Inside the Business of Ransomware: Insights from Reddit AMA with Ransomware Negotiators

Ransomware negotiators share how modern cybercriminals operate like corporations, using specialized teams, negotiation tactics, and reputation management.

Sarah Gooding

December 17, 2024

A fascinating Reddit AMA is happening right now with ransomware negotiators, offering a rare glimpse into the shadowy world of cybercrime negotiations. These professionals serve as intermediaries between organizations hit by ransomware attacks and the criminal groups holding their data hostage.

The handling of ransomware incidents is shrouded in secrecy, with victims often hesitant to speak publicly about their experiences. This discussion reveals how surprisingly business-like these criminal operations have become, with established playbooks, reputation management, and even customer service teams.

All AMA participants were chosen by the editors at CISO Series ( r/CISOSeries ), a media network for security professionals, and some are commenting anonymously, due to the sensitive nature of their work.

The Corporate Structure of Modern Cybercrime

One of the most striking revelations from the AMA is how ransomware groups have evolved into sophisticated business operations. As one negotiator explains: "They have groups that perform the following: compromise the environment, recon and lateral movement, identify and exfiltrate sensitive information, understand financial statements, perform negotiations, and coding support." This division of labor mirrors traditional corporate structures, with specialized teams handling different aspects of the operation.

One of the most pressing questions surrounding ransomware is how companies decide whether or not to pay the ransom. The AMA participants emphasized that this is ultimately a business decision, weighing the cost of downtime and data loss against the potential risks of paying criminals. u/Ransomware_IR stated:

Typically the need to pay/not pay is a business decision... Sometimes clients are able to contain the damage and recover quickly/successfully (think actual working backups or ransomware being stopped before the blast radius took out too much.)

However, even with payment, there are no guarantees. u/Ransomware_IR also cautioned:

I have seen a number of cases where the attackers came back for additional payments. Sometimes a client 'attempts' to pay the attacker with their own BTC wallet and the threat actor sees more funds... so they want more. Other times it is just part of dealing with criminals. They will extort you as much as they can.

Strong backups and incident response plans are not always enough to protect a company from the damaging effects of having customer data stolen. As we have highlighted in previous posts, the decision to pay a ransom is highly nuanced as the ransomware ecosystem has plenty of ways to pressure organizations with the threat of leaking sensitive data.

The Economics of Ransomware

The numbers shared in the AMA are staggering. According to recent data from Semperis, a security and recovery platform, a survey of nearly 1,000 IT and security professionals shows 83% of organizations were targeted by ransomware attacks in the past year with a high degree of success: 78% of targeted organizations paid the ransom, with 72% paying multiple times.

Participants in the AMA reported dealing with ransom demands ranging from as low as $5,000 to over $50 million. Like any business, these groups understand their market and price accordingly. The negotiators report that many groups research their victims' financial statements to calculate demands the victim is likely to be able to pay.

One negotiator explained how the tactics evolved: "When I started we could use the 'we don't make that kind of money' in our negotiations. Then they started collecting the financial statements...They pivoted to reading the balance sheet and understanding the actual income and money at hand for an organization. Of course some companies would keep their insurance coverage online as well and the attackers could see what the coverage was."

Negotiated reductions can be significant - one negotiator described bringing a $1.5 million demand down to $5,000 for a small HVAC company. Most transactions are in Bitcoin, though some groups have experimented with other cryptocurrencies like Monero. Negotiators reported that payment timelines can be extensive - negotiations typically last anywhere from one month to three months, depending on the goal (deliberate delay or actual negotiation).

Reputation Management in the Criminal World

Perhaps most surprisingly, ransomware groups actively manage their reputation. "Most of the larger groups that I've dealt with operate under a 'Ransomware-as-a-Service' model... Most of these groups and operators care about their reputation, and know that if word spread that their affiliates didn't hold their end of the bargain, then that would tarnish their reputation and result in fewer ransom payments," explains one negotiator.

They compared it to a food delivery app's business model, where maintaining trust is crucial for continued operations. Groups that don't deliver on their promises to decrypt data after payment find themselves struggling to secure future ransoms, as word spreads quickly through the cybersecurity community.

"In my experience, I've not had a single ransomware actor break any of their promises when a victim has opted to settle," another negotiator reported.

The Negotiation Process

What does a ransomware negotiator do? Participants in the AMA describe a methodical process that involves "extracting as much information as possible," including:

  • Obtaining proof of stolen data
  • Verifying decryption capabilities
  • Gathering intelligence about the attack
  • Price negotiation
  • Coordinating with law enforcement

Communications typically happen through dark web chat portals or encrypted email channels. The negotiators often intentionally play specific roles to gain advantages. As one explains: "One thing to keep in mind is typically we do not want the attacker knowing we are a firm with a background in negotiations. I'm likely to play the admin assistant because the IT guy got fired. I don't know anything about anything. Which buys me time in slowing the negotiations down."

The process can be delicate - negotiators mentioned cases where well-meaning clients damaged negotiations by trying to communicate directly with attackers. "Having the IT guy actively communicating with the attacker while I'm trying to negotiate... and yeah he agreed to an amount before we were cleared to talk about money" was cited as one of the worst situations clients can create.

Time management is also crucial. Negotiations typically last one to three months, with negotiators sometimes deliberately stalling: "Other times simply playing the delay game with them was enough to upset them. Our board of directors is meeting this week to discuss payment, followed by two board directors couldn't make it last week so they are meeting this week... that only can go for a couple weeks before they get upset."

Throughout the process, negotiators work closely with forensic teams, feeding them intelligence gathered from communications with the attackers to help understand the scope of the breach and guide recovery efforts.

The Path to Becoming a Ransomware Negotiator

Despite their business-like approach, the negotiators emphasize that these are still criminal enterprises. Even after payment, there's no guarantee that stolen data won't be sold or leaked. As one negotiator notes: "I don't trust them even if they state they are deleting everything." They shared a case where a group claimed to have deleted stolen files, only to accidentally reveal in a later negotiation that they still had the data.

It takes a certain type of professional to navigate these high-stakes interactions with criminal enterprises, balancing the need to build rapport while maintaining appropriate skepticism.

So how does one become a ransomware negotiator? The AMA reveals there's no single career path, but most practitioners come from technical backgrounds in digital forensics, incident response, security operations, or cyber threat intelligence. Some have also transitioned from law enforcement or intelligence careers.

What's clear is that this isn't typically an entry-level position. Most negotiators started at established firms already doing this work, beginning with smaller cases under $100,000 and gradually building trust within their organizations. As one negotiator explained: "From my experience, I had to get a job with a company that was already established doing this type of work. Then 'luck' would have it that someone thought I'd be a good fit."

It's also worth noting that ransomware negotiation is rarely a standalone role. Most practitioners have other full-time positions in security and handle negotiations as part of their broader responsibilities. As one negotiator put it: "Basically I don't think there are shortcuts for this type of position and you somewhat have to prove yourself with an organization before they let anyone start negotiating."

The professionalization of ransomware operations presents new challenges for cybersecurity. Organizations need to understand they're not dealing with lone hackers but sophisticated criminal enterprises with customer service teams, negotiation playbooks, and business strategies.

For those interested in understanding how modern ransomware operations really work, the complete AMA provides a rare and valuable window into the world of criminal enterprises and the professionals who negotiate with them. It's running all week through December 20, 2024.
