Content area
Ransomware attacks are a serious and growing threat based on a cybercrime business model exploiting the lack of security in many organizations. The criminal groups behind these attacks have received tens of millions of dollars in ransomware payments, as more and more organizations choose to pay to minimize disruption and the risk of further financial loss. Despite the importance of the topic, the process of ransom negotiation has remained underexplored in the literature. For this reason, the aim of this article is to provide an overview of the negotiation process and to give an insight into the inner workings of these procedures. Specifically, we will look at what happens from the time of the occurrence of a ransomware attack until the time of the decision to pay the ransom. This is followed by an analysis of the steps leading up to and during the negotiation process. Finally, a brief overview of the Conti ransomware negotiation process is provided.
Introduction
The high incidence of cyberattacks in recent years is a clear indication that the ferocity and frequency of cyberattacks are on the rise [22]. As a result, cybersecurity has become a critical issue for organizations and individuals around the world [26]. Cyber threats, such as ransomware attacks, can cause costly infrastructure disruptions and generate massive losses due to downtime, recovery costs and ransom payments [30]. Ransomware is a type of malware that typically denies victims access to their computer or data in order to extort a ransom. Ransomware attacks are carried out via malicious email attachments, compromised websites, infected external storage devices, or software applications [13]. The encrypted data remains unavailable or may even be deleted if the ransom is not paid [27]. Businesses also have to contend with the emergence of ransomware-as–a-service (RaaS), which allows ransomware to spread via the dark web. RaaS subscribers can purchase access to custom malware in the same way that users subscribe to, for example, Microsoft Office 365; in return, developers receive not only a subscription fee, but also a cut of ransomware payments. One of the most successful and widely deployed RaaS is LockBit. In 2022, it accounted for 26.09% of the total number of victim organizations [32]. For example, DarkSide, a variant of RaaS, was used in May 2021 to launch a ransomware attack against Colonial Pipeline, the largest fuel pipeline operator in the United States of America, which transports refined gasoline and jet fuel along a long route from Texas to New York. The company paid a ransom of around $ 5 million to the attackers [35].
According to Statista, in 2023, nearly 73% of businesses worldwide that had become victims of a ransomware attack paid ransoms for the recovery of data [24]. Furthermore, according to Chainalysis, ransomware gangs made approximately $449 million from victims during the first 6 months of 2023, while also noting that ransomware gangs often target large companies with strong financial positions to get the largest payouts possible [18]. The Dutch Organization for Scientific Research, which invests 1 billion euros a year to fund thousands of researchers, refused to pay a ransom, and on 24 February 2021, hackers released internal documents of the organization, and the effects spread beyond the organization to its many subsidiaries [34]. However, many companies are willing to pay a ransom. For instance, in June 2020, a group of hackers attacked the University of California San Francisco (UCSF), encrypting the institution’s servers and critical data. Cybercriminals initially demanded a $3 million ransom, but the university negotiated down the ransom, eventually paying $ 1.14 million, later revealing that no data was compromised. Therefore, there are two options for ransomware victims: loss of data or payment of the ransom. If victims lose data, the value is proportional to the hours required to recover data and rebuild network infrastructure. On the other hand, paying the ransom may leave the victim vulnerable to a future ransomware attack, either from the same or a different actor. In many cases, the victim may choose to pay the ransom in order to minimize the disruption and the risk of incurring further financial loss. It should be noted that Cryptonite ransomware effectively acts as a wiping malware, destroying encrypted files and leaving no possibility of data recovery. For this reason, researchers warn that this poorly constructed ransomware destroys files, so payment of the ransom is not recommended [21].
However, despite the importance of the issue, the process of ransom negotiation has not been the subject of sufficient discussion in the literature. The aim of this paper is therefore to contribute to this research gap by examining the way in which ransom negotiations are conducted. In doing so, it aims to provide an overview of the negotiation process and an insight into the inner workings of these procedures. Additionally, the negotiation process of one of the most aggressive and notorious ransomware groups, Conti, is explored to provide a practical perspective into the negotiation process.
The remainder of this article is structured as follows. Section 2 discusses what happens when a ransomware attack occurs. Section 3 provides an overview of the negotiation process, i.e., the steps before and during the ransom negotiation. Section 4 gives a brief overview of the ransomware negotiation process with Conti. Section 5 contains a discussion and recommendations. Final conclusions are presented in the last section.
What happens when a ransomware attack occurs?
