How to negotiate when hackers are holding you to ransom?

According to online-security giant Symantec, over $4 billion in ransom money was paid to hackers in 2013. Estimates suggest that this number has increased significantly since. Like any negotiation, cyber-extortion negotiation is a dialogue in which a decision has to be made: do you pay the ransom money or do you pay the price of not making a deal? If you decide to negotiate, how do you improve the decision-making dynamics?

One of the major mistakes that enterprises and IT managers make is to assume that negotiation with a hacker is similar to bargaining with an angry business partner or a disappointed customer. Bargaining with cyber criminals entails a combination of three unique elements: a high level of uncertainty, an internal "blame game" dynamic that distorts the decision-making process and, above all, the inability to assess the cost of no deal.

The cost of no deal, or WATNA in negotiation terms (Worst Alternative To a Negotiated Agreement), should be considered in three ways:

  1. Potential damage to the company's technological infrastructure
  2. Potential, and likely, damage to services provided by the company
  3. Potential damage to the company's reputation and brand

In addition, if you pay the ransom it’s impossible to know whether the hacker has made copies of your data or left backdoors into the system. Furthermore, in virtual negotiations, unlike real-world situations, it's almost impossible to find points of leverage with professional hackers. A survey by ThreatTrack Security shows that IT managers in the most hacked industries – finance and health – tend not to hand over ransom money. In other words, they are willing to pay the cost of no deal.

Three rules to follow in any cyber-extortion negotiation:

  1. Negotiate as if you don’t know what the hacker possesses. The hacker will never reveal all of his assets, your IT personnel might not disclose the full severity of the damage to the system, and owners' and shareholders' conflicting interests may colour what you are told. The operational consequence of this uncertainty is that the hacker should be treated with professional respect, because the information he holds will always be more accurate, relevant and meaningful than the information the negotiator holds.

  2. Make sure the negotiation is synchronised across the entire crisis team: security personnel (intelligence, forensics and investigators), legal advisors, public-relations experts, your insurers and so on. A professional negotiator will have to navigate these different actors, who sometimes have conflicting interests.

  3. Even experienced hostage negotiators have to adapt to the rapid pace of cyber-extortion negotiations. The process should be carried out quickly, especially when a deal is possible: hackers always act under time constraints to avoid exposure, and the longer the negotiation lasts, the more the risk increases. Hesitation becomes a liability if the hacker grows uncomfortable with the pace. Make sure that your professional negotiator is working not only to reduce the ransom and provide an adequate assessment of the terms, but also to reduce the price of a "no deal".


Monday 15 May 2017