{
	"id": "a9b99c69-c292-4ebc-9e58-4616fcc42a76",
	"created_at": "2026-04-06T00:11:21.568802Z",
	"updated_at": "2026-04-10T03:20:44.052133Z",
	"deleted_at": null,
	"sha1_hash": "dc0c8d599ae7b5605ab0ecd90b823250d7f9bcc1",
	"title": "Ransomware negotiations: An inside look at the process",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 276725,
	"plain_text": "Ransomware negotiations: An inside look at the process\r\nBy Rob Wright\r\nPublished: 2021-03-29 · Archived: 2026-04-05 13:32:04 UTC\r\nAs ransomware attacks continue to surge across the globe, the demand for negotiation services has also increased --\r\nand been hard to fill.\r\nKurtis Minder, CEO of GroupSense, experienced the rise firsthand over the last year. GroupSense, a threat\r\nintelligence vendor based in Arlington, Va., specializes in reconnaissance for post-attack engagements to gather\r\ninformation about emerging threats.\r\nMinder said a significant number of the company's customer wins are incident response-driven; often, he said,\r\nlarger incident response vendors would bring GroupSense into breach scenarios to provide additional analysis of\r\nspecific threats in the wild. But something began to shift in the incident response business, starting in early 2020.\r\n\"What happened was we got pulled into a very large incident -- it was a Nasdaq-traded company that suffered a\r\nvery large breach,\" he said. \"We had detected the threat and alerted them, and they brought in their own incident\r\nresponse firm and then brought us back in after the fact.\"\r\nCyber insurance carriers typically have lists or \"panels\" of approved vendors for various incident response\r\nservices that address breaches and ransomware attacks, including ransomware negotiations. In this case, according\r\nto Minder, the victim had just one company for ransomware negotiations on its panel, and that company was\r\n\"completely overwhelmed\" with demand at the time. As a result, GroupSense stepped in and conducted the\r\nnegotiations with the threat actors, which opened the door for future engagements with that carrier.\r\nSoon, the company took on other negotiation jobs, and last September GroupSense launched dedicated services for\r\nransomware negotiations. 
Minder said he was conducting three to five negotiations a week after\r\nthe launch.\r\nNot too long ago, ransomware negotiations were viewed by many as a largely unscrupulous endeavor performed\r\nby shady ransomware recovery firms that would claim to decrypt victims' data when in fact they were covertly\r\npaying the ransoms behind the scenes.\r\nBut times have changed. Ransomware attacks have steadily increased, as have the ransom demands, which infosec\r\nexperts say routinely reach seven figures. Experts also say many victims, even those with proper backups to\r\nrestore encrypted data, are now opting to pay ransoms to prevent any exposure of stolen data.\r\nThose factors have driven up demand for incident response specialists who can delay a pressing payment deadline\r\nand negotiate a million-dollar demand down to $200,000. Here's how they do it.\r\nThe negotiators\r\nhttps://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process\r\nPage 1 of 8\n\nKaren Sprenger is COO of LMG Security, an infosec consultancy based in Missoula, Mont., but her unofficial title\r\nis \"chief ransomware negotiator.\" She fell into this role about three years ago when ransomware incidents became\r\nincreasingly common. At that time, negotiating with ransomware threat actors wasn't nearly as common as it is\r\ntoday.\r\n\"I've started to see more clients request ransomware negotiations, and I think part of the reason for that is we're\r\nseeing more of the data extortion component,\" Sprenger said. \"Before, customers could say 'I've got backups; I\r\ndon't need to pay because I can restore my data.'\"\r\nBut that has changed now with data theft and exposure tactics, which Sprenger said have led to an increase in\r\nnegotiations for LMG.\r\nKevin Kline, COO of infosec consultancy Aggeris Group in Essex, Conn., has also seen a steep rise in\r\nransomware attacks, hefty ransom demands and more victims who are willing to pay. 