Of course, in an ideal scenario, a ransomware attack should be the trigger for a well-thought-out disaster recovery plan. The role of incident response is to ensure the protection of the organization, its reputation and customer confidence, and to prevent a similar threat from recurring. However, in spite of the increase in the number of attacks and data leaks, organizations are often unprepared. While some large organizations may have an incident response team and a plan for dealing with cyberattacks, they may still lack some procedures for dealing with certain aspects of a ransomware attack, such as communicating externally with customers and regulators, and deciding whether to negotiate with threat actors. Typically, incident response plans often follow the common framework based on Cybersecurity and Infrastructure Agency (CISA), National Institute of Standards and Technology (NIST), and SANS Institute incident response models [15]. Incident response phases are generally divided into five steps: preparation and identification (monitoring the network to identify vulnerabilities), containment (stopping the attack before it causes damage and overwhelms resources), eradication (removing the threat and restoring affected systems to their previous state), recovery (returning affected systems and devices to the business environment after the threat has been eliminated), and learning (understanding the root cause of the attack and addressing vulnerabilities to strengthen systems against future attacks) [30].
For organizations today, it is no longer a question of if they are going to be targeted by a ransomware attack, but rather when [31]. Therefore, organizations need to know and accept this in order to prevent a ransomware attack from causing serious damage [25]. One of the first steps that can be taken in the event of a ransomware attack is to immediately disconnect the affected devices from the network in order to prevent the spread of the ransomware to other computers or devices. It is also important to identify the data affected and assess the extent of the damage, as well as the specific type of ransomware virus with which the devices have been infected. Consideration should also be given to the possibility of notification of the attack, particularly as in some regions organizations may have a legal obligation to report an attack. Australia, India, and the United States are among the countries that have introduced mandatory reporting requirements for cyber incidents. In the European Union, the Network and Information Security Directive 2.0 extends reporting requirements. Although the general requirements are in place in the European Union and the United States, specific regulations and guidance are still being developed to operationalize these laws. In the United States, this process will take until mid-2025. Under the European Union directive, each member state must have legislation in place for its implementation by October 2024. Other countries are considering similar legislation [8]. Therefore, companies need to determine whether paying the ransom is permitted under the applicable laws, otherwise they may find themselves inadvertently violating international sanctions by paying the ransom.
In addition, in the European Union, for example, many cybercriminal groups are subject to financial penalties. For example, the EU Council’s first round of restrictive sanctions identified and imposed travel bans and asset freezes on entities and individuals from Russia, China, and North Korea involved in the NotPetya, Cloud Hopper, and WannaCry cyberattacks. This means that EU individuals and entities are prohibited from making funds available to those listed [20]. This makes any payment to them illegal [2]. Furthermore, it is important that organizations do not act alone; they can seek professional help from ransomware recovery services, cybersecurity experts, and cyber emergency response teams.
Ransomware allows cyberattackers to take control of devices, then threatens to delete or release encrypted data unless the victim pays the ransom [29]. To spread and target as many victims as possible, criminals often use highly effective phishing campaigns and social engineering tactics. Attackers are also increasing the pressure on organizations to pay ransoms through data infiltration and the threat of data leakage. According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach will be $ 4.45 million in 2023, an increase of 15% over 2020 [14]. Even if the data can be recovered from a company’s backups without the company having to pay a ransom, the data can still be leaked to database sites operated by threat actors. Additionally, organizations need to be aware of the multiple extortion models used by criminals and consequently plan for and understand the possibility of double, triple, and quadruple extortion. Preventing a successful ransomware attack therefore requires a comprehensive security plan, and for many organizations this presents a significant challenge [28].
Who decides whether or not the ransom will be paid?
The decision to pay is usually made by the organizations themselves, who then contact their insurers to see if they approve. The General Counsel, the Director of Information, and the Director of Operations are usually involved in the decision-making process. Ultimately, the Chief Executive Officer (CEO) will often have an input or, in many cases, the final approval for the settlement payment [4]. In some cases, if the impact of the attack on the business is very serious, the affected organization may decide to pay regardless of whether or not its insurance covers a ransomware payment, in the hope that the money, or part of it, can be recovered from the insurance provider at a later date. Insurance companies will ask a variety of questions about the status of backups, as well as how many systems have been affected or how long it will take to restore them, before they will approve a ransomware payment [3]. They will also do research on the ransomware group to see if they are on any penalty lists; if they are, they may refuse to make the payment, as it would then be illegal. Payments for ransomware are usually made in cryptocurrency (sometimes millions of dollars in cryptocurrency), and companies often have to rely on a third party that has the infrastructure in place to make such payments. Specialist ransomware trading companies are usually the facilitators of payments on behalf of the victim [5].
