Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic; the filters can be used to further select the content most relevant to you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Ransomware negotiation economics; an increasingly relevant topic
The research looked at how opponents use economic models to maximize their profits. It also examined the victims' position during the negotiation phase and the strategies ransomware victims can use to level the playing field as much as possible. For this, more than seven hundred attacker-victim negotiations were collected between 2019 and 2020.
The ransomware groups investigated were among the most notorious. The researchers had access to the negotiation process between these groups and their victims and, in addition, a large amount of data was examined. The negotiations under investigation were partly conducted by a negotiator and partly handled by the victim itself. In many cases, however, it was not clear which, because a negotiator does not always indicate that he is from an external party.
The attacker wants negotiations to yield maximum profit, while the victim wants to pay as little as possible. The researchers saw that, after negotiating, victims managed to obtain a 'discount' (the term used by the attackers) of between 10% and 90%. In two thirds of the cases examined, this discount was more than 50%. Once payment had been made, the ransomware groups investigated adhered to the agreements made in all cases. However, in one of every two cases, the decryptor that was sent was not very efficient, which led to calling on an external specialist to build a better one.
We also found that the same attackers (at least until now) have not come back to try again. What was found was a rare case where two groups had gained entry to the same victim at the same time and agreed to divide the loot.
The importance of time
In addition to money, time is also of the essence to both the victim and the attacker. The attacker wants to collect the ransom amount demanded as soon as possible. The victim needs time to map out exactly what happened and what sensitive data may have been obtained by the attacker. But the victim also needs time to collect the ransom (in bitcoins), and the attacker knows that too. The attacker therefore pressures the victim to pay as soon as possible, for example by threatening to leak documents or by threatening to double the ransom if payment is not made before a certain deadline. In many of the cases investigated, the attacker remained willing to extend the deadline. This is to the advantage of the victim and provides more time to map out the situation and work out different strategies.
Perhaps the most important outcome of the study is that, despite the uneven playing field, victims are not completely powerless. The research report provides a comprehensive overview of the strategies victims can follow to minimize some of the adversary's advantages, as well as practical tips about the negotiation process itself, all illustrated with examples from practice.