• Home
  • /Learn
  • /Ransomware Negotiator Explains Why Ransomware Attacks Are On The Rise


Ransomware Negotiator Explains Why Ransomware Attacks Are On The Rise


Over the last ten years, cybercriminals have progressed in their technical knowledge and expertise. The ability to readily re-invent themselves as well as rapidly create new kinds of malicious attacks with dedicated preparation and agility gives them an even greater capacity for destruction. According to the Verizon Data Breach Investigations Report 2022, ransomware attacks rose dramatically, accounting for nearly 25 percent of all significant breaches. A report by Sophos revealed ransomware affected 66 percent of organizations in 2021—a  78 percent spike compared to 2020. Organizations must remain ever vigilant against the growing danger of ransomware and its insidious Ransomware as a Service (RaaS) business model.

What is a ransomware negotiator?

A ransomware negotiator is a service or individual helping organizations negotiate with ransomware attackers to release encrypted data securely. Ransomware negotiators come into the picture when there is no data backup. They may also be summoned when the security response team fails to implement the ransomware decryptors. The goal of a negotiator is to help the victim organization restore access to their data without fully paying the ransom amount. Ransom negotiators are employed by IT forensics investigation companies or can work independently as freelance researchers. They are also responsible for collecting cyber threat intelligence and analyzing various factors associated with a ransomware attack.

Insights on ransomware from a ransomware negotiator

Drew Schmitt, GRIT lead analyst and an experienced ransomware negotiator for GuidePoint Security, provided some insights.

Mapping taxonomy to ransomware gangs

Ransomware negotiators do a massive analysis of ransomware taxonomy and how they are related to different ransomware gangs. Based on their study and research, ransomware negotiators categorize ransomware attack groups into four buckets. 

  1. Ephemeral

  2. Full-time

  3. Splinter

  4. Rebrands

They noted that most attacks came from the taxonomy dubbed full-time ransomware groups. They remain active for nine months or more and target multiple victims. According to Schmitt, "Full-time ransomware gangs are the ones doing very consistent operations & can maintain a very high tempo."

Quick rebranding of ransomware groups

Ransomware negotiator Schmitt noted that ransomware groups pop up with catchy names and disappear instantly. It shows they love to rebrand to target victim organizations. Schmitt said, "It does make it very difficult for the blue teamers or the defenders to keep up with these name-changing trends." He added, "Getting an idea of what the threat actors are focusing on, how much they pop up and go away, and other such analytics is very valuable for the defenders."

The ransom demand is reaching new heights

Security analysts and ransomware negotiators noted that the ransom demand have recently increased. Schmitt highlighted the fact that some negotiations go successfully and seamlessly. "So, starting at US$ 15 million and negotiated down to US$ 500,000 is not uncommon. But at the same time, there are just certain threat actors that are like, you know what? That is my price, and I don't care what you say. I am not negotiating." That's when the company needs to decide whether they will pay or not.

Ransomware-as-a-Service is a negotiation wildcard

Ransomware gangs often utilize tactics, techniques and procedures (TTP) that make detection and response quite effortless. However, large-scale hackers can make a significant difference by utilizing the ransomware-as-a-service (RaaS) model to coordinate with various affiliates and attackers - making negotiations complex as negotiators must interact with several people. Schmitt highlighted that negotiating earlier with ransomware groups was easy as they were dealing with the same person. But according to him, "In today's ecosystem, there are just so many different groups and so many different affiliates that are participating as part of these groups that you're almost starting from scratch."

Better backup techniques

An improvisation in the backup strategy helps ransomware negotiators and security professionals recover the data without succumbing to the extortion demands. Ransomware negotiator and expert Schmitt says, "Many organizations that get hit with ransomware recover because they have an excellent backup strategy in place."

However, ransomware negotiators claim numerous organizations remain behind the curve in saving data, leading to more profitable ransomware attacks than ever. The advent of double-extortion and triple-extortion ransomware cripples organizations because they steal data and then threaten the organization by leaking or releasing that sensitive information publicly.


Despite what many corporate leaders and professionals suspect, that ransomware will vanish with cryptocurrencies losing their value, ransom negotiators and cybersecurity experts maintain the contrary—ransomware is here to stay. Taking some preventative measures, including regular pentesting, can help identify exploitable vulnerabilities.

Ransomware Penetration Testing

Ransomware penetration testingevaluates the preparedness and risk of a ransomware attack. In addition to a complete analysis of the security program against the Cybersecurity Framework Profile for Ransomware Risk Management (NISTIR 8374), and a technical assessment of security controls, a full penetration test is conducted to measure the robustness of your systems.