How does one negotiate with cybercriminals?
Before negotiations
If an organization decides to negotiate with the attackers and pay the ransom, it is important to record all communications as well as any instructions given to pay the ransom. All of this information can be particularly useful to cybersecurity experts and law enforcement agencies during the investigation of the attack [12]. Encrypted communication channels and cryptocurrencies are often used for ransomware payments. Typically, cyberattackers offer an encrypted email or chat service to communicate. However, it should be noted that ransom payments or negotiations with cyberattackers are generally not recommended [27, 33]. Nevertheless, if an organization decides otherwise, it is important to ask cybercriminals to show the decryption key and demonstrate that it actually works by decrypting several random files. It is also important to analyze the past behavior of cybercriminals to know whether they have negotiated or provided the decryption key after receiving payment, and whether they have leverage to negotiate a lower price [33]. Organizations should also take into account that ransomware groups sometimes demand additional payments as part of double and triple extortion ransomware attacks. For example, they may demand an additional payment in exchange for the non-disclosure of exfiltrated data or the extortion of individuals or companies whose data were part of the initial attack [16].
During negotiations
The victim’s willingness to pay the ransom, which is influenced by the likelihood of subsequent data recovery and, the reliability of the cyberattacker, is the key factor in any ransomware negotiation [23]. In very rare cases, a ransomware negotiation can result in the complete disappearance of a ransom demand, but a successful negotiation can mean the difference between paying hundreds of thousands of dollars instead of millions of dollars [36]. Due to the complexity of ransomware attacks, it is often useful to seek the assistance of experts, such as criminal analysts or cybersecurity professionals, as they can help organizations with the development of a response plan and an assessment of the situation. Furthermore, ransomware negotiation services know how to work with cybercriminals and are focused on engaging with them with the aim of reducing the amount of ransom paid. As a result, they have a higher chance of achieving the desired results [16].
Ransomware groups typically tailor their ransom demands to the victim’s profile, demanding a percentage of the organization’s estimated annual revenue [10]. However, when obtained from unreliable sources without more details about the business structure, this percentage can sometimes be overestimated. For this reason, negotiators can provide the attackers with information on the true financial situation of the victim. Typically, cyberattackers provide an encrypted chat service to communicate, and all interactions with the attackers are made available to the victim organization in real time through the secure portal, allowing them to intervene and make suggestions or comments at any time.
The company needs to gather all the information about the attack and determine what data was compromised. It also needs to identify which ransomware group and what their track record is. In this way, the organization can determine the maturity level of the ransomware group and what ransom demands they have had in the past. If the cyberattacker group has compromised a higher number of organizations, it may mean that they are less patient when it comes to negotiations due to the higher number of options they have. Therefore, all of this information can dictate how the victim approaches the negotiation [34]. If the victim is able to restore some of their systems from backups, this can be used as a bargaining chip. The victim is unlikely to pay the full ransom just to decrypt the data on a few remaining systems. Furthermore, if there are only a few systems affected that can be quickly restored from backups, the victim may not even need to pay the ransom.
Time is of the essence for ransomware groups. As a result, they are often willing to negotiate, and victims frequently end up paying a lower percentage of what was originally demanded. Nevertheless, before any transaction can take place, cyberattackers must demonstrate their file decryption capabilities, usually on a sample data set. Once the payment has been made, the full record of the communication and the information about the threat agent and the transaction is retained by the victim [5].
An overview of ransomware negotiations with Conti
Conti is one of the most aggressive and notorious ransomware groups. Conti uses a RaaS attack model that works like a business. Specifically, a group of developers create ransomware, which they then distribute to affiliates they recruit to successfully deploy malware on an organization’s system. A portion of the ransom, paid in specific cryptocurrencies, is then retained by each party [6]. Affiliates allow the RaaS groups to expand on a temporary basis, hitting hundreds or even thousands of victims each year and generating a higher level of revenue. Conti uses the double extortion model, not only encrypting the victim’s files, but also stealing the files and threatening to publish them on a website or elsewhere if the initial ransom demand is not met. In other words, they may demand both a ransom for the decryption of the files and payment for the non-disclosure of the sensitive data [19].
The infiltration process usually begins with a phishing email being sent to the victim. The intruder gains initial access to the victim’s network when the victim opens the email and unwittingly executes the malicious dropper [1]. The next step is the launch of the ransomware cryptor, which locks the victim’s files. Each encrypted file contains a ‘Read me’ file, informing the victim that data has been encrypted and providing a portal to contact Conti to pay the ransom and obtain decryption software. Negotiations with Conti can take several weeks. A special negotiation platform developed by the group is used for communication. The victim’s representative is asked to introduce himself and his organization. This shows that the people conducting the negotiations are not necessarily the same people who have penetrated the victim. Normally, the perpetrator would have to know who the victim is. If the victim fails to respond, Conti usually starts threatening to publish the collected data or to sell access to the data. The Conti operators offer a data package to the victims who decide to negotiate the price, since the latter usually ask for a guarantee that their files will be recovered. The victim’s name and usually a percentage of the directory listing tree for the encrypted files are included in the data package. Negotiations start with an initial ransom demanded by the attackers. However, the agreed payment is usually less than the initial demand. As soon as the victim has made the payment, Conti makes a decryption tool available to the victim [7].
Discussions and recommendations
Ransomware has been one of the most devastating threats to organizations in recent years. Ransom demands have risen from tens of thousands of dollars to millions of dollars as cyberattackers have realized that organizations are willing to pay. Ransomware negotiations have, until recently, been seen as the unscrupulous efforts of dodgy ransomware recovery companies that claim to decrypt a victim’s data, when in fact they are secretly paying the ransom behind the scenes. However, the increase in the number of ransomware attacks and the high number of ransom demands has automatically led to an increase in the demand for incident response specialists who can sometimes negotiate a claim from $ 1 million to $200,000 [36]. Therefore, ransoms can be negotiated from as little as 20% to up to 90%. In most cases, discounts of over 50% have been negotiated [17]. Nevertheless, a measured approach is required when negotiating a ransomware attack. Typically, the likelihood of achieving an optimal outcome is higher when using negotiation services. Their consultants have more knowledge of the attackers’ tactics and the cause of the attack than the organization may have.
If organizations decide to enter into ransomware negotiations, they may also want to consider some negotiation tactics on how to do so. For example, negotiations with cybercriminals should be treated as a business transaction and victims should be calm and show no signs of desperation. In addition, victims should refrain from disclosing whether or not they have a cyber insurance policy in place and, if they do, the cyber insurance documents should not be backed up on accessible servers [11]. Victims should also ask the perpetrators for more time. This could help them explore all options for recovery. Another strategy that is highly effective for victims is to convince the cybercriminals that they are not in a financial position to pay what was originally demanded. Typically, in order to make a quick profit and move on to another target, criminals will accept large discounts [33].
The situation is even more complicated in the case of data theft as part of the same attack, where the attackers are also threatening a data leak, because there is no way to guarantee that the attackers have destroyed the stolen data. Thus, as more and more ransomware groups adopt this method, ransomware incidents will have to be treated as data breaches and go through all the processes required in such instances. The European Union’s General Data Protection Regulation (GDPR), for example, requires organizations to report a breach to a data protection officer (DPO) in their region within 72 h and, in some cases, to notify individuals whose data has been exposed [9]. In addition, some ransomware gangs have gone even further with the use of triple extortion tactics. Victims may want to consider hiring a threat intelligence firm to monitor underground marketplaces and forums for stolen data, to understand how and where it is being used, and to take additional precautions. It is also important that after each incident, there is a review between the various parties involved—the legal team, the IT and incident response teams and the ransomware negotiation specialist—where all the information is analyzed, and all this information can then form a plan to improve the organization’s ability to slow down or completely block such attacks in the future.
However, to avoid becoming a victim of a ransomware attack, it is always preferable for organizations to focus on preventive measures. This requires educating employees on the key risks of ransomware attacks, as well as educating them on how to protect themselves from ransomware, such as not clicking on unknown links or opening unknown attachments. It is important for organizations to implement a robust cybersecurity policy that includes using security software and ensuring that software is updated on a regular basis. The use of strong passwords and, where possible, the use of multi-factor authentication (MFA) is also advisable [30]. Backups should be protected. A disaster recovery plan is necessary to be able to recover data if it is encrypted. Furthermore, to protect the organization from financial losses resulting from a ransomware attack, the purchase of cybersecurity insurance should be considered [33].
