Ransomware Negotiation: Does It Work, and Should You Try It?

By Admin
April 12, 2025
Industry surveys suggest that, while the number of ransomware attacks continues to rise, businesses aren't paying ransoms as often, or in as large amounts, as in the past.

A February 2025 report from cyberincident response firm Coveware reported that 25% of companies hit in the final quarter of 2024 paid a ransom. That was an all-time low, Coveware said, and marked "a major milestone in the fight against ransomware." The report also found that the median payment was $110,890, down 45% from the prior quarter.

Similarly, Chainalysis, a blockchain analytics company, estimated that ransomware groups collected a total of $813 million in payments in 2024, a 35% decline from 2023's $1.25 billion.

These numbers indicate some positive news on the cybersecurity front, but they don't make a successful ransomware attack any less of a crisis when it's your organization that's been struck. You'll have to scramble to respond, assess the damage and confront a hugely important question: Do we pay a ransom?

"If your organization is a victim of ransomware, and there is an infection despite your controls, the questions become: First, 'Do we have to pay this?' and 'Are we at the mercy of the ransomware operators?'" said Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society (HIMSS) North America. Answering those questions, Kim and others said, is not an easy task and involves complex considerations.

Are ransomware negotiations legal?

The FBI does not encourage ransomware payments. Paying a ransom does not guarantee your organization will get its data back, and, in the FBI's view, payments encourage perpetrators to target more victims and provide an incentive for others to get involved in this type of crime.

Some countries even prohibit paying ransoms. Many nations, including the United States, prohibit payments that might end up in certain countries and other foreign entities. The U.S. Treasury Department's Office of Foreign Assets Control administers and enforces economic and trade sanctions against foreign countries, regimes and individuals deemed a threat.

Several U.S. states, including Florida, North Carolina and Tennessee, have passed laws that prohibit public sector entities from paying ransoms. North Carolina's law forbids public entities from negotiating with threat actors.

How does ransomware negotiation work?

Ransomware attacks can happen days or even months after threat actors have breached an organization's defenses. After doing some reconnaissance, the attackers strike, locking devices, encrypting data and/or extracting data that they threaten to release unless the victimized organization pays a ransom.

Ransomware groups might contact the organization via a text file or email. Some reach out by voicemail, while others direct their targets to chat apps or sites on the dark web. It's at this point that a victimized organization must decide whether to engage the hackers in negotiations, said Kyriakos Vassilakos, assistant section chief of the FBI Cyber Division.

The FBI has worked with organizations whose own executives handle the negotiations as well as organizations that use incident response vendors and professional ransomware negotiators. Vassilakos said the FBI does not advocate for one option over the other.

The role of ransomware negotiators

Although threat actors sometimes warn victims against involving others, Vassilakos recommends making one call immediately. "Bring in the FBI as early as possible."

In addition to investigating the attack, the FBI can provide expert advice and sometimes even decryption keys. Vassilakos stressed that the FBI keeps victim information confidential.

Others recommend that victim organizations hire professional ransomware negotiators. Kim noted that a victim's cyber liability insurance policy often specifies that the organization hires a professional negotiator in the event of a ransomware attack. The insurer might also dictate which negotiator to retain.

Melissa K. Ventrone, chief of the cybersecurity, data protection and privacy practice at international law firm Clark Hill, said negotiations involve technical, legal and financial factors that are better handled by seasoned professionals. Negotiators will know how to run checks to ensure payments don't violate national sanctions, and they'll have experience handling the cryptocurrency necessary to make a ransom payment.

Ventrone, whose firm has been involved in ransomware responses but hires vendors to provide negotiators, said executives at victim organizations who try to negotiate on their own learn quickly that they're in over their heads.

Paul Caron, head of cybersecurity for the Americas at S-RM, a global corporate intelligence and cybersecurity consultancy, said the professionals typically have law enforcement, military and/or intelligence experience.

Executives at a victimized organization likely will be trying to manage a crisis on little sleep and under extreme stress. A professional negotiator won't have those pressures and distractions, Caron said. They can handle the back and forth with the cybercriminals.

Professionals also bring knowledge gathered from prior negotiations, which can help in resolving the situation more favorably for their client, Caron added.

Kim, a lawyer, said she advises ransomware victims to hire negotiators. In such high-stakes scenarios, most victims can't be as analytical or objective as they need to be when negotiating. They might, for example, let slip a detail that could be used against them.

