• Home
  • /Learn
  • /Ransomware Negotiator Insights: Why Ransomware Attacks Are On the Rise
background image


Ransomware Negotiator Insights: Why Ransomware Attacks Are On the Rise


Today's blog topic is all about ransomware negotiator insights... and why the rise of ransomware is directly threatening your organization.

Over the last ten years, cybercriminals have progressed in their technical knowledge and expertise. The ability to readily re-invent themselves and rapidly create new malicious attacks with dedicated preparation and agility gives them an even greater capacity for destruction. According to the Verizon Data Breach Investigations Report 2022, ransomware attacks rose dramatically, accounting for nearly 25% of all significant breaches.

Furthermore, a related study by Sophos revealed ransomware affected 66% of organizations in 2021—a  78% spike compared to 2020. Organizations must remain vigilant against the growing danger of ransomware and its insidious Ransomware as a Service (RaaS) business model.

How? Well, let's dive right in:

Firstly, What is a Ransomware Negotiator?

A ransomware negotiator is a service or individual helping organizations negotiate with ransomware attackers to release encrypted data securely. Ransomware negotiators come into the picture when there is no data backup; they may also be summoned when the security response team fails to implement ransomware decryptors.

The goal of a negotiator is to help the victim organization restore access to their data without fully paying the ransom amount. Ransom negotiators are employed by IT forensics investigation companies or can work independently as freelance researchers. They are also responsible for collecting cyber threat intelligence and analyzing various factors associated with a ransomware attack.

Ransomware Negotiator Insights

Drew Schmitt, GRIT lead analyst and an experienced ransomware negotiator for GuidePoint Security, provided the following insights:

Mapping Taxonomy to Ransomware Gangs

Ransomware negotiators do a massive analysis of ransomware taxonomy and how they are related to different ransomware gangs. Based on their study and research, ransomware negotiators categorize ransomware attack groups into four buckets. 

  1. Ephemeral

  2. Full-time

  3. Splinter

  4. Rebrands

They noted that most attacks came from the taxonomy dubbed full-time ransomware groups. They remain active for nine months or more and target multiple victims. According to Schmitt, "Full-time ransomware gangs are the ones doing very consistent operations & can maintain a very high tempo."

Quick Rebranding of Ransomware Groups

Ransomware negotiator Schmitt noted that ransomware groups appear with catchy names and disappear instantly. It shows they love to rebrand to target victim organizations.

Schmitt said, "It does make it very difficult for the blue teamers or the defenders to keep up with these name-changing trends." He added, "Getting an idea of what the threat actors are focusing on, how much they pop up and go away, and other such analytics is very valuable for the defenders."

Ransom Demands Reaching New Heights in 2023

Security analysts and ransomware negotiators noted that the ransom demand has recently increased. Schmitt highlighted the fact that some negotiations go successfully and seamlessly. "So, starting at US$ 15 million and negotiated down to US$ 500,000 is not uncommon. But at the same time, there are just certain threat actors that are like, you know what? That is my price, and I don't care what you say. I am not negotiating." That's when the company needs to decide whether they will pay or not.


Ransomware gangs often utilize tactics, techniques and procedures (TTP) that make detection and response quite effortless. However, large-scale hackers can make a significant difference by utilizing the ransomware-as-a-service (RaaS) model to coordinate with various affiliates and attackers - making negotiations complex as negotiators must interact with several people.

Schmitt highlighted that negotiating earlier with ransomware groups was easy as they were dealing with the same person. But according to him, "In today's ecosystem, there are just so many different groups and so many different affiliates that are participating as part of these groups that you're almost starting from scratch."

Advanced Backup Techniques

An improvisation in the backup strategy helps ransomware negotiators and security professionals recover the data without succumbing to the extortion demands. Ransomware negotiator and expert Schmitt says, "Many organizations that get hit with ransomware recover because they have an excellent backup strategy in place."

However, ransomware negotiators claim numerous organizations remain behind the curve in saving data, leading to more profitable ransomware attacks than ever. The advent of double-extortion and triple-extortion ransomware cripples organizations because they steal data and then threaten the organization by leaking or releasing sensitive information publicly.


Despite what many corporate leaders and professionals suspect, that ransomware will vanish with cryptocurrencies losing their value, ransom negotiators and cybersecurity experts maintain the contrary—ransomware is here to stay. Taking preventative measures, including regular pentesting, can help identify exploitable vulnerabilities.

Ready to safeguard your organization against common ransomware threats? Download our complimentary Buyer's Guide today to learn what your next steps should be.

Download our Free Buyer's Guide

Whether you are looking to complete Penetration Testing to manage risk, protect your data, comply with regulatory compliance standards or as a requirement for cyber insurance, selecting the right company is crucial.

Download our buyer’s guide to learn everything you need to know to successfully plan, scope and execute your penetration testing projects.