
What Do You Get When You Hire a Ransomware Negotiator?

Fraud Management & Cybercrime, Incident & Breach Response, Ransomware

Negotiators Can Buy Time and Lower Ransoms, But Do They Just Encourage Cyber Gangs?


Time was ticking for the Royal Mail security team on an early winter morning in January 2023. Machinery supporting the international courier service abruptly stopped working and began turning itself on and off, and the carrier’s Active Directory servers were locked up by encryption malware.


Then a printer at a Royal Mail facility in Northern Ireland spat out an orange ransom note that said, “LockBit Black Ransomware group. Your data are stolen and encrypted. The data will be published on TOR website.” To make matters worse, an employee tweeted an image of the ransom note, and the whole world knew Royal Mail was under attack.

The leak put immediate pressure on Royal Mail to engage with LockBit, recalled then Royal Mail CISO Jon Staniforth, who hired a ransomware negotiator from a leading cyber incident response firm to deal with the cybercriminals, who were demanding $80 million for a decryption key.

The negotiator, who posed as a junior IT staffer, played a pivotal role in buying time, with talks with the hackers extending over three weeks, Staniforth said. Ultimately, Royal Mail never paid the ransom, but while the negotiations dragged on, “what we were doing was identifying the files we thought they’d stolen to understand if there were any personal data in them,” he said (see: Royal Mail Refused ‘Absurd’ LockBit Extortion Demand).

Despite calls from law enforcement agencies and some lawmakers urging victims not to make any ransom payment, the demand for experienced ransomware negotiators remains high. The negotiators say they provide a valuable service, even if the victim has no intention to pay. They bring skills into an incident that aren’t usually found in the executive suite – strategies for dealing with criminals.


Demand for Ransomware Negotiators Is High

By all accounts, the ransomware business is booming. While ransom payments dipped last year, Zscaler researchers said a Fortune 50 company in early 2024 paid the highest publicly known ransom in history – $75 million – to the Dark Angels ransomware group. Despite law enforcement crackdowns, 48 new ransomware groups emerged in 2024, and over the past three months, ransomware attacks have surged to record levels of nearly 600 attacks a month.

Demand for ransomware negotiators is high in this threat environment, and victims can benefit from a negotiator even if they have no intention of paying the threat actor, said Grayson North, a ransomware negotiator and principal threat analyst at GuidePoint Security.

“Important information can be gleaned pertaining to the scope of stolen data even without money changing hands. This information helps to inform and accelerate other parallel workstreams, such as forensics and the legal assessment of notification requirements,” North said. “If an organization finds themselves needing to pay a ransom, a negotiator almost always pays for themselves by applying knowledge of specific threat actors and their tendencies to reduce demands.”

Negotiation is more of a thinking game, in which you try to outsmart the hackers to buy time and ascertain valuable insight, said Richard Bird, a ransomware negotiator who draws many of his skills from his past stint as a law enforcement crisis aversion expert – talking people out of attempting suicide or negotiating with kidnappers for the release of hostages.

“The biggest difference is that when you are doing a face-to-face negotiation, you can pick up lots of information from a person on their non-verbal communications such as eye gestures, body movements, but when you are talking to someone over email or messaging apps that can cause some issues – because you have got to work out how the person might perceive it,” Bird said.

One advantage of online negotiation is that it gives the negotiator time to reflect on what to tell the hackers. “In a face-to-face discussion, you don’t have the luxury of time, you’ve got to have clarity of mind to make quick judgments and decisions,” Bird said.

Gathering Valuable Intel on Attackers

As in the Royal Mail negotiations, delays can buy time to assess the damage and the extent of the compromise, but negotiators can also ask attackers to provide more proof about the data they claim to hold.

“Ransomware engagement has become more common,” said Gareth Mott, a cyber research fellow at The Royal United Services Institute. “You want to give the impression that you’re legitimately negotiating, but ultimately you might just be engaging for the sake of broader objectives, like buying time, finding out information.”

In some cases, negotiators may have previously dealt with the group and can provide insights on the reputation of the group and whether its decryption key will actually work.

Like hostage negotiators, ransomware negotiators must walk a fine line between delaying the adversaries and antagonizing them. As time drags on, ransomware groups turn to triple-extortion tactics to increase the pressure on victims, such as contacting board members, setting up publicly available countdown clocks for data leaks or hitting the victim’s website with DDoS attacks.

“A negotiator is important for walking a victim of ransomware through the process while remaining as safe and informed as possible,” GuidePoint’s North said. “Victims under stress, in some cases, will behave reactively and make costly, uninformed decisions. We see our role as a calming influence that can erase many of the unknowns and work toward a positive outcome.”

Lowering Ransomware Payments

A ransomware group’s business model depends on a high volume of attacks and successful ransom negotiations in some fraction of them. Coveware recently found that the share of organizations paying a ransom dropped to an all-time low of 25% in 2024.

