After UK-based Euler Finance, a crypto lending platform, fell victim to a $197mn cyber theft, lawyers helped it to retrieve all the funds in three weeks.
They succeeded because the criminals made a strategic error in paying 100 ETH, or Ether, into an account reputed to be linked to North Korean hackers. Lawyers used this as a pressure point to warn the perpetrators that they could face reprisals from state actors or organised crime. It was enough to persuade the hackers to return the money.
While recovering funds in this way is extremely rare, victims of ransomware are increasingly turning to negotiators — be they in-house response teams, insurers, security firms, or lawyers — to reduce the cost of their ransom, or even avoid paying one altogether.
But what is the art of ransomware negotiation?
“Negotiators should ask open-ended questions to attempt problem-solving,” says Amanda Weirup, assistant professor of management at Babson College, and an expert in negotiation and conflict management. “For example, ‘What would it take to resolve this situation?’ The strongest negotiators tailor their approach based on the other parties’ interests and priorities,” she says, noting that, on top of financial gain, some cyber criminals seek recognition to further a political or ideological agenda.
Ransomware hacks — in which cyber criminals encrypt data systems and demand a payment to release them — have proliferated since the coronavirus pandemic, as remote working lessened cyber defences.
But data from US tech group IBM shows that organisations that paid a ransom achieved only a small difference in the cost of the attack — $5.06mn compared with $5.17mn — although this does not include the cost of the ransom itself. “Given the high cost of most ransomware demands, organisations that paid the ransom likely ended up spending more overall than those that didn’t,” the report said.
Some — particularly those who object to the idea of negotiating with criminals — argue that paying off hackers only encourages them and continues a cycle of cyber crime. They note that, by paying hackers, victims risk breaching sanctions and other national regulations, and could inadvertently fund a national adversary, corrupt regime, organised crime gang, human trafficker, or terrorist.
Payment does not guarantee hackers will unlock systems, either, or that they will not return to demand more money. Indeed, as the business of ransomware has proven more lucrative, cyber criminals from Russia, Iran and North Korea have evolved their strategies to squeeze as much money from a victim as possible, experts say.
David Higgins, senior director for the field technology office at information security group CyberArk, says his data shows that organisations hit by ransomware in 2023 typically paid up at least twice, meaning they were likely victims of so-called double extortion campaigns. These are attacks where hackers not only block access to a victim’s systems by encrypting data, but also steal data, threatening to release the sensitive information unless a ransom is paid.
“Companies should have a contingency plan in place if their payment does not elicit the results they had been promised,” advises Matthew Roach, head of the i-4 cyber security leaders community at KPMG UK.
Some authorities are outlawing the payment of ransoms — for example, the US states of North Carolina and Florida have explicitly banned state and local government agencies from paying hackers.
But businesses may have little choice if they wish to stay afloat. “In reality, negotiations with cyber criminals are often necessary to maximise outcomes,” says Weirup. “Paying the ransom can be the quickest way to recover data and resume operations, especially if the ransom is less than the costs.”
The negotiating team should both “determine the underlying motives of the hackers” and “formulate a cost-benefit analysis by determining their alternatives”, she says. For example, victims should check whether they have data backups, or other ways to get critical services up and running.
Negotiators should engage with hackers sooner rather than later to prevent escalations, experts say. “They expect to be ignored and will respond by escalating their threats, calling executives, making threats via social media, and increasing hostilities until they feel they are being listened to,” says Roach.
But, while hackers might use time pressure to compel victims to pay up, so too can businesses slow down the process — giving them time to recover their data or operations behind the scenes. “Companies may choose to negotiate in an attempt to instil delays rather than merely reduce the ransom amount or avoid the payment altogether,” says Roach.
Ultimately, it is the victim and the negotiators who need to define how they will measure success, Weirup says — be that data recovery, minimising financial loss and disruption, or reducing reputational harm.
“It’s crucial to establish . . . a point beyond which they are not prepared to continue negotiations,” she says.