Security Magazine

Attackers help victims pay their ransoms, even offer tips to prevent future attack

By Etay Maor
August 23, 2021

Ransomware is increasingly profitable, which makes it the obvious choice for many gangs. It can wreak havoc on any organization: the average cost of a ransomware scam soared from $761,106 in 2020 to $1.85 million this year, per the Sophos State of Ransomware 2021 report. Beyond the ransom, victims must shoulder the heavy burden of business interruption, insurance policy consequences, mitigation, potential regulatory fines, third-party crossover harm and reputational damage.

Attacks are increasingly sophisticated, often involve multiple criminal gangs, and leave many organizations feeling like they have little choice but to pay up. As many as 56% of victims pay the ransom; whether they pay or not, only 29% of victims are able to restore all of their encrypted files; some sources peg that figure at eight percent.

Every organization must prepare for this threat. The question is how best to do it. As an added measure, we can turn to an unlikely source for advice on avoiding a ransomware attack – the criminals themselves.

Ransomware-as-a-Service

While ransomware has been with us for 30 years, the scale, tools and ecosystem have evolved. Ransomware as a service is a popular model. Cybercriminals will infect thousands of devices with malware and offer other criminals the chance to load whatever they want onto systems for a fee. Help desks are set up to support anyone who licenses these ransomware services, which means attackers don’t need any special technical skills. That technical support even extends to victims for guidance on paying ransoms.

Negotiating with Cybercriminals and the “Double Attack”

Most help desks, or support forums, are publicly accessible and reveal the full extent of ransomware negotiations. They are a vital source of information because victims often avoid disclosing their ransomware plight. We now know that victims frequently suffer a double ransomware attack. They may negotiate and pay a ransom to get a decryption key to liberate their files, only to be extorted for another fee under the threat their confidential data will be publicly dumped for all to see. Any cybersecurity insurance policy they hold, which may cover the decryption ransom, will not cover a second payment to prevent data exposure.

It gets worse. Organizations that choose to pay may be penalized for sending funds to cybercriminal groups and state-sponsored hacktivists from economically sanctioned countries blacklisted by U.S. authorities. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) clarifies this in its ransomware payment advisory. Large fines on top of two ransom payments, before you factor in the cost of improving your defenses, not only delay mitigation but could disrupt organizational integrity for years.

Many victims are driven out of business entirely. Consider also that 80% of companies that paid a ransom were attacked again. Most suspected that the same criminal gang was behind the second attack, but attackers could also share or sell intelligence on soft targets.

Devising an Incident Response Plan 

Clarity about what needs to be done will defuse panic and minimize disruption. There’s lots of good advice online, and the Cybersecurity & Infrastructure Security Agency is a great place to start. As FBI Supervisory Special Agent Doug Domin, a 20-year veteran of the Boston Criminal Computer Intrusion Squad, told me in a recent webinar, every ransomware plan should include information for contacting the FBI, whether it’s your local field office, CyWatch, or the Internet Crime Complaint Center. 

While the FBI’s support and advice could prove invaluable for mitigation efforts, you’ll want to consider recommendations from actual criminals.

Real-life Tips from Ransomware Extortionists

Attackers use support sites to communicate with targets, even hand-holding victims on converting fiat money and transferring it into crypto. Ransomware negotiators from incident response teams use these platforms to negotiate terms and lower settlements. 

Reuters reported a Ragnar Locker ransomware attack on CWT, a $1.5 billion travel management company that counts one-third of the S&P 500 on its client list. Attackers encrypted two terabytes worth of financial and employee data from 30,000 computers, demanding $10 million.

Screen captures from the CWT-Ragnar session give the best evidence for what the extortionists themselves consider best practices to avoid a repeat attack.

As expected, general protocols that govern password etiquette were offered, such as multi-factor authentication, use of at least eight characters, monthly password updates, avoiding the use of personal information (e.g., mother’s maiden name) and comparing new passwords against published compromised ones. 
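An added example (not from the article or from the CWT negotiation) of screening a new password against three of the rules above: the eight-character minimum, no personal information, and comparison with published compromised passwords. The breached-password sample, the profile fields and all function names are constructed for illustration.

```python
import hashlib
import re

MIN_LENGTH = 8  # "at least eight characters", per the article

# Constructed sample; a real deployment would load a published breach corpus.
SAMPLE_BREACHED = ["password1", "Summer2021!", "qwerty123", "letmein!!"]


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Map 5-character SHA-1 prefix -> set of 35-character suffixes."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_breached(password, index):
    """Compare by hash bucket; the index holds hashes only, never plaintext."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def personal_tokens(profile):
    """Lower-cased words of 3+ characters taken from the user's profile."""
    tokens = set()
    for value in profile.values():
        words = re.split(r"[^a-z0-9]+", value.lower())
        tokens.update(w for w in words if len(w) >= 3)
    return tokens


def screen_password(password, profile, index):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    lowered = password.lower()
    if any(tok in lowered for tok in personal_tokens(profile)):
        problems.append("contains_personal_info")
    if is_breached(password, index):
        problems.append("known_compromised")
    return problems
```

Grouping hashes by a short prefix lets the breach comparison run against a corpus that never stores or exchanges the plaintext candidates.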

What follows (verbatim) are eight security tips the Ragnar group directly suggested to the CWT negotiator: 

  • “Write in a ‘real’ programming language.”
  • “Watch for misconfigured firewalls and secure vulnerable ports.”
  • “Approve to run only necessary applications ONLY.” 
  • “Force end of administrator’s sessions.”

Other suggestions the criminals shared included:

  • “Employ the right people. For huge companies, we suggest at least three system administrators working 24 hours maximum for admin’s working three shifts for eight hours per day that would be enough.”
  • “Check for granted privileges for users, to make them maximum reduce privileges and access only to exact applications. In most cases, there would be enough standard Windows software like an Applocker.”
  • “Don’t count on antivirus, there is no one A.V. that really helps, they can be useful only in long-term infections if hackers for some reasons didn’t attack in short time.”
  • “Install Endpoint Detection and Response security (EDR) and teach the IT-admin to work with it.”

Ultimately, it may prove impossible to prevent a ransomware attack, but cybercriminals will always pick the path of least resistance. If you can make your organization a more challenging target, you can drastically reduce the risk of falling victim. 


Etay Maor is the Senior Director of Security Strategy for Cato Networks. Previously, Maor was the Chief Security Officer for IntSights, where he led strategic cybersecurity research and security services. Maor has also held senior security positions at IBM, where he created and led breach response training and security research, and RSA Security’s Cyber Threats Research Labs, where he managed malware research and intelligence teams. Maor is an adjunct professor at Boston College and is part of Call for Paper (CFP) committees for the RSA Conference and QuBits Conference. He holds a BA in Computer Science and a MA in Counter-Terrorism and Cyber-Terrorism.