While little hard data is available on the success of negotiations, Comparitech reported that the average ransom demand in 2024 was $2.3 million, while the average ransom paid was $923,000. The two figures are not drawn from the same set of incidents, so the gap between them is at best an indirect measure of what negotiation achieves.

Ransomware negotiators often find themselves at odds with law enforcement by advising their clients to pay the ransom, which is more likely to happen when an attack interrupts business operations or, as with attacks against hospitals, threatens patient safety.

For example, one of GuidePoint’s customers was in danger of shutting down when a ransomware attack halted the company’s production and fulfillment processes. The business had just three days to fulfill overdue orders, “then they would lose all of their major contracts, effectively terminating the business,” North said.

The negotiator advised the company to pay the ransom but helped cut the ransom payment in half. “In less than 48 hours, we were able to complete the settlement with a 50% reduction to the threat actor’s initial demand,” he said.

“With the decryptor in hand, they were able to restore operations and remain in business to this day. We always heavily discourage paying a threat actor, but in instances like this, it unfortunately cannot be avoided.”

Experts: Never Pay to Delete Stolen Data

The disruption of Change Healthcare and thousands of hospitals and doctors’ offices was perhaps the highest-profile ransomware attack of 2024. But the IT outage was mostly the result of Change Healthcare shutting down more than 100 widely used systems for medical services, including billing, to prevent the malware from spreading to other systems owned by its parent company, UnitedHealth Group.

But UnitedHealth Group admitted to paying a $22 million ransom to the Russian-speaking ransomware group Alphv, aka BlackCat, in exchange for a promise to delete 6 terabytes of stolen data. Soon afterward, an affiliate hit the company with a second ransom demand: BlackCat’s operators had shut down the group and kept all of the money, rather than sharing it with the affiliate who actually hacked Change Healthcare. Whether UHG paid the second demand isn’t clear (see: Change Healthcare Mega Attack: 1 Year Later).

Change Healthcare last month reported that the attack compromised the personal information of 190 million people. But the $22 million payment – made largely to suppress a data leak – is part of an alarming trend that encourages ransomware operators to go after data for ransoms. In the last quarter of 2024, the share of cases in which victims paid a ransom to prevent a data leak rose from 28% to 41% (see: Ransomware: Victims Who Pay a Ransom Drops to All-Time Low).

Ciaran Martin, former head of the U.K. National Cyber Security Centre, who has called for a government ban on ransomware payments, advises victims never to trust promises by criminal gangs to delete data. He pointed out that law enforcement agencies have found years-old data from victims that paid a ransom still sitting on data leak sites, despite promises of deletion.

“LockBit is a big example of this,” Martin said (see: LockBit and Evil Corp Targeted in Anti-Ransomware Crackdown).

Organizations should never pay for stolen data, Martin said, but he does favor negotiating for stolen data as a “bluff.”

“Negotiation for payment to avoid data leaks is fundamentally different from negotiating where business is at risk. Where businesses are at risk, I think negotiators have played a very good role bringing down the ransom, but where there is no serious risk at all, paying to prevent a data leak is a bluff,” said Martin, who currently serves as professor of practice in the management of public organizations at the University of Oxford.

Even though Royal Mail did not pay the ransom, the attack was costly. The carrier ended up paying 10 million pounds for system remediation and recovery. The company also suffered a week of service disruptions, and at one point asked customers not to send international parcels or to use private courier services instead (see: Royal Mail Starts Limited Delivery Abroad After Cyberattack).

LockBit later published some of the stolen data, including personal information, on its leak site. Staniforth was applauded for his rapid incident response to the crisis and for not paying the ransom.

“There has been much more awareness about the impact following the hack,” Staniforth said.

To Ban or Not to Ban?

Most regulators warn that ransomware will continue to thrive until victims stop paying ransoms. The U.K. government last month opened a consultation on a ransom payment ban, while the Australian government enacted mandatory reporting for ransomware attacks – including the amount of any payments made to cybercriminals.

Staniforth, who stepped down as the Royal Mail CISO in March 2023, said organizations need the flexibility to negotiate and ultimately decide whether to pay. Banning ransom payments, he said, “is a stupid idea.”

“All the big critical infrastructure industry already has enough regulation that tells them to do this stuff,” Staniforth said. “What they should be doing is punishing people and fining people for not putting those controls in place because attackers are always going to find a way around to attack.”

Speaking at a recent U.K. parliamentary hearing on a ransomware payment ban, experts said the success of any sort of ban will largely depend on its implementation.

“Anything that the government can do to force victims to be a little bit more deliberate about their decision-making around ransom payments would be positive. But ultimately, the goal should be making organizations more resilient in the first place,” said Jamie MacColl, research fellow in cyberthreats and cybersecurity at the Royal United Services Institute (see: UK Lawmakers Don’t Hear Fervor for Ransomware Payment Ban).

But even under government restrictions, a ransomware negotiator can add value, North said.

“There is value in having a negotiator walk you through the process even if there is no intention of paying the threat actor. Important information can be gleaned. This information helps to inform and accelerate other parallel workstreams, such as forensics and the legal assessment of notification requirements,” North said.
