Advisen FPN

Advisen Cyber FPN - Monday, March 28, 2022

Negotiating in a ransomware attack: What really happens?



By Erin Ayers, Advisen

Ransomware is a hot topic these days, but the details of these events may remain a mystery to organizations that haven’t experienced an attack. A recent webinar conducted by insurance broker Gallagher sought to clear up some potential misconceptions about the ransomware negotiation process.

During the webcast, John Farley, managing director of Gallagher’s cyber practice, walked through a sample ransomware event with Evgueni Erchov, head of security research and strategy at Arete, kicking off with a voicemail from an “attacker” with threats, promises, and details of the compromise.

Things escalate rapidly, with intellectual property and extensive sensitive information on clients and employees reportedly stolen. The hackers demand $1 million in bitcoin or they will begin releasing that data – much of it potentially damaging to the company’s reputation – to the public.

“Our aim is to have some benefits from your company and walk away,” says the cybercriminal in a voicemail played during the webinar, directing the targeted firm to a Tor browser. Use of the browser protects the attacker’s anonymity, according to Erchov. This tactic, of encrypting and exfiltrating sensitive data, is now quite common, he added, with 70% of cases involving some form of double extortion.

In the depicted scenario, the firm’s IT team wants to pay the ransom. Gallagher’s Farley noted that knowing who provides the bitcoin is a key part of the equation, and much of the audience answered that it is the cyber insurer. Not so, according to Farley and Erchov. It’s actually the incident response firm, or forensic investigator, they said, who will handle ransom payments.

However, having cyber insurance opens the door to those experts and the insurer should be the first call when an incident comes to light to coordinate response. Vetted breach coaches, attorneys, forensic firms, and negotiators will be at your service, Farley explained.

“The beauty of the cyber insurance policy is that you’ve got these experts that have access to bitcoin,” he said. “When they’re available on a 24/7 basis, which they are in the majority of standalone cyber policies, that’s the most important thing.”

A firm in this situation might wonder: Can I negotiate with the threat actors? Yes, according to Erchov; negotiation is successful in about 70% of cases, but many different factors are involved. Whether the affected company has good backups and doesn’t need a decryption key makes a difference, as does the company’s financial status. Erchov cited events where ransomware actors required verification of their targets’ inability to pay high amounts. However, the threat actor’s first demand is often just their opening gambit.

“They always expect the initial demand is not going to be paid,” he said. However, they might also be offended by a lowball offer, so a professional negotiator should be engaged to handle the discussions. Those connections to ransomware response experts also come into play when complying with bans on making payments to federally sanctioned threat actors.

“It would be nice if the bad guys sent us their passports so we could check their ID against the FinCEN list, but that’s not the case,” said Erchov. Instead, teams conduct due diligence checks for compliance, he said. It can take a few hours or up to a day depending on the specific details to verify a payment won’t be made to actors on the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctions list.

While the audience felt that 30% of ransomware attacks are likely to involve OFAC-sanctioned entities, the number is more like 1%, according to Erchov. In the event that it does occur, a payment cannot be legally made by the breach team.

Understanding how involved ransomware events can be may shed some light on the state of the cyber insurance market these days. Price hikes, capacity restrictions, and lower limits are commonplace in the market right now, according to Farley.

“We really are in a place where ransomware and other factors are getting the underwriting community very nervous,” said Farley. “We’re seeing it go up. We’re seeing six- and seven-figure demands.”

He added, “I think we’re going to be in this place for at least the next year or two, until things start to change.”

Managing Editor Erin Ayers can be reached at
