The economics of ransomware: If you decide to pay, here's how to negotiate a discount



Reaction score
Financially motivated adversaries target large and profitable companies. However, if you are a small business affected by ransomware, it may cost you more to recover from the situation.

The Art of Negotiation

The researchers concluded that after negotiation, victims could receive a "discount" of between 10% and 90%. In two thirds of the cases examined, this discount was more than 50%. With the right negotiation tactics, in most cases you can recover 50% or more of the ransom.

And here's what NCC Group considers to be a good negotiation tactic:

1️⃣ Be respectful. The NCC group insists that you look at the ransomware crisis as a business transaction. Researchers have seen many examples of companies becoming frustrated and angry in conversations with attackers, leading to chats being closed. The example below shows that it is better to leave your emotions outside the home.

"Thank you sir. We can pay $750,000 in XMR on the condition that you share with me the exact scope, scope and significance of the data you hold. (...) I emphasize the data and not the decryption key as I have learned about your very positive record in providing decryption keys. Looking forward to your thoughts. Best regards, {victim's name}."

2️⃣ Don't be afraid to ask for more time. Opponents will usually try to force you to make quick decisions. The more stress an opponent can cause, the worse the decision making will be. However, in almost all cases in the second data set, the attacker was willing to extend the timer while negotiations were still ongoing.
3️⃣ Promise to pay a small amount now or a larger amount later. In many cases, the attacker in the second database gave deep discounts when he was offered the opportunity to get a small amount of money now rather than a larger amount of money later.
4️⃣ Convince the enemy that you cannot pay the high ransom amount. Here's an example:
“We have discussed this with our management team. We really want the decryptor for our network and our data to be removed, but you asked for a lot of money, especially at the end of a difficult year. Can you offer us a lower price? "
5️⃣ You should not tell the attacker that you have cyber insurance, and it is also advisable not to save any documents related to it on any accessible servers. If attackers know this, it seriously limits any negotiations. Here is the message from the attacker:

“Look, we know about your cyber insurance. Let's save a lot of time together? Now you offer 3M, and we will come to an agreement. I want you to understand that we will not give you a discount below your insurance amount. Never. If you want to resolve this situation now, this is a real chance.”