The rise of ransomware attacks directed at U.S. companies is creating demand for a new service from cybersecurity companies: ransomware negotiations.
"We did our first negotiation in June of 2020 based off of contacts that we had had with a victim of a ransomware incident," said Groupsense Director of Intelligence Operations Bryce Webster-Jacobsen. "We did a few more after that between June and September and decided to make it a formal offering because word was out that we were doing it. We were starting to get referrals from other victims that we had worked with."
Webster-Jacobsen told Newsy that the end goals of each negotiation are specific to the situation, but that a successful negotiation usually involves pushing ransom prices down and protecting victims from future attacks.
"We've seen negotiations where we've been able to get the price down to 10 percent of the original asking price," Webster-Jacobsen said. "We don't want to spend too much time in an incident focusing on the why, but to the level appropriate, providing context so that this incident and this negotiation can be an educational experience, so that the victim organization doesn't have to go through this again."
There’s some debate about whether these negotiations or payments should be banned. Paying ransoms is legal so long as the ransom, usually in the form of hard-to-trace cryptocurrencies, doesn’t go to countries like North Korea or Iran. But the FBI advises against ransom payments.
"I think the idea of banning ransom payments because they're such a financially motivated crime appears to be a really good solution. But it's not that cut and dry," said Sarah Powazek, program manager of the Ransomware Task Force at the Institute for Security and Technology.
"This concept of 'let's make paying the ransom illegal,' that's not fixing the problem. That's basically doing what happened to drugs in the United States when you make something illegal. All it does is increase supply and demand, and drive up the price. So all you're going to see is the ransom go up," said Dr. Eric Cole, founder & CEO of Secure Anchor.
Negotiators do recognize their role in keeping this ransomware supply chain alive. Worldwide, ransomware damages are expected to cost companies and governments $20 billion in 2021, according to Cybersecurity Ventures.
"Paying a ransom is putting money into the hands of those criminals. And that is a really tough pill to swallow for many of the victims that we work with. And it is, frankly, the worst part about this job: knowing that that money — especially some of the early payments that we made in Bitcoin — has now doubled or tripled in value because the currency is becoming more and more valuable," said Webster-Jacobsen.
Experts note that one way to avoid ransomware payments is for companies to put more resources toward detecting and stopping future cyber attacks, rather than defaulting to paying.
"We need to work first on securing our critical infrastructure, on providing businesses better, clearer ways to prepare and on doing a better job of actually disrupting the criminals, before we say what we're going to do is we're going to stop you from paying," said Powazek.