Before joining Aggeris\r\nGroup in 2019, Kline spent nearly 30 years with the FBI, most recently serving as assistant special agent in charge\r\nof the New Haven, Conn., field office.\r\nKline said it's hard to determine the full scope of ransomware attacks today. Earlier this month, the FBI's Internet\r\nCrime Complaint Center (IC3) annual report showed a significant increase in ransomware incidents in 2020, as\r\nwell as financial losses -- 2,474 complaints reported to IC3 and losses of more than $29 million, compared with\r\n2,047 complaints and just $9 million in losses the year prior.\r\nThe IC3 routinely discloses that its ransomware data is \"artificially low\" for a variety of reasons. But like other\r\ninfosec professionals, Kline said he believes the IC3 report numbers are extremely low and don't provide an\r\naccurate picture of the problem.\r\n\"In a number of instances, companies that are subject to ransomware attacks do not want to report the matter for a\r\nnumber of reasons: Preventing the public from knowing and undermining confidence in their brand or stock, the\r\nability to handle themselves with support from another company and the inclusion of an NDA, or the fear of\r\nhaving a government entity inside of their network and systems all lead to companies underreporting both the\r\nattacks and the amount of loss,\" Kline said.\r\nRather than report attacks to law enforcement agencies, which typically don't have the time or qualified personnel to\r\nresolve incidents within short windows and tight deadlines, businesses often outsource at least part of the\r\nremediation effort to incident response firms like Aggeris Group to quickly -- and discreetly -- address the\r\nproblem. 
And in many of these cases, Kline said, clients opt to pay the ransoms.\r\nRansom demands like this one from REvil often give victims and negotiators a deadline before\r\ndemands are doubled and stolen data is exposed.\r\nLike Sprenger, Kline said he believes the data thefts and exposure threats have led to a rise in payments. But\r\npaying isn't necessarily the right strategy, since the victim is left to trust cybercriminals to destroy the stolen data.\r\n\"It's more about the appearance of showing that you did everything you could to protect customer data,\" Sprenger\r\nsaid.\r\nAnother contributor to the rising number of paid ransoms is cyber insurance; more enterprises have policies that\r\nwill cover the price of most ransoms, and the threat actors know it. \"There seems to be an understanding [from\r\nattackers] that a lot of companies have cyber insurance and that the policies will pay for the ransom,\" Kline said.\r\nThese trends have put negotiation services in higher demand, but Minder said it's not an easy business. For one,\r\nnegotiation services don't generate a lot of revenue. When GroupSense was building its offering, there were\r\nsuggestions that compensation for negotiation services be a percentage of the paid ransom.\r\n\"The problem with that is it's ripe for fraud between me and the bad guys,\" Minder said, adding that GroupSense\r\ninstead charges an hourly rate as part of its incident response services.\r\nAnother challenge for negotiators is that threat actors can simply \"go nuclear,\" as Minder said, by doubling an\r\nalready-high ransom demand or exposing stolen data on the internet.\r\nFor example, threat actors who attacked Acer with REvil ransomware last week broke off talks with a negotiator\r\nworking on behalf of the computer maker and refused to lower their demand of $50 million. 
The threat actors later\r\nthreatened to launch DDoS attacks against the company, claiming such attacks would continue for years.\r\n\"If a threat actor decides to go nuclear during a negotiation, then that may reflect poorly on us,\" Minder said.\r\nLet's make a deal\r\nRansomware negotiations can vary from incident to incident, but there are some commonalities. For example, all\r\nthree negotiators say threat actors are usually willing to at least discuss lowering their demands.\r\nFor GroupSense, 100% of the negotiations so far have resulted in lower payments, Minder said. Ransom demands\r\noften start out at \"exorbitant\" prices, he said, but they can be negotiated down to more reasonable levels or\r\nreduced by at least 10%.\r\nLMG had a recent case where attackers initially demanded $800,000. When Sprenger simply asked if the attackers\r\nwere open to negotiating, the ransom was immediately dropped to $600,000. \"I didn't even have to name a price at\r\nthat point,\" she said.\r\nBefore negotiations start, the incident response firms must first discuss the incidents with their clients. What starts\r\nas a technical discussion about the specifics of the attack then becomes a business discussion about whether to\r\npay.\r\n\"Incident response starts with the 1s and 0s and the type of encryption the ransomware is using,\" Kline said. \"If\r\nthe client is truly locked out of their systems, then we go to the client and ask what it means to them in terms of\r\nlost access, downtime and reputation.\"\r\nSprenger said there are occasional cases where victims that have proper backups in place choose to pay the\r\nransoms -- even when no data has been stolen -- because they believe it's the fastest way to recover from the attack\r\n(LMG does not recommend that approach). 
