaries use economic models to maximize their profits, the position of the victim during the negotiation phase, and which strategies ransomware victims can leverage to offset the disproportionate starting points.
Read the full research paper on our Research Blog.
How and why do adversaries set a price for their ransom demand?
Bluntly put, ransomware is about big business; maximizing profits is the primary motivation.
In order to do this, our research indicates that the total profit is influenced by whether the victim pays and the attacker’s operating costs.
There are two possible strategies: in one, attackers target large corporations and demand millions of dollars, but only expect around 5% of corporations to fold. Another strategy is to target smaller companies, only ask for ten thousand dollars, and expect that around 20% of the victims will pay. The two different strategies lead to two different profit gains.
There has also been an evolution of adversaries' pricing strategies. In the early days of ransomware attacks, they often used a uniform pricing strategy, asking for a fixed price after each infection.
Today, what is commonly known as second-and third-degree price discrimination seems to be the preferred choice
In a second-degree price discrimination structure, adversaries either start with a high initial price only to offer a discount for buying in bulk (e.g., the higher the number of locked computers you pay to have decrypted, the lower the price). And in third-degree price discrimination, the adversaries set the price based on the victim’s unique profile, such as the their size or yearly revenue.
The information gap of the negotiation process
In a typical negotiation, each party holds its own set of cards that it can use as leverage. In a ransomware negotiation, however, the situation is different. The victim is asked to play the game for the first time, whereas the adversary has played it many times before.
On top of this comes the fact that the adversary can choose to investigate the opponent's cards beforehand. Does the victim have insurance? How much revenue did the victim make last year? Ultimately, the victim is caught in a rigged game with a preset but reasonable ransom range, and the victim doesn't know it.
If the adversary plays well, they will most likely win every time.
All hope isn't lost for the ransomware negotiation
Despite the seemingly bleak picture of a ransomware negotiation, not all hope is lost. Just like the victims, the adversaries are only human, and humans can be influenced — or make mistakes.
Based on our research, we have the following pieces of advice to those who chose to negotiate with ransomware adversaries:
Be respectful.
Our research indicates a negative relationship between being kind and polite and the amount of ransom paid in the end. Try to think of the ransomware crisis as a business transaction and stay professional.
Don't be afraid to ask for more time.
We saw many cases in our data where the adversary was willing to extend the timer. Giving yourself as much time as possible to assess the situation and reduce stress may benefit your decision-making.
Promise to pay a small amount now or a larger amount later.
Adversaries also have an incentive to close a deal quickly so that they can move on to their next target. Offering a small amount now rather than a larger amount later leads to significant discounts in several cases from our data set.
Convince the adversary that you can't pay the full price.
One of the most effective strategies is to convince the adversary that your financial position does not let you pay the ransom amount initially asked.
If possible, don't tell anyone you have cyber insurance.
Our last piece of advice is not to mention that you have cyber insurance, and if possible, don't save any documents related to it on reachable servers. If the adversary knows, it significantly limits your options in the negotiation.
When a ransomware attack strikes, speed is of the essence.
Read about how our incident responders can help you or reach out to talk to an expert.