Trade surveys counsel that, whereas the variety of ransomware assaults continues to rise, companies aren’t paying ransoms as usually — or in as giant quantities — as previously.
A February 2025 report from cyberincident response agency Coveware reported that 25% of firms hit within the final quarter of 2024 paid a ransom. That was an all-time low, Coveware mentioned, and marked “a major milestone within the struggle towards ransomware.” The report additionally discovered that the median cost was $110,890, down 45% from the prior quarter.
Equally, Chainalysis, a blockchain analytics firm, estimated that ransomware teams collected a complete of $813 million in funds in 2024, a 35% decline from 2023’s $1.25 billion.
These numbers point out some constructive information on the cybersecurity entrance, however they do not make a profitable ransomware assault any much less of a disaster when it is your group that is been struck. You may must scramble to reply, assess the harm and confront a massively essential query: Will we pay a ransom?
“In case your group is a sufferer of ransomware, and there’s an an infection regardless of your controls, the questions grow to be: First, ‘Do now we have to pay this?’ and ‘Are we on the mercy of the ransomware operators?'” mentioned Lee Kim, senior principal of cybersecurity and privateness on the Healthcare Data and Administration Programs Society (HIMSS) North America. Answering these questions, Kim and others mentioned, shouldn’t be a straightforward process and entails advanced issues.
Are ransomware negotiations authorized?
The FBI doesn’t encourage ransomware funds. Paying a ransom doesn’t assure your group will get its knowledge again, and, within the FBI’s view, funds encourage perpetrators to focus on extra victims and supply an incentive for others to become involved in this sort of crime.
Some nations even prohibit paying ransoms. Many countries, together with the US, prohibit funds that may find yourself in sure nations and different overseas entities. The U.S. Treasury Division’s Workplace of International Belongings Management administers and enforces financial and commerce sanctions towards overseas nations, regimes and people deemed a risk.
A number of U.S. states, together with Florida, North Carolina and Tennessee, have handed legal guidelines that prohibit public sector entities from paying ransoms. North Carolina’s regulation forbids public entities from negotiating with risk actors.
How does ransomware negotiation work?
Ransomware assaults can occur days and even months after risk actors have breached a company’s defenses. After performing some reconnaissance, the attackers strike, locking units, encrypting knowledge and/or extracting knowledge that they threaten to launch — except the victimized group pays a ransom.
Ransomware teams would possibly contact the group by way of a textual content file or electronic mail. Some attain out by way of voicemail, whereas others direct their targets to talk apps or websites on the darkish net. It is at this level {that a} victimized group should resolve whether or not to interact the hackers in negotiations, mentioned Kyriakos Vassilakos, assistant part chief of the FBI Cyber Division.
The FBI has labored with organizations whose personal executives deal with the negotiations in addition to organizations that use incident response distributors {and professional} ransomware negotiators. Vassilakos mentioned the FBI doesn’t advocate for one possibility over the opposite.
The function of ransomware negotiators
Though risk actors generally warn victims towards involving others, Vassilakos recommends making one name straight away. “Carry within the FBI as early as potential.”
Along with investigating the assault, the FBI can present knowledgeable recommendation and generally even decryption keys. Vassilakos harassed that the FBI retains sufferer data confidential.
Others suggest that sufferer organizations rent skilled ransomware negotiators. Kim famous {that a} sufferer’s cyber legal responsibility insurance coverage coverage normally specifies that the group hires an expert negotiator within the occasion of a ransomware assault. The insurer may additionally dictate which negotiator to retain.
Melissa Ok. Ventrone, chief of the cybersecurity, knowledge safety and privateness observe at worldwide regulation agency Clark Hill, mentioned negotiations contain technical, authorized and monetary elements which can be higher dealt with by seasoned professionals. Negotiators will know the right way to run checks to make sure funds do not violate nationwide sanctions, and so they’ll have expertise dealing with the cryptocurrency essential to make a ransom cost.
Ventrone, whose agency has been concerned in ransomware responses however hires distributors to offer negotiators, mentioned executives at sufferer organizations who attempt to negotiate on their very own be taught shortly that they are in over their heads.
Paul Caron, head of cybersecurity for the Americas at S-RM, a world company intelligence and cybersecurity consultancy, mentioned the professionals usually have regulation enforcement, army and/or intelligence expertise.
Executives at a victimized group probably shall be making an attempt to handle a disaster on little sleep and beneath excessive stress. An expert negotiator will not have these pressures and distractions, Caron mentioned. They will deal with the backwards and forwards with the cybercriminals.
Professionals additionally deliver information gathered from prior negotiations, which might help in resolving the scenario extra favorably for his or her shopper, Caron added.
Kim, a lawyer, mentioned she advises ransomware victims to rent negotiators. In such high-stakes situations, most victims cannot be as analytical or goal as they need to be when negotiating. They could, for instance, let slip a element that may very well be used towards them.
When to contemplate negotiating with ransomware attackers
Whereas the FBI’s place is towards paying ransoms, Vassilakos mentioned authorities perceive that paying is a enterprise resolution.
