Ransomware Negotiations

Ransomware attacks are devastating because they are malware attacks that deny victims access to their systems and personal information. For the victim to regain access to their systems, there is often a ransom demand, payable in cryptocurrency or through other hard-to-trace channels. Even after paying the ransom, there is no absolute certainty that the victim will get all their data restored or that it will not be leaked into the wild.

Ransomware has become an attractive crime because of the low risk and the lack of harsh punishments for these offenses. This attack vector is only likely to rise and thus be a menace to government institutions and corporations. Ransomware spreads most commonly via targeted email phishing, spam, and malicious code in web applications. Once an unsuspecting user opens the attachment or clicks the link, the ransomware can infect the victim’s computer and spread throughout the network.


Although law enforcement agents advise against paying ransom, this presents a dilemma for victims, especially in cases where there is insufficient backup or where it may take too long to recover applications and data. In most cases, the leakage of the hijacked information into the wild would have a serious financial, reputational, regulatory, and legal impact on their operations. All these risks have to be weighed against resorting to paying the ransom.

Based on a comprehensive risk assessment, PROTECT IT negotiators will assist senior managers in coming to an informed decision about whether to pay or not to pay the ransom. In cases where the decision has been made to pay, we facilitate the negotiation with the attackers in order to understand their requirements and to come to an amicable agreement with the victims.

The process we usually follow is:

  • Identifying the value of the data for which ransom is demanded.
  • Identifying the readiness of your backup and the speed with which data can be recovered.
  • Assessing the decision to pay or not to pay.
  • Engaging with the attackers.
  • Negotiating the terms on which the compromise will be based.
  • Coming to a conclusion on the method and time of payment.
  • Gaining reasonable assurances against the possibility of subsequent attacks and the security of the data they currently have.
  • Recommending effective controls to prevent further attacks.