March 21, 2024 By Mark Stone 4 min read

Specialized roles in cybersecurity are proliferating, which isn’t surprising given the evolving threat landscape and the devastating impact of ransomware on many businesses.

Among these roles, ransomware negotiators are becoming more and more crucial. These negotiators operate on the front lines of cyber defense, engaging directly with cyber criminals to mitigate the impact of ransomware attacks on organizations.

Ransomware negotiators possess a unique blend of technical expertise, psychological insight and negotiation skills that allow them to navigate the high-stakes environment of ransomware negotiation. Their work involves understanