August 17, 2023

Understanding the Costs of Incident Response: Ransom Payments

The next big piece in understanding the costs of incident response can also be the most controversial: ransom payments. Do you pay or not? Is the demand proportionate to the cost of recovery or to the sensitivity of the data that was taken? Will paying actually make recovery easier? Attackers have become increasingly sophisticated, locating and wiping backups before they detonate, which leaves many organizations with few options.

Adding to the difficulty answering these questions is the fact that ransom demands have risen significantly over the past couple of years – ransoms that were $50k jumped to $500k and we often see ransoms going into the millions, making this one of the costs that can be the most difficult to plan for.  

So, what happens after a victim decides they are willing to pay the ransom? The first step is to engage professional investigators and negotiators. These experts, dedicated full-time to such negotiations, possess invaluable knowledge and a wealth of data to maximize positive outcomes. They employ a structured framework and strategic approach, leveraging personas and understanding different attacker groups to minimize the ransom amount.

Another crucial action these negotiators take is establishing real “proof of life”: before any money moves, the attacker is asked to decrypt sample files that the victim selects, so the victim can confirm the group actually holds a working key for this environment. Paying a ransom without that assurance is a nightmare scenario. Negotiators also work the initial demand down, especially with more sophisticated groups that size their demand as a significant percentage of the victim's annual revenue, and they can often achieve substantial reductions.

It's also worth noting that some ransomware actors deliberately hunt for specific information in the victim's environment, such as financial statements and cyber insurance policies, to size and justify their initial demand. Attackers are not oblivious; they are adept at maximizing their profits. This underscores the importance of having seasoned professionals lead these negotiations to help guide the conversation and find the strategy that minimizes the ransom amount.

While paying the ransom may be the only way forward in some cases, we want to dispel the misconception that paying is an “easy” button that quickly solves the problem. You may get a decryptor, but there is no guarantee it will work well. Keep in mind that a decryptor is software written by criminals who do not have your best interests in mind: it is not going to be fast, it is going to be buggy, and there is no support or documentation. Every decrypted file still has to be validated before it goes back into production. Significant effort and cost still go into recovery, which will be the topic of our next post.
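The proof-of-life and decryptor-validation checks described above can be scripted. The following is an added example, not MOXFIVE's tooling or code from this post. It assumes the ransomware appends a `.locked` suffix to encrypted files, that pre-incident SHA-256 hashes exist for some files (from backups or file-integrity monitoring), and that the attacker returns decrypted samples as bytes; the file names and contents are constructed for the example. The victim, not the attacker, chooses the sample, spread across file types, so a decryptor that only handles some formats is caught early.

```python
"""Victim-side proof-of-decryption check (added example, constructed data)."""
import hashlib
import random

# Assumed ransomware suffix; adjust to the real one seen in the incident.
RANSOM_SUFFIX = ".locked"

# Leading bytes of common formats, used only when no known-good hash exists.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}


def original_name(path, ransom_suffix=RANSOM_SUFFIX):
    """Strip the appended ransomware suffix to recover the original file name."""
    return path[: -len(ransom_suffix)] if path.endswith(ransom_suffix) else path


def ext_of(name):
    i = name.rfind(".")
    return name[i:].lower() if i >= 0 else ""


def choose_sample(encrypted_paths, per_type=1, seed=None):
    """Victim-chosen sample: up to per_type files for every extension present.

    Spreading across file types catches a decryptor that only works on some
    formats. The rng seed exists only to make the selection reproducible.
    """
    rng = random.Random(seed)
    by_ext = {}
    for p in encrypted_paths:
        by_ext.setdefault(ext_of(original_name(p)), []).append(p)
    sample = []
    for ext in sorted(by_ext):
        files = sorted(by_ext[ext])
        sample.extend(rng.sample(files, min(per_type, len(files))))
    return sample


def verify_decrypted(name, data, known_hashes):
    """Return (ok, reason) for one returned file.

    A pre-incident hash gives a strong check. Without one, only the file's
    magic bytes can be tested, which is a weak check and is reported as such.
    """
    if not data:
        return False, "empty output"
    expected = known_hashes.get(name)
    if expected is not None:
        got = hashlib.sha256(data).hexdigest()
        return (got == expected, "sha256 match" if got == expected else "sha256 mismatch")
    magic = MAGIC.get(ext_of(name))
    if magic is None:
        return False, "no known hash and no magic for type; needs manual review"
    if data.startswith(magic):
        return True, "magic bytes only (weak check)"
    return False, "magic bytes wrong"


def run_proof_of_life(encrypted_paths, returned, known_hashes, seed=None):
    """returned maps original file name -> bytes the attacker sent back.

    Every sampled file is accounted for: a file the attacker silently skipped
    is a failure, not an omission.
    """
    results = {}
    for enc in choose_sample(encrypted_paths, seed=seed):
        name = original_name(enc)
        data = returned.get(name)
        if data is None:
            results[name] = (False, "attacker did not return this file")
        else:
            results[name] = verify_decrypted(name, data, known_hashes)
    return results


# Constructed sample data, not real files from any incident.
REPORT = b"%PDF-1.7\n% constructed quarterly report\n%%EOF\n"
LOGO = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
ENCRYPTED = [
    "fin/report.pdf.locked",
    "fin/budget.xlsx.locked",
    "web/logo.png.locked",
    "hr/notes.txt.locked",
]
# Only the report has a pre-incident hash (e.g. from backup catalog or FIM).
KNOWN_HASHES = {"fin/report.pdf": hashlib.sha256(REPORT).hexdigest()}
# What came back: report intact, logo plausible, budget garbage, notes missing.
RETURNED = {
    "fin/report.pdf": REPORT,
    "web/logo.png": LOGO,
    "fin/budget.xlsx": b"\x00\x00garbage",
}

if __name__ == "__main__":
    for name, (ok, why) in run_proof_of_life(ENCRYPTED, RETURNED, KNOWN_HASHES, seed=1).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {why}")
```

The same `verify_decrypted` check is what you run at scale once a purchased decryptor has been through a file share: a PDF that opens is not proof that the spreadsheet next to it was decrypted correctly, and a file with no known hash and the right magic bytes still needs a human or the application to open it before it is trusted.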



James Gimbi

James Gimbi brings over ten years of breach response, cybersecurity strategy, and public interest technology experience to MOXFIVE. He has investigated state-sponsored and criminal cyber attacks across defense, finance, healthcare, and government, and advanced bipartisan privacy and technology initiatives as a policy advisor in the US Senate. James's blended expertise helps corporate and federal leaders reduce cyber risk and tackle complex threats.