Conclusion
Ultimately, in making the decision to pay the ransom, victims weigh up the pros and cons of paying the criminals versus recovering the encrypted information by other means or even losing it altogether. In some cases, even when backup copies are available, victims may choose to pay the ransom in order to minimize the disruption and the risk of further financial loss. In spite of the importance of the topic, the process of ransom negotiations has not yet been discussed sufficiently in the literature. Therefore, the aim of this paper is to contribute to this research gap by providing an overview of the negotiation process and an insight into the inner workings of these procedures. It also examines the negotiation process of one of the most aggressive and notorious ransomware groups, Conti, in order to provide a practical perspective on the negotiation process.
Conflict of interest
S. Boticiu and F. Teichmann declare that they have no competing interests.
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
References
1. Alzahrani, S; Xiao, Y; Sun, W. An analysis of conti ransomware leaked source codes. IEEE Access; 2022; 10, pp. 100178-100193. [DOI: https://dx.doi.org/10.1109/ACCESS.2022.3207757]
2. Amos Z (2023) What are the legal implications of a ransomware attack? https://incyber.org/en/what-are-legal-implications-ransomware-attack/. Accessed 16 June 2023
3. Cartwright, A; Cartwright, E; MacColl, J; Mott, G; Turner, S; Sullivan, J; Nurse, JR. How cyber insurance influences the ransomware payment decision: theory and evidence. Geneva Pap. Risk Insur. Issues Pract.; 2023; 48,
4. Connolly, AY; Borrion, H. Reducing ransomware crime: analysis of victims’ payment decisions. Comput Secur; 2022; 119, 102760. [DOI: https://dx.doi.org/10.1016/j.cose.2022.102760]
5. Constantin L (2021) How ransomware negotiations work. https://www.csoonline.com/article/570365/how-ransomware-negotiations-work.html. Accessed 3 Oct 2023
6. Constantin L (2022) Conti ransomware explained: what you need to know about this aggressive criminal group. https://www.csoonline.com/article/571503/conti-ransomware-explained-and-why-its-one-of-the-most-aggressive-criminal-groups.html. Accessed 4 Oct 2023
7. Cymru T (2022) Analyzing ransomware negotiations with CONTI: an in-depth analysis. https://difr.unipi.gr/docs/conti.pdf. Accessed 4 Oct 2023
8. Daniel M (2023) Reporting cyberattacks will soon be mandatory. Is your company ready? https://hbr.org/2023/04/reporting-cyberattacks-will-soon-be-mandatory-is-your-company-ready. Accessed 19 Oct 2023
9. European Data Protection Board (2023) Guidelines 9/2022 on personal data breach notification under GDPR. https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf. Accessed 19 Oct 2023
10. Hack, P; Wu, ZY. We wait, because we know you.“inside the ransomware negotiation economics.”; 2021;
11. Hill M (2021) 9 tips for an effective ransomware negotiation. https://www.csoonline.com/article/571659/9-tips-for-an-effective-ransomware-negotiation.html. Accessed 19 Oct 2023
12. Hofmann, T. How organisations can ethically negotiate ransomware payments. Netw Secur; 2020; 2020,
13. Hull, G; John, H; Arief, B. Ransomware deployment methods and analysis: views from a predictive model and human responses. Crime Sci; 2019; 8,
14. IBM (2023a) Cost of a data breach report 2023. https://www.ibm.com/reports/data-breach?_gl=1. Accessed 28 Sept 2023
15. IBM (2023b) What is incident response? https://www.ibm.com/topics/incident-response. Accessed 19 Oct 2023
16. Johnson K (2023) Why using ransomware negotiation services is worth a try. https://www.techtarget.com/searchsecurity/feature/Why-using-ransomware-negotiation-services-is-worth-a-try. Accessed 3 Oct 2023
17. Lapienytė J (2021) Ransomware economics: if you decide to pay, here’s how to negotiate a discount. https://cybernews.com/editorial/ransomware-economics-if-you-decide-to-pay-heres-how-to-negotiate-a-discount/. Accessed 17 Oct 2023
