A ransomware payment primer

In a recent Fast Company article titled “From Colonial Pipeline to JBS, how ransomware gangs negotiate ransom payments”, various ransomware experts, including ITsMine CEO Kfir Kimhi, provided insights into the little-understood but critically important world of ransomware negotiations. 

Ransomware – malicious software that encrypts data, and increasingly also steals it, with a ransom demanded in return for decryption (and for not publishing the stolen data) – has been increasing of late, both in scope and in frequency.

The average ransomware payment, according to the article, is $925,162, but this is just the tip of the iceberg; there are significant costs around ransomware in addition to the ransom itself, such as reputational damage, loss of customer trust, interruptions to the business, and so on. This is why IBM has pegged the total cost of a ransomware attack at north of $9m. 

This makes it more understandable that, despite recommendations to the contrary, many organizations conclude that paying the ransom is the right course of action for them. 

This brings us to the murky world of ransomware negotiations. 

How Ransomware negotiations work

The list of ransomware payments is long, and is getting longer all the time. 

Official bodies such as CISA recommend against paying a ransom to attackers; however, following that advice is not always possible. While some companies refuse to talk to the attackers at all, others engage in order to buy time, to negotiate a lower ransom, or to coordinate payment and decryption. 

Here are some key elements of ransom negotiations:

From the victim’s side, common tactics include:

While these tactics may work in some cases, experts such as ITsMine CEO Kfir Kimhi highly recommend bringing in cyber insurers as early as possible. This is for several reasons:

  1. If you go it alone, you’ll be fighting in unfamiliar territory
  2. They have professional Incident Response (IR) teams
  3. They have large, dedicated cybersecurity teams and the experience of having worked on a number of attacks
  4. They can determine risk levels effectively
  5. They have trusted, professional negotiators, which also precludes collusion between outside negotiators and cybercriminals

Get yourself into the best position

At some point, the cyber insurer will have to be brought in, and hopefully this will be done sooner rather than later. One of the first things cyber insurers (and regulators) will want to know is, “What’s been compromised? What’s the damage?”

It’s also important to note that, in the absence of specifics, regulators in particular may assume that all data was compromised, resulting in heavy penalties. 

The good news is that there is something you can do now to prevent this state of confusion and instability. By adding ITsMine’s Agentless Managed Data Protection (MDP), organizations can get:

Real-time alerts: these are crucial when an attacker opens restricted files outside the company. ITsMine’s Managed Data Protection proactively monitors file activity and triggers real-time alerts when unauthorized individuals attempt to access or use restricted files. This immediate notification enables security teams to respond swiftly and mitigate potential data breaches.

Know exactly which files were leaked: by leveraging advanced data tracking and monitoring capabilities, ITsMine’s solution provides organizations with granular visibility into the files that have been compromised. This knowledge empowers organizations to take the necessary actions to mitigate the impact of data breaches and meet regulatory requirements for reporting incidents.

Kill sensitive files remotely: even after they are far beyond company boundaries. ITsMine enables organizations to remotely delete sensitive files, even if they have been exfiltrated from the company’s network. This capability allows companies to maintain control over their data, so that even stolen files do not pose an ongoing risk to the organization. 

For example, with ITsMine, a company can investigate in seconds and come to its insurance company confidently with the knowledge that:

Where ransomware is going

As the Fast Company article notes, ransomware is likely to increase further, due among other factors to the rise of RaaS (Ransomware as a Service) groups and to cooperation between attackers and state-sponsored entities. 

And while governments are rightly being looked to for an umbrella of protection, they have also made it clear that private IT departments are the owners of ransomware protection.

To learn more about ITsMine’s agentless solution for protecting against ransomware attacks, preventing data leakage and theft, and mitigating attack consequences, reach out to a product expert today.
