Negotiating with Ransomware Attackers: What to Expect


Negotiating with Ransomware Attackers: What to ExpectIn early July of 2021, Kaseya, a company with a strong reputation for providing cybersecurity solutions, was successfully breached by a ransomware attack. What resulted was a virtual house of cards. Because Kaseya is an IT solutions provider for many other companies, the attack impacted around 1,500 other organizations. The attackers, who go by the moniker REvil, demanded Kaseya pay up, asking for $70 million.

Kaseya decided to work with the FBI and the United States Cybersecurity and Infrastructure Security Agency (CISA). Nineteen days later, they got a universal decryptor key, gave it to the organizations that were impacted, and returned to business. However, it wasn’t—and may never again be—“business as usual.” Similar to their servers in July 2021, Google searches for “Kaseya” return results plagued with the term "ransomware." For everyone else, the Kaseya saga is a sobering reminder: If a cybersecurity company can be breached, anyone can.

This reality raises an uncomfortable question: What should you do if you get attacked? And more specifically, what’s the best way to negotiate with digital terrorists?

Let's take a look at the ransomware negotiation process in the event someone holds all your files hostage. We understand this is a complex issue not easily solved in a single blog post. But this is a pressing issue as you might be hit tomorrow or . . . never. While we do cover what to do during the negotiations, and how to manage the aftermath, every situation is different. If you're reading this while systems are down; contact us immediately to get started at or 877-474-4262 x703.

What Is Ransomware?

Ransomware is a kind of malware that’s able to prevent users from accessing a computer or network until they pay a ransom. If the company or user pays, they have to trust that the attacker will provide them with a decryption key to unlock their system—or that the hacker will unlock the system from their end. While there’s no guarantee a ransomware negotiation will produce this outcome, this is the ultimate goal.

There were 304 million ransomware attacks around the world in 2020, and through 2021, 68.5% of organizations surveyed had been attacked.

Statistically speaking, if you choose to pay the ransom, you stand a decent chance of getting your files back: 60% of organizations that made the first ransom payment regained access to their systems. However, your chances of getting your system back will vary depending on the attacker. Some cybercriminal organizations, such as REvil, have a reputation for fulfilling their end of the bargain and granting access after payment. Some others may take the payment and disappear.

It’s important to note that the federal government’s position on whether or not to pay the ransom is clear: The FBI’s website says, “The FBI does not support paying a ransom in response to a ransomware attack.” They reason that paying “encourages perpetrators to target more victims.”

That being said, a lot of companies have decided to pay, and there are some legitimate reasons why.

Why More and More Companies Have Been Paying Ransoms

Paying the ransom, for some companies, has been a difficult but effective decision. In many situations, the effect of an attack, when stretched out over days and weeks, costs far more than what the attackers are asking for. The data and systems the attackers are holding hostage have both tangible and intangible value, prompting the ransomware negotiation process.

For example, companies can avoid losing customers if they regain control of their systems soon enough, and they can protect their reputations if they can prevent hackers from releasing sensitive information to the public.

In addition, many companies carry cyber insurance. This covers ransomware attacks, so if they pay up, their insurance policy can reimburse them for some or all of the money. In addition, paying the ransom quickly can make it easier to hide the breach from authorities, which, in turn, helps prevent it from becoming a widely known—and potentially embarrassing—event.

What to Do Before You Start Negotiating

As soon as you get hit with an attack, your first step should be to ascertain the value of the files or systems that have been hijacked. After a careful valuation of your hijacked digital resources, which is often best performed by a professional cybersecurity company like GSI, you may discover the following best-case scenarios:

  • You have enough of the files backed up already
  • You have redundant systems in place that can be spun up and brought online relatively quickly
  • The information on the computers they’ve targeted is of minimal value
  • Your business will lose very little, in terms of either money or reputational capital, if you don’t regain access to the info or systems affected

However, your analysis may also reveal that you don’t have adequate backups or redundant or parallel systems in place, and the data or infrastructure that’s been hijacked is essential to your business. Therefore, you may be faced with paying the ransom.

What to Do During the Negotiation

If you decide that paying is an option, your first step is to gain an understanding of who you’re dealing with, particularly their track record when it comes to decrypting files and systems. Using a professional tone:

  • Ask the attackers to verify which organization they represent
  • Request that they show evidence of times they’ve decrypted files in the past
  • Determine if they’ve exposed data anyways after the ransom has been paid
  • If they’ve exfiltrated data and promise to destroy it after the ransom has been paid, ask how they will prove that

What to Do After the Negotiation

After the negotiation, the work of preparing for the next attack and mitigating the damage begins, including any public relations fallout. You should take the following steps:

  • Have a professional cybersecurity company perform a post-mortem analysis, determining what happened, when, how, and why
  • Fix any vulnerabilities that paved the way for the attack and engage the services of a cybersecurity expert to identify and address other weak points in your network
  • Prepare a statement for the public that:
    • Reveals only the necessary information without hiding key facts
    • Includes steps you’re taking to prevent another attack, explained in layman’s terms so all stakeholders can understand
    • Reveals the identity of the attacker and the methodologies they used

The oil infrastructure company Colonial Pipeline decided to pay $4.4 million in cryptocurrency to the criminal organization DarkSide. They then regained control of their systems. When the meat supply company JBS Foods was targeted by REvil, they paid $11 million and then got their system back as well. Keep in mind that while these payments were successful, there’s no way to guarantee the attackers will provide what they promise during negotiations.

How GSI Can Help

Of course, prevention is better than a cure, but considering the sophistication of cybercriminal groups, nearly any organization is vulnerable, regardless of the security measures they have in place. When this happens, it’s best to seek help from experts in ransomware negotiations.

Cybersecurity by GSI can help with pre-attack defenses, post-attack analysis, and negotiation strategies. GSI's cybersecurity experts can position your organization to minimize the impact of an attack—or prevent it altogether. Connect with GSI today to learn how.


John Bassett PortraitJohn Bassett is one of GSI's co-founders and has served as its Chief Technical Officer and Chief Security Officer since its inception in 2004. A frequent speaker and lecturer on cyber security and cloud infrastructure, John thoroughly enjoys sharing what he's learned through all phases of his career in information technology. Questions or ideas - connect with him on LinkedIn or send him an email: