Inside the World of Ransomware Negotiations
A world-renowned ransomware responder and negotiator, Kurtis Minder, has spent two decades tracking threat actors and negotiating with cybercriminals on behalf of companies fighting for survival. The Co-Founder and CEO of GroupSense and author of “Cyber Recon: My Life in Cyber Espionage and Ransomware Negotiation” says that behind every attack, real people pay the price.
How did you get into ransomware negotiation?
By accident. The initial case, I turned down when I was asked. Instead, I referred the client to someone else. But that person, the negotiator, didn't show up to any of the meetings. The software company was in a hurry, so I tried, and I was successful. Afterwards, the insurance company called me: can we do more of that? Later the negotiations became more professional, more complex. It snowballed from there.
People might imagine it is just you and the hacker on opposing sides. How many parties are actually involved?
A lot of people oversimplify that. You have quite a few parties to manage: the victim, the cybersecurity company, lawyers, insurance, incident response—and the bad guys. You need to keep everyone happy. It is the most soft-skills-intensive work there is, bar none.
What is it like dealing with the victims?
Emotions vary enormously. Imagine a small company, a family that spent years building their business. It became their entire life, and ransomware threatens to ruin it all overnight. Or you walk into a boardroom of a large company and leadership is angry, lawyers telling you not to do anything. It is very seldom calm, at least initially.
What kind of real-world harm are we talking about in ransomware incidents?
Think about a 200-year-old family-owned company in a small community in the middle of the US. When such a business is impacted by ransomware, they get locked out—and with them half the town that works for that company. It does not just impact the business. It impacts the whole community. And that is something people just do not get, and they never account for it. These companies are the financial backbone of their communities, and this happens every day.
Then there are attacks on medical facilities. X-rays, radiology, patient monitoring are all affected. We are talking about direct impacts on people's health.
Are any sectors targeted more than others?
It can look that way, but in reality, these attacks are more opportunistic than people think. You see a series of attacks in logistics, for example. But what is really happening is a threat actor attacks one supplier, extracts their data, and uses it to attack the next company in the chain. It looks like a vertical focus, but cybercriminal gangs are using intelligence from the previous attack. That said, manufacturing, logistics, and healthcare can be particularly vulnerable.
What is it like negotiating with cybercriminals?
It depends on the perpetrator. In the early years, it felt like you could reason with them. Renegotiate fees more easily. There was almost a strange professionalism to it. But they have since made so much money that they will walk away from a six-figure payoff just to prove a point.
New groups keep emerging too, and they do not have the same “brand recognition”. Which raises the question on the victim's side: how do I know I can trust them? Even though we are still speaking about criminals.
And how do you answer that?
It comes down to their criminal “business model”. For the groups with a high volume of victims, it is a numbers game. Once they have that model running, they have guaranteed income. A single victim matters less. The ones who are most likely to follow through are the ones who have the most to lose reputationally.
But here is the hard truth: the incident happening to you is the most important thing in your universe. To them, it is Tuesday. They may take their weekend off while your systems are completely down. The people on the other side of the world simply do not give a damn about your pain.
What happens after a ransom is paid?
People assume paying is the end. It is not even close. Every system still needs to be decrypted, and that can take hours per machine. For a mid-size company with an already exhausted IT staff—who now need to get back to work right after the overtime during the attack—the toll on morale is enormous.
And then there is the CISO. Full trauma, sometimes for a month or longer. They had incident response plans, insurance, all the right measures in place, and it still happened. That guilt is real.
Public sector victims—are they different from private companies?
Very different. They are extremely hesitant to engage with threat actors at all. A company, even if it were technically illegal, would often just pay. But a school superintendent? Far more hesitant. Large municipalities will sometimes choose to rebuild everything even when it costs significantly more.
And there is a shadow industry that exploits exactly that. Data recovery companies who offer what they claim is “special decryption software”. What they actually do is buy the decryptor from the bad guys and sell it to the municipality. The municipality pays, stays away from the bad guys on paper, and law enforcement is none the wiser.
Has doing ransomware negotiations taken a personal toll on you?
I underestimated how emotionally exhausting this is when you do this kind of work continuously. Multiple cases at the same time, over many years. No business hours. Your holidays and weekends are interrupted. It is relentless.
What would you want policymakers to understand?
A lot of what is happening is effectively cyberwarfare. These are non-state actors doing the bidding of other economies—stealing money and moving it elsewhere, to support a foreign budget and government. And we are expecting small businesses to defend themselves against an army of cybercriminals. It is fundamentally unfair. These companies are outgunned and outnumbered.
If a country were dropping soldiers on our soil, the military would come to save them. The digital version of that happens every day, and these businesses are left entirely on their own.
There is a cyber poverty line, and most companies fall below it. They cannot afford the tools, and they cannot afford the people to operate them. Until we reckon with that, we are setting them up to fail.
Kurtis Minder, Ransomware Negotiator