But typically, the decision to pay or not is largely based on whether\r\nsystems can be restored from backups and whether confidential data has been stolen.\r\nOnce the decision to pay a ransom has been made by the client, the negotiators contact the threat actors.\r\nPreviously, ransomware gangs used email, but most of the well-known, successful groups now have \"customer\r\nservice\" portals for live chats.\r\nEstablishing trust with the threat actors is key, Minder said, and part of that is being upfront about your role in\r\nthe conversation. \"We never tell the threat actors who we are, but we tell them we are a third party\r\nnegotiating on behalf of the customer.\"\r\nThe negotiators, meanwhile, must assess the threat actors and ask some key questions. Does this ransomware\r\ngroup have a history of decrypting systems after payment, or is its track record spotty? Is the threat actor an\r\noperator of this ransomware group, or a random affiliate that purchased the ransomware code on a dark web\r\nmarket? Has the group exposed victims' data even after they've received ransom payments?\r\nAnd while ransom demands can vary wildly from victim to victim and gang to gang, Kline said these days, the\r\nnumbers tend to be very large and sometimes based on the victim's brand or type of industry. \"The bad guys\r\nalways go high for ransoms now,\" he said. \"They'll know generally what industry a company is in, like healthcare,\r\nbut maybe not the specifics like how much cash on hand they have.\"\r\nSprenger said in some cases, LMG has found certain ransomware groups scanning victims' files for balance sheets\r\nand cyber insurance information. 
In one case, the threat actors gained access to the victim's cyber insurance policy\r\nand knew that the maximum ransom payment the policy would cover was $2 million; as a result, the threat actors\r\nsettled for a $1.95 million payment.\r\nIn almost all ransomware negotiations, time is critical. Victims are often given deadlines -- sometimes as\r\nlong as a week, sometimes as little as 24 hours -- to respond and/or pay ransoms. And often, ransom notes drop on\r\nwhat LMG calls \"Forensic Fridays\" because, as threat researchers have noted, attackers like to strike on or just\r\nbefore the weekend.\r\nWhile the ticking clock adds pressure for victims and negotiators, Kline said the deadline can sometimes be turned to their\r\nadvantage.\r\n\"If we get a big ransom demand, $1 million or more, and we counter with 'We can pay you $100,000 in an hour,'\r\nthey usually take it,\" he said. \"Taking a quick cash payment is more attractive to them than negotiating for days or\r\neven weeks and waiting for cyber insurance payments for $250,000 or $500,000 demands that they ultimately\r\nmay not get.\"\r\nObstacles and questions\r\nNegotiations can sometimes turn tense, especially when threat actors are unwilling to negotiate or are asked to\r\nprovide substantial evidence they've actually stolen a significant amount of sensitive data. Minder said negotiators\r\nhave to get a feel for the threat actor and an accurate read on the tone of the conversation, which can be difficult.\r\n\"It's a soft skill,\" he said of negotiations. \"It's not easily taught.\"\r\nThere are also potential language barriers. Kline said most of Aggeris Group's negotiations are with threat actors\r\nwho appear to be non-native English speakers, based on email exchanges and chat conversations. 
And most\r\nattackers are willing to negotiate a lower payment, though occasionally they'll terminate communications and\r\nmove on to other victims.\r\nThe negotiators said nearly all threat actors follow through with decryption upon payment, though Sprenger said\r\nLMG has sometimes run into cases where the encryption used by specific ransomware variants has trouble with\r\nSQL databases, for example. And occasionally, the decryptors will contain hidden backdoors and other malware.\r\nNegotiators say most ransomware threat actors view their operations as a business and will agree to\r\ndecrypt data upon payment.\r\nBut even though the majority of attackers provide decryptors, a nagging question remains for negotiators: Do the\r\nthreat actors actually destroy victims' data? Sprenger said she's seen no indication that any of the attackers she's\r\ndealt with have gone back on their promises and sold or exposed victims' data after a payment. But she's not\r\nconvinced it hasn't happened.\r\n\"I think it's a little too soon to tell,\" Sprenger said. \"It's a money-making opportunity, so I wouldn't be surprised if\r\nthey sold the data.\"\r\nSprenger cites Uber's notorious breach in 2016, which was covered up by several executives, as evidence that\r\nhackers can't be completely trusted. Last August, the Department of Justice announced former Uber CSO Joe\r\nSullivan had been indicted on two criminal counts in connection with the attempted cover-up of the breach.\r\nSullivan and others were accused of paying $100,000, disguised as a bug bounty payment, to two individuals who\r\nobtained Uber's corporate data from an Amazon S3 bucket. 
