As ransomware is increasingly profitable, it is the obvious choice for many gangs. With the potential to wreak havoc on any organization, the average cost of a ransomware scam soared from $761,106 in 2020 to $1.85 million this year, per the Sophos State of Ransomware 2021 report. Beyond the ransom, victims must shoulder the heavy burden of business interruption, insurance policy consequences, mitigation, potential regulatory fines, third-party crossover harm and reputational damage. 

Attacks are increasingly sophisticated, often involve multiple criminal gangs, and leave many organizations feeling like they have little choice but to pay up. As many as 56% of victims pay the ransom; whether they pay or not, only 29% of victims are able to restore all of their encrypted files; some sources peg that figure at eight percent.

Every organization must prepare for this threat. The question is how best to do it. As an added measure, we can turn to an unlikely source for advice on avoiding a ransomware attack – the criminals themselves. 



While ransomware has been with us for 30 years, the scale, tools and ecosystem have evolved. Ransomware as a service is a popular model. Cybercriminals will infect thousands of devices with malware and offer other criminals the chance to load whatever they want onto systems for a fee. Help Desks are set up to support anyone who licenses these ransomware services, which means attackers don’t need any special technical skills. That technical support even extends to victims for guidance on paying ransoms.


Negotiating with Cybercriminals and the “Double Attack”

Most help desks, or support forums, are publicly accessible and reveal the full extent of ransomware negotiations. They are a vital source of information because victims often avoid disclosing their ransomware plight. We now know that victims frequently suffer a double ransomware attack. They may negotiate and pay a ransom to get a decryption key to liberate their files, only to be extorted for another fee under the threat their confidential data will be publicly dumped for all to see. Any cybersecurity insurance policy they hold, which may cover the decryption ransom, will not cover a second payment to prevent data exposure.

It gets worse. Organizations that choose to pay may be penalized for sending funds to cybercriminal groups and state-sponsored hacktivists from economically sanctioned countries blacklisted by U.S. authorities. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has issued a ransomware payment advisory that makes this explicit. Large fines on top of two ransom payments, before you factor in the cost of improving your defenses, not only delay mitigation but could disrupt organizational integrity for years.

Many victims are driven out of business entirely. Consider also that 80% of companies that paid a ransom were attacked again. Most suspected that the same criminal gang was behind the second attack, but attackers could also share or sell intelligence on soft targets.


Devising an Incident Response Plan 

Clarity about what needs to be done will defuse panic and minimize disruption. There’s lots of good advice online, and the Cybersecurity & Infrastructure Security Agency is a great place to start. As FBI Supervisory Special Agent Doug Domin, a 20-year veteran of the Boston Criminal Computer Intrusion Squad, told me in a recent webinar, every ransomware plan should include information for contacting the FBI, whether it’s your local field office, CyWatch, or the Internet Crime Complaint Center.

While the FBI’s support and advice could prove invaluable for mitigation efforts, you’ll want to consider recommendations from actual criminals. 


Real-life Tips from Ransomware Extortionists

Attackers use support sites to communicate with targets, even hand-holding victims on converting fiat money and transferring it into crypto. Ransomware negotiators from incident response teams use these platforms to negotiate terms and lower settlements. 

Reuters reported a Ragnar Locker ransomware attack on CWT, a $1.5 billion travel management company that counts one-third of the S&P 500 on its client list. Attackers encrypted two terabytes worth of financial and employee data from 30,000 computers, demanding $10 million.

Screen captures from the CWT-Ragnar session give the best evidence for what the extortionists themselves consider best practices to avoid a repeat attack.

As expected, general protocols that govern password etiquette were offered, such as multi-factor authentication, use of at least eight characters, monthly password updates, avoiding the use of personal information (e.g., mother’s maiden name) and comparing new passwords against published compromised ones. 

What follows (verbatim) are eight security tips the Ragnar group directly suggested to the CWT negotiator: 

  • “Write in a ‘real’ programming language.”
  • “Watch for misconfigured firewalls and secure vulnerable ports.”
  • “Approve to run only necessary applications ONLY.” 
  • “Force end of administrator’s sessions.”

Other suggestions the criminals shared included:

  • “Employ the right people. For huge companies, we suggest at least three system administrators working 24 hours maximum for admin’s working three shifts for eight hours per day that would be enough.”
  • “Check for granted privileges for users, to make them maximum reduce privileges and access only to exact applications. In most cases, there would be enough standard Windows software like an Applocker.”
  • “Don’t count on antivirus, there is no one A.V. that really helps, they can be useful only in long-term infections if hackers for some reasons didn’t attack in short time.”
  • “Install Endpoint Detection and Response security (EDR) and teach the IT-admin to work with it.”
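As an added example of the allowlisting and reduced-privilege tips above (this is not code from the article or from the negotiators), the following PowerShell script builds an AppLocker allowlist from what is already installed, deploys it in audit mode first, and shows which audit events to review before enforcing. It assumes a Windows edition that ships the AppLocker module, administrator rights, and constructed paths for the trusted directories, the policy file and the probe file.

```powershell
# Added example: derive an AppLocker allowlist from installed software, deploy it
# in AuditOnly mode, and review what it would have blocked before enforcing.
# Assumes Windows 10/11 Enterprise or Windows Server with the AppLocker module, run as admin.
Import-Module AppLocker

# Constructed paths: directories whose executables and scripts are trusted,
# and a scratch location for the generated policy file.
$trustedDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$policyPath  = 'C:\Temp\applocker-audit.xml'

# Inventory executables and scripts, then derive rules: publisher rules for signed
# files, hash rules for unsigned ones. -Optimize collapses redundant rules.
$fileInfo = foreach ($dir in $trustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
}
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# Start in AuditOnly so a missing rule produces an event instead of an outage.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($policyPath)

# Offline check before deploying: what would the policy decide for a binary
# dropped into a user-writable folder? (constructed path)
$probe = 'C:\Users\Public\Downloads\unknown-tool.exe'
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone |
    Format-Table -AutoSize FilePath, PolicyDecision, MatchingRule

# Apply locally. The Application Identity service must be running for AppLocker
# to evaluate rules at all.
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# Review: event ID 8003 means "ran only because the collection is in audit mode",
# i.e. it would have been blocked under Enforce. Clear these findings, then switch
# EnforcementMode to 'Enabled' and redeploy.
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
Get-WinEvent -FilterHashtable @{ LogName = $logs; Id = 8003 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap
```

Rules generated this way apply to Everyone; pair them with a separate, narrower collection for administrators so that privileged accounts do not inherit a broader allowlist than standard users.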

Ultimately, it may prove impossible to prevent a ransomware attack, but cybercriminals will always pick the path of least resistance. If you can make your organization a more challenging target, you can drastically reduce the risk of falling victim.