When to consider negotiating with ransomware attackers

While the FBI's position is against paying ransoms, Vassilakos said authorities understand that paying is a business decision.

"The entities need to make the decision that is in their best interests," Vassilakos said, adding that past ransomware attacks have destroyed organizations.

Other legal, security and business leaders share that view, explaining that a ransomware attack forces executives to weigh the cost of paying a ransom against their ability to recover from the attack without paying. Questions to consider include how long the recovery would take, how much that recovery would cost, the value of any lost data and the impact of downtime.

An organization's cyber insurance policy also factors into the decision on whether to negotiate, and policies typically address the point directly, experts said.

Even if an organization won't pay a ransom, negotiations with its attackers might still provide a benefit. Negotiations, which take at least 24 hours and often longer, can give organizations valuable time to investigate the damage. Ventrone and others said the extra time allows a business to determine whether decryption keys can be located through other channels, whether backup files are sufficient and whether recovery is feasible without paying a ransom.

What are the benefits of ransomware negotiation?

Victim organizations may find that negotiating with the bad actors could yield advantages, experts said. These include the following:

  • A lower ransom. Ventrone said payments can range from several thousand dollars to millions.
  • A pause to the damage. "If you're talking with them in the middle of an attack, they're going to stop the attack, and they won't launch secondary attacks. That gives the company time to close back doors and time to recover," Ventrone said.
  • More time to evaluate the extent of the attack. The time required for negotiation gives teams the opportunity to identify the type of attack, the exact damage, which data is encrypted or extirpated and whether decryption keys are available from the FBI or the No More Ransom project, Kim said.
  • A security report. Some threat actors give victim organizations information about the security gaps they exploited to infiltrate systems. This information can help to improve a victimized organization's defenses and potentially prevent future incidents.
  • Verification of damage done and that decryption will work. Ventrone said skilled negotiators can elicit proof that the ransomware group has, in fact, stolen what they claim to have stolen. Negotiators should also be able to get the attackers to demonstrate that the decryption methods they provide will actually work.
  • Information to share with law enforcement and/or the security community. Caron noted that negotiations could yield useful information, such as the threat actors' country of origin and tactics.

What are the risks of ransomware negotiation?

Organizations that choose to negotiate with threat actors need to understand the downsides. Engaging with threat actors, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), carries important risks, including the following:

  • There is no guarantee that an organization will regain access to its data. CISA noted that, in some cases, cybercriminals don't provide decryption keys, even after they have been paid a ransom.
  • Cybercriminals could target an organization more than once. Some victims have been extorted to pay more, CISA said, even after paying the original ransom.
  • Negotiating might reinforce bad behavior. Businesses that cooperate with hackers might inadvertently encourage others to engage in this criminal activity.

Ethical questions are part of the conversation. "The money goes to criminals," Ventrone said. "The money is not going to 'good'; it's going to 'bad.' So, to the extent we can, we talk to clients about whether that is something they want to consider."

Ransomware negotiation strategies

In partnership with the FBI, the National Security Agency and the Multi-State Information Sharing and Analysis Center (MS-ISAC), CISA developed a guide that offers advice on how to respond to a ransomware attack, advising victim organizations on steps to take during each of the following key stages of an incident:

While lawyers, security professionals and professional negotiators do not disclose the specific tactics they've seen or used in ransomware negotiations, they say negotiations should focus on several goals. Beyond negotiating a lower ransom, Caron said, negotiators should seek to get details on the data that the threat actors targeted as well as proof that the data was taken. They should try to learn the identities and locations of the threat actors as well as other information that can help future victims.

Caron said negotiators work to get ransomware groups to demonstrate that they have the capabilities to decrypt the data they had encrypted. Plus, negotiators use techniques to pace the negotiations to benefit the victims: that is, whether to proceed swiftly, if the objective is to resume operations as quickly as possible, or move more slowly to gain more time for investigation.

Likelihood of ransomware negotiation success

CISA and others warn that negotiating and paying a ransom to criminals provides no guarantee that there will be a satisfactory outcome, despite what threat actors might promise.

Still, there are indications of a certain self-interested honor among thieves. Ventrone and Caron said they have found that victims who negotiated ransoms often get what they pay for and are usually not re-victimized.

"Most of the threat actors, if you pay a ransom, will not attack you again. It's a matter of their reputation. They're making sure they are going to honor their promise so [future victims] pay ransoms," Ventrone said.

Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.
