header image

Who Is Holding Your Data for Ransom?

S-RM 11 March 2020
11 March 2020    S-RM

Cyber Incident Response: Perspectives from Inside the Risk Ecosystem

In our latest report, we examine a cyber incident from the perspective of several key stakeholders.

Download the report

S-RM works closely with ransomware specialist firm, Coveware. We spoke with Coveware CEO Bill Siegel on communicating and negotiating with cybercriminals.

When faced with a ransomware attack, the question of whether or not an organisation should pay or negotiate with the attacker always arises. However, one of the reasons these types of attacks are very successful is that the value of the encrypted data, for the target, is so high that not paying up could result in a full business shutdown or severely disrupt operations. Gaining some key insights into who your attacker is can help targets answer that question more confidently, and even determine whether negotiating the ransom amount downward is a plausible option.

Coveware is a cyber incident response firm with the narrow specialisation of assisting enterprises through cyber extortion events, such as a ransomware attack or data exfiltration. They focus on dealing directly with threat actors:  ‘We use a multitude of personas and communication methods depending on the case we are working on,’ says CEO Bill Siegel, ‘and we build detailed profiles on each actor so that we can leverage our prior experience for our clients’ benefit.’

Coveware’s dataset includes details of past attacks by various different threat actors, including ransom amounts demanded, their history of negotiations, and how often they decrypt data once payment is made. ‘Given the volume of incidents we handle, we can see the trends and changes to the tactics used over time’ says Siegel. Coveware’s datasets reveal unique insights into the mindsets and likely behaviours of specific group/s.

Ransomware Market Share (%) by Type Q4 2019


Some cybercriminals will deploy ransomware indiscriminately to as many targets as possible, and essentially play a numbers game, demanding the same ransom amount from all targets and counting on at least some of them paying up. They would rather not spend time negotiating with individual targets – time that could be better spent infecting new ones.

Where you are more likely to get willing negotiators is when the cybercriminal group is doing highly targeted ransomware attacks. For example, one of the largest and most proficient ransomware groups active today are the developers of the Ryuk ransomware. Ryuk not only specifically targets organisations, but also takes the time to work out how much they can pay. There is quite a bit of obscurity around who this group is and whether it is state-sponsored, but they are certainly very well-resourced.

Average Ransom Amount: Top 3 Ransomware Types


Once they have infected an organisation, they will have a look around to find out as much as they can about the company, look up their public records, determine their number of staff etc. Given their approach, Ryuk are generally open to negotiating, because they’re more targeted and are asking for much higher ransoms compared to less sophisticated, opportunistic cybercriminals. It is also because they’re more selective in their approach that they will target companies they know can’t live without their data, allowing them to demand much higher ransoms.

The negotiation process can also have an influence on the type of incident response required, which is why Coveware works collaboratively with forensic and restoration incident response firms during an attack. According to Siegel, ‘it’s important to remain in close coordination as information from the threat actor negotiation may influence remediation and vice versa.’

A key concern in the negotiation or payment decision is whether or not the attacker will indeed decrypt the target’s data once they’ve received the ransom money. This is where datasets of past attacker behaviour of the kind collated by Coveware come in particularly handy. They provide insight into the attackers’ likely behaviour, and also let attackers know that they themselves are building a track-record for behaving in a certain way. Ultimately, like any business, they have a reputation to uphold, and if they get a name for not giving victims the decryption keys they need to access their data, targets will be far less likely to pay them. It is therefore also quite common for ransomware threat actors to be incredibly helpful in terms of data decryption. They will give their victims software that is designed to decrypt the files they have encrypted and provide support, similar to what an IT support company might do.

Ultimately, the most effective way to respond to a ransomware attack is to remember that there’s an individual or group with a specific motivation, a specific objective, and a specific track record behind it. In the cybersphere the timeless maxim holds: know your enemy.

S-RM is a global risk consultancy providing intelligence, resilience and response solutions to clients worldwide. To discuss this article or other industry developments, please reach out to one of our experts.

Intelligent Business 2022 Strategic Intelligence Report

The evolution of strategic intelligence in the corporate world. Read S-RM's latest report.

Download Report