Ransomware: the professional negotiator’s role

For an article published on December 29, 2023 in Numerama, journalist Bogdan Bodnar met with an expert cybercrime negotiator, Mike. The man works for a crisis management company specialized in communicating with criminals, in cases of hostage-taking, kidnappings and, since 2016, cyberattacks, specifically ransomware.

Mike gives us a behind-the-scenes look at his profession. The negotiator always starts by identifying the cybercriminals he is dealing with, their MO, their habits, and the ways they have reacted in the past. The second step is assessing the situation.

“Let’s start with a reminder that the rule is to not pay the hackers. We must therefore ensure everything is implemented to avoid this outcome. We have to be both quick, since downtime costs money, and careful, to get a grasp on what exactly the hacker is in possession of. Once the full assessment is carried out, we ask ourselves the ultimate question: do we have to pay the ransom?”, explains Mike.

The negotiation itself can then begin. The expert advises victims to not communicate directly with cybercriminals in order to avoid giving them an advantage. “When our experts enter a negotiation, they act (…) as if a life was at stake. Exchanges sometimes closely resemble those in a kidnapping,” explains Mike.

The expert explains that ransomware gangs generally have well-established, predictable, negotiating methods. “They work like businesses and, in exchanges, you understand they have one individual dedicated to negotiating in English, for example. (…) If there isn’t some rigor to the discussions and the results one might expect, then no one will want to pay, because they will not be considered trustworthy,” he points out.

“The conversation remains polite and relatively professional. We cannot disclose the arguments we use against hackers, as we do not want them anticipating our tactics,” concluded the expert.