
Industry surveys suggest that, while the number of ransomware attacks continues to rise, companies aren't paying ransoms as often — or in as large amounts — as in the past.
A February 2025 report from cyberincident response firm Coveware reported that 25% of companies hit in the last quarter of 2024 paid a ransom. That was an all-time low, Coveware said, and marked "a big milestone in the fight against ransomware." The report also found that the median payment was $110,890, down 45% from the prior quarter.
Similarly, Chainalysis, a blockchain analytics firm, estimated that ransomware groups collected a total of $813 million in payments in 2024, a 35% decline from 2023's $1.25 billion.
These numbers point to some positive news on the cybersecurity front, but they don't make a successful ransomware attack any less of a crisis when it's your organization that has been hit. You'll need to scramble to respond, assess the damage and confront a hugely important question: Do we pay a ransom?
"If your organization is a victim of ransomware, and there is an infection despite your controls, the questions become: First, 'Do we have to pay this?' and 'Are we at the mercy of the ransomware operators?'" said Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society (HIMSS) North America. Answering these questions, Kim and others said, is not an easy task and involves complex considerations.
Are ransomware negotiations legal?
The FBI does not encourage ransomware payments. Paying a ransom does not guarantee your organization will get its data back, and, in the FBI's view, payments embolden perpetrators to target more victims and provide an incentive for others to get involved in this type of crime.
Some countries even prohibit paying ransoms. Many countries, including the United States, prohibit payments that could end up in certain countries and other foreign entities. The U.S. Treasury Department's Office of Foreign Assets Control administers and enforces economic and trade sanctions against foreign countries, regimes and individuals deemed a threat.
Several U.S. states, including Florida, North Carolina and Tennessee, have passed laws that prohibit public sector entities from paying ransoms. North Carolina's law forbids public entities from negotiating with threat actors.
How does ransomware negotiation work?
Ransomware attacks can happen days or even months after threat actors have breached an organization's defenses. After doing some reconnaissance, the attackers strike, locking devices, encrypting data and/or exfiltrating data that they threaten to release — unless the victimized organization pays a ransom.
Ransomware groups might contact the organization via a text file or email. Some reach out through voicemail, while others direct their targets to chat apps or sites on the dark web. It's at this point that a victimized organization must decide whether to engage the hackers in negotiations, said Kyriakos Vassilakos, assistant section chief of the FBI Cyber Division.
The FBI has worked with organizations whose own executives handle the negotiations as well as organizations that use incident response vendors and professional ransomware negotiators. Vassilakos said the FBI does not advocate for one option over the other.
The role of ransomware negotiators
Although threat actors often warn victims against involving others, Vassilakos recommends making one call immediately. "Bring in the FBI as early as possible."
In addition to investigating the attack, the FBI can provide expert advice and sometimes even decryption keys. Vassilakos stressed that the FBI keeps victim information confidential.
Others recommend that victim organizations hire professional ransomware negotiators. Kim noted that a victim's cyber liability insurance policy often specifies that the organization hire a professional negotiator in the event of a ransomware attack. The insurer might also dictate which negotiator to retain.
Melissa K. Ventrone, leader of the cybersecurity, data protection and privacy practice at international law firm Clark Hill, said negotiations involve technical, legal and financial elements that are better handled by seasoned professionals. Negotiators will know how to run checks to ensure payments don't violate national sanctions, and they'll have experience handling the cryptocurrency necessary to make a ransom payment.
Ventrone, whose firm has been involved in ransomware responses but hires vendors to provide negotiators, said executives at victim organizations who try to negotiate on their own learn quickly that they're in over their heads.
Paul Caron, head of cybersecurity for the Americas at S-RM, a global corporate intelligence and cybersecurity consultancy, said the professionals typically have law enforcement, military and/or intelligence experience.
Executives at a victimized organization will likely be trying to manage a crisis on little sleep and under extreme stress. A professional negotiator won't have those pressures and distractions, Caron said. They can focus on the back and forth with the cybercriminals.
Professionals also bring knowledge gathered from prior negotiations, which can help in resolving the situation more favorably for their client, Caron added.
Kim, a lawyer, said she advises ransomware victims to hire negotiators. In such high-stakes situations, most victims can't be as analytical or objective as they need to be when negotiating. They might, for example, let slip a detail that could be used against them.