18. Malwarebytes (2023) Ransomware review: August 2023. https://www.malwarebytes.com/blog/threat-intelligence/2023/08/ransomware-review-august-2023. Accessed 27 Sept 2023
19. Meegan-Vickers (2023) The rise and fall of the Conti ransomware group. https://globalinitiative.net/analysis/conti-ransomware-group-cybercrime/. Accessed 4 Oct 2023
20. Morbin T (2020) EU sanctions for WannaCry, NotPetya, OPCW & Cloud Hopper attackers. https://www.itsecurityguru.org/2020/07/30/eu-first-sanctions-imposed-on-wannacry-notpetya-opcw-cloud-hopper-attackers/. Accessed 19 Oct 2023
21. Palmer D (2022) This broken ransomware can’t decrypt your files, even if you pay the ransom. https://www.zdnet.com/article/this-badly-made-ransomware-cant-decrypt-your-files-even-if-you-pay-the-ransom/. Accessed 19 Oct 2023
22. Rizov, V. Information sharing for cyber threats. Inf Secur; 2018; 39,
23. Ryan, P; Fokker, J; Healy, S; Amann, A. Dynamics of targeted ransomware negotiation. IEEE Access; 2022; 10, pp. 32836-32844. [DOI: https://dx.doi.org/10.1109/ACCESS.2022.3160748]
24. Statista (2023) Annual share of companies worldwide that paid ransom and recovered data from 2018 to 2023. https://www.statista.com/statistics/700894/global-ransom-payers-recovered-data/. Accessed 27 Sept 2023
25. Teichmann, F. Ransomware attacks in the context of generative artificial intelligence—an experimental study. Int Cybersecur Law Rev; 2023; [DOI: https://dx.doi.org/10.1365/s43439-023-00094-x]
26. Teichmann F, Boticiu SR, Sergi BS (2022a) Cybersecurity trends in 2023. https://jusletter-it.weblaw.ch/en/issues/2022/20-Dezember-2022/cybersecurity-trends_400d374d22.html__ONCE&login=false. Accessed 5 Oct 2023
27. Teichmann F, Boticiu SR, Sergi BS (2022b) Ransomware—a growing threat for law firms. https://jusletter.weblaw.ch/juslissues/2022/1126/ransomware---a-growi_5933ba139a.html__ONCE&login=false. Accessed 27 Sept 2023
28. Teichmann F, Boticiu SR (2023) The importance of cybersecurity incident response plans for law firms. https://jusletter.weblaw.ch/juslissues/2023/1149/the-importance-of-cy_3c77b063f1.html__ONCE&login=false. Accessed 5 Oct 2023
29. Teichmann, F; Boticiu, SR; Sergi, BS. Latest technology trends and their cybersecurity implications. Int Cybersecur Law Rev; 2023; [DOI: https://dx.doi.org/10.1365/s43439-023-00091-0]
30. Teichmann, F; Boticiu, SR; Sergi, BS. The evolution of ransomware attacks in light of recent cyber threats. How can geopolitical conflicts influence the cyber climate?. Int Cybersecur Law Rev; 2023; [DOI: https://dx.doi.org/10.1365/s43439-023-00095-w]
31. Teichmann, FMJ; Wittmann, C. When is a law firm liable for a data breach? An exploration into the legal liability of ransomware and cybersecurity. JFC; 2022; [DOI: https://dx.doi.org/10.1108/jfc-04-2022-0093]
32. Trend Micro (2023) LockBit, Blackcat, and Clop Prevail as Top RaaS Group. https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-blackcat-and-clop-prevail-as-top-raas-groups-for-1h-2023#:~:text=LockBit%2C%20Clop%2C%20and%20BlackCat%20are,total%20number%20of%20victim%20organizations. Accessed 19 Oct 2023
33. Vakulov A (2023) The dos and don’ts of ransomware negotiations. https://cybersecurity.att.com/blogs/security-essentials/the-dos-and-donts-of-ransomware-negotiations. Accessed 3 Oct 2023
34. Wade, M. Digital hostages: leveraging ransomware attacks in cyberspace. Bus Horiz; 2021; 64,
35. Wilkie C (2021) Colonial Pipeline paid $ 5 million ransom one day after cyberattack, CEO tells Senate. https://www.cnbc.com/2021/06/08/colonial-pipeline-ceo-testifies-on-first-hours-of-ransomware-attack.html#:~:text=WASHINGTON%20%E2%80%94%20Colonial%20Pipeline. Accessed 28 Sept 2023
36. Wright R (2023) Ransomware negotiations: an inside look at the process. https://www.techtarget.com/searchsecurity/feature/Ransomware-negotiations-An-inside-look-at-the-process. Accessed 3 Oct 2023
© The Author(s), under exclusive licence to Springer Fachmedien Wiesbaden GmbH 2023.