Four insights from a full-time ransomware negotiator

You’ve been hacked and the hackers are demanding a ransom. So you call a full-time ransomware negotiator. But how do you negotiate with cybercriminals?

Text: William Visterin. Image: Envato.

Geert Baudewijns of Secutec has conducted four hundred negotiations with hackers, from the home script-kiddie to professional gangs. He has written a book about his experiences, ‘Negotiating In The Dark’, in which he shares these observations.

1. Paying the ransom is usually inevitable

‘My main task is to get the amount of the ransom down. Because you will almost always pay,’ is Baudewijns’ premise. Some organisations refuse to pay ransoms on ethical grounds. ‘Based on the so-called wall of shame of ransomware groups, we see that seven out of ten victims pay. Once you pay, you basically disappear from such a wall.’

There is also a practical consideration at play. ‘Most companies have recovered their data faster after paying a ransom than through their own restore.’ Often, ‘if you don’t pay, there’s a chance you’ll go out of business.’

The ransoms demanded by hackers (usually payable in bitcoin) are typically based on turnover figures. ‘For a small business with around 30 to 100 employees, you should be looking at €50,000 to €150,000.’ But turnover figures say little about profit. ‘If hackers know your profit figures, you are in a difficult negotiating position. Because they know how much you can really pay.’

2. More than ransom: four negotiation objectives

In each negotiation – which lasts an average of one and a half weeks – Baudewijns has four objectives. ‘The first is to keep the price as low as possible for the client, and the second is to get the right keys to decrypt the data, starting with the most important data.’

But the other goals are perhaps even more important. ‘The most important is to find out exactly what data the hackers have stolen and copied, so that the customer can better assess the risk,’ he says. ‘And the fourth, also very important, is to get down in full how the hackers got in, so that we can secure those vulnerabilities in the system.’

3. Making data public is not a disaster

Many companies shudder at the thought of hackers making company data public. According to Baudewijns, that fear is often unjustified. After all, hackers cannot simply put company data on the open Internet because of the risk of being identified. So this confidential data ends up on the darknet, where it is much harder to track down. ‘You can also only download data much more slowly on the darknet.’

Making public is even a negotiating tactic. ‘If I can convince the customer to publish his data, I am stronger as a negotiator against the hackers.’

4. Expect a slow recovery

Many people think that once the encryption keys have been handed over, everything will soon be back to normal. ‘But it doesn’t work that way. The software that hackers use to encrypt uses the full power of the server. Decryption software only works at ten per cent of that. So it takes a lot longer,’ he argues.

Decrypting data is only one part. ‘Moreover, you also have to rebuild the network, otherwise the hacker will be back inside in no time.’

Geert Baudewijns, CEO/Founder of Secutec.

Negotiating In The Dark – How Millions Are Lost Every Day To Cyber Criminals And Their Networks – A Top Negotiator Testifies, by Geert Baudewijns, Lannoo Campus, 240 pages.