When to consider negotiating with ransomware attackers
While the FBI's position is against paying ransoms, Vassilakos said authorities understand that paying is a business decision.
"The entities have to make the decision that is in their best interests," Vassilakos said, adding that past ransomware attacks have destroyed organizations.
Other legal, security and business leaders share that view, explaining that a ransomware attack forces executives to weigh the cost of paying a ransom against their ability to recover from the attack without paying. Questions to consider include how long the recovery would take, how much that recovery would cost, the value of any lost data and the impact of downtime.
An organization's cyber insurance policy also factors into the decision on whether to negotiate, and policies typically address the point directly, experts said.
Even if an organization won't pay a ransom, negotiations with its attackers might still provide a benefit. Negotiations, which take at least 24 hours and often longer, can give organizations valuable time to investigate the damage. Ventrone and others said the extra time allows a business to determine whether decryption keys can be located through other channels, whether backup files are sufficient and whether recovery is feasible without paying a ransom.
What are the benefits of ransomware negotiation?
Victim organizations might find that negotiating with the bad actors could yield advantages, experts said. These include the following:
- A lower ransom. Ventrone said payments can range from a few thousand dollars to millions.
- A pause to the damage. "If you're talking with them in the middle of an attack, they're going to stop the attack, and they won't launch secondary attacks. That gives the company time to close back doors and time to recover," Ventrone said.
- More time to evaluate the extent of the attack. The time required for negotiation gives teams the opportunity to identify the type of attack, the specific damage, which data is encrypted or exfiltrated and whether decryption keys are available from the FBI or the No More Ransom project, Kim said.
- A security report. Some threat actors give victim organizations information about the security gaps they exploited to infiltrate systems. This information can help to improve a victimized organization's defenses and potentially prevent future incidents.
- Verification of damage done and that decryption will work. Ventrone said skilled negotiators can elicit proof that the ransomware group has, in fact, stolen what they claim to have stolen. Negotiators should also be able to get the attackers to demonstrate that the decryption methods they provide will actually work.
- Information to share with law enforcement and/or the security community. Caron noted that negotiations could yield useful information, such as the threat actors' country of origin and tactics.
What are the risks of ransomware negotiation?
Organizations that choose to negotiate with threat actors need to understand the downsides. Engaging with threat actors, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), carries significant risks, including the following:
- There is no guarantee that an organization will regain access to its data. CISA noted that, in some cases, cybercriminals do not provide decryption keys, even after they have been paid a ransom.
- Cybercriminals could target an organization more than once. Some victims have been extorted to pay more, CISA said, even after paying the original ransom.
- Negotiating might reinforce bad behavior. Companies that cooperate with hackers might inadvertently encourage others to engage in this criminal activity.
Ethical questions are part of the conversation. "The money goes to criminals," Ventrone said. "The money is not going to 'good'; it's going to 'bad.' So, to the extent we can, we talk to clients about whether that's something they want to consider."
Ransomware negotiation strategies
In partnership with the FBI, the National Security Agency and the Multi-State Information Sharing and Analysis Center (MS-ISAC), CISA developed a guide that provides advice on how to respond to a ransomware attack, advising victim organizations on steps to take during each of the following key phases of an incident:
While attorneys, security professionals and professional negotiators do not disclose the specific tactics they've seen or used in ransomware negotiations, they say negotiations should focus on several goals. Beyond negotiating a lower ransom, Caron said, negotiators should seek to get details on the data that the threat actors targeted as well as proof that the data was taken. They should try to learn the identities and locations of the threat actors as well as other information that could help future victims.
Caron said negotiators work to get ransomware groups to demonstrate that they have the capability to decrypt the files they had encrypted. Negotiators also use strategies to pace the negotiations to benefit the victims — that is, whether to proceed swiftly, if the objective is to resume operations as quickly as possible, or to move more slowly to gain more time for investigation.
Likelihood of ransomware negotiation success
CISA and others warn that negotiating and paying a ransom to criminals provides no guarantee of a satisfactory outcome, regardless of what threat actors might promise.
Still, there are indications of a certain self-interested honor among thieves. Ventrone and Caron said they've found that victims who negotiated ransoms usually get what they pay for and are not re-victimized.
"Most of the threat actors, if you pay a ransom, will not attack you again. It's a matter of their reputation. They're making sure they will honor their promise so [future victims] will pay ransoms," Ventrone said.
Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.