“The entities should make the choice that is of their greatest pursuits,” Vassilakos mentioned, including that previous ransomware assaults have destroyed organizations.
Different authorized, safety and enterprise leaders share that view, explaining {that a} ransomware assault forces executives to weigh the price of paying a ransom towards their means to get well from the assault with out paying. Questions to contemplate embody how lengthy the restoration would take, how a lot that restoration would price, the worth of any misplaced knowledge and the influence of downtime.
A corporation’s cyber insurance coverage coverage additionally elements into the choice on whether or not to barter, and insurance policies usually tackle the purpose straight, consultants mentioned.
Even when a company will not pay a ransom, negotiations with their attackers would possibly nonetheless present a profit. Negotiations, which take not less than 24 hours and normally longer, may give organizations precious time to analyze the harm. Ventrone and others mentioned the additional time allows a enterprise to find out whether or not decryption keys will be positioned by way of different channels, whether or not backup recordsdata are ample and whether or not restoration is possible with out paying a ransom.
What are the advantages of ransomware negotiation?
Sufferer organizations could discover that negotiating with the unhealthy actors might yield benefits, consultants mentioned. These embody the next:
- A decrease ransom. Ventrone mentioned funds can vary from a number of thousand {dollars} to tens of millions.
- A pause to the harm. “In the event you’re speaking with them in the course of an assault, they’re going to cease the assault, and so they will not launch secondary assaults. That provides the corporate time to shut again doorways and time to get well,” Ventrone mentioned.
- Extra time to guage the extent of the assault. The time required for negotiation offers groups the chance to determine the kind of assault, the precise harm, which knowledge is encrypted or extirpated and whether or not decryption keys can be found from the FBI or the No Extra Ransom mission, Kim mentioned.
- A safety report. Some risk actors give sufferer organizations details about the safety gaps they exploited to infiltrate programs. This data can assist to enhance a victimized group’s defenses and probably forestall future incidents.
- Verification of injury performed and that decryption will work. Ventrone mentioned expert negotiators can elicit proof that the ransomware group has, in actual fact, stolen what they declare to have stolen. Negotiators must also have the ability to get the attackers to reveal that the decryption strategies they supply will truly work.
- Data to share with regulation enforcement and/or the safety neighborhood. Caron famous that negotiations might yield helpful data, such because the risk actors’ nation of origin and ways.
What are the risks of ransomware negotiation?
Organizations that select to barter with risk actors want to grasp the downsides. Participating with risk actors, based on the U.S. Cybersecurity and Infrastructure Safety Company (CISA), carries essential dangers, together with the next:
- There isn’t any assure that a company will regain entry to its knowledge. CISA famous that, in some circumstances, cybercriminals do not present decryption keys, even after they have been paid a ransom.
- Cybercriminals might goal a company greater than as soon as. Some victims have been extorted to pay extra, CISA mentioned, even after paying the unique ransom.
- Negotiating would possibly reinforce unhealthy habits. Companies that cooperate with hackers would possibly inadvertently encourage others to interact on this legal exercise.
Moral questions are a part of the dialog. “The cash goes to criminals,” Ventrone mentioned. “The cash shouldn’t be going to ‘good’; it should ‘unhealthy.’ So, to the extent we are able to, we speak to purchasers about whether or not that’s one thing they need to contemplate.”
Ransomware negotiation methods
In partnership with the FBI, the Nationwide Safety Company and the Multi-State Data Sharing and Evaluation Heart (MS-ISAC), CISA developed a information that gives recommendation on how to answer a ransomware assault, advising sufferer organizations on steps to take throughout every of the next key levels of an incident:
Whereas legal professionals, safety professionals {and professional} negotiators don’t disclose the precise ways they’ve seen or utilized in ransomware negotiations, they are saying negotiations ought to deal with a number of objectives. Past negotiating a decrease ransom, Caron mentioned, negotiators ought to search to get particulars on the information that the risk actors focused in addition to proof that the information was taken. They need to attempt to be taught the identities and places of the risk actors in addition to different data that may assist future victims.
Caron mentioned negotiators work to get ransomware teams to reveal that they’ve the capabilities to decrypt the recordsdata they’d encrypted. Plus, negotiators use methods to tempo the negotiations to learn the victims — that’s, whether or not to proceed swiftly, if the target is to renew operations as shortly as potential, or transfer extra slowly to achieve extra time for investigation.
Probability of ransomware negotiation success
CISA and others warn that negotiating and paying a ransom to criminals supplies no assure that there shall be a passable final result, regardless of what risk actors would possibly promise.
Nonetheless, there are indications of a sure self-interested honor amongst thieves. Ventrone and Caron mentioned they’ve discovered that victims who negotiated ransoms normally get what they pay for and usually are not re-victimized.
“Many of the risk actors, when you pay a ransom, is not going to assault you once more. It is a matter of their repute. They’re ensuring they will honor their promise so [future victims] pays ransoms,” Ventrone mentioned.
Mary Ok. Pratt is an award-winning freelance journalist with a deal with protecting enterprise IT and cybersecurity administration.