The two individuals, who pled guilty to extortion for\r\nthe hack in 2019, agreed to delete the stolen data in exchange for the payment; however, they didn't inform Uber\r\nthat a third, unnamed individual was also involved in the breach and had apparently kept their own copies of\r\nUber's data.\r\nAt the end of the day, Minder said, it's up to the client to make the final decision. Some GroupSense clients are\r\nlarge enterprises that have a CISO as well as outside counsel, breach coaches, incident response vendors and cyber\r\ninsurance representatives all sitting at the table and providing feedback, while other clients are small and midsize\r\nbusinesses like a regional dairy farm that has a single IT operations manager. But ultimately, it's the company's\r\ndecision, and Minder tries to provide guidance to reach the best possible outcome.\r\nThere are no guarantees threat actors will keep their word, he said, but \"these guys are basically running a\r\nbusiness, and if they don't honor the agreement, then eventually no one is going to pay.\"\r\nPotential bans on payments?\r\nA new wrinkle for ransomware negotiations arrived last fall when the U.S. Department of the Treasury's Office of\r\nForeign Assets Control (OFAC) issued an advisory concerning ransomware payments. In short, OFAC said\r\nmaking or facilitating payments to entities on the U.S. sanctions list is against the law and could result in civil penalties such as\r\nfines, even if the payer did not know the recipient was sanctioned.\r\nWhile there was no policy change -- prohibiting ransom payments to sanctioned entities had been a longstanding\r\nregulation -- experts saw the advisory as an effort by the federal government to discourage such actions amid a\r\nrise in overall ransom payments.\r\nThe negotiators said paying ransoms has become much more common. Sprenger attributed the rise to the\r\nadditional threat of data theft and exposure. 
The majority of clients for LMG have cyber insurance policies --\r\naround 80%, which is far higher than just two years ago. And most policies will cover a ransomware payment.\r\nMinder said he wasn't surprised by the advisory, but he saw it as a \"CYA move\" from the government that adds a\r\ncomplicated piece to the negotiation puzzle.\r\nSprenger said the OFAC sanctions list is a concern that negotiators and IR providers must consider. It's a routine\r\npart of the process to check the list and make sure the attacker's cryptocurrency wallet address isn't on it.\r\nBut the larger concern is that, as the ransomware situation grows worse, the government may try to restrict or even\r\nban ransomware payments. For example, Ciaran Martin, former head of the U.K.'s National Cyber Security\r\nCentre, said paying ransoms incentivizes further attacks and suggested banning such payments.\r\nMinder said banning payments isn't the solution. \"I agree -- it's subsidizing and encouraging the behavior,\" he\r\nsaid. \"But to simply say 'Don't do it,' that doesn't solve the actual problem. It seems pretty tone-deaf.\"\r\nHe added that too many companies will be harmed and potentially put out of business if payments are outlawed. If\r\nthe government institutes a ban, Minder said, then it will have to offer some kind of financial assistance or relief\r\nprogram for victims.\r\nEven if the U.S. government put some sort of ban in place, Kline said he doesn't believe it will do much good. If\r\nthe decision for a company is paying an illegal ransom or shutting down completely, then it will find a way to\r\nmake the payment to stay afloat. Then the government will be in a thorny situation of deciding whether it wants to\r\ninvestigate those companies and how to penalize them.\r\n\"I don't think that's feasible,\" Kline said. 
\"It sounds good on paper, but it doesn't seem enforceable in reality.\"\r\nFor now, the OFAC advisory is merely a reminder, but Sprenger and others are bracing for a future where their\r\njobs as ransomware negotiators become even more complicated.\r\n\"The advisory didn't really change anything,\" she said. \"But I would not be surprised if we start to see sanctions at\r\nthe federal level.\"\r\nSource: https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process"
	],
	"report_names": [
		"Ransomware-negotiations-An-inside-look-at-the-process"
	],
	"threat_actors": [],
	"ts_created_at": 1775434281,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc0c8d599ae7b5605ab0ecd90b823250d7f9bcc1.pdf",
		"text": "https://archive.orkl.eu/dc0c8d599ae7b5605ab0ecd90b823250d7f9bcc1.txt",
		"img": "https://archive.orkl.eu/dc0c8d599ae7b5605ab0ecd90b823250d7f9bcc1.jpg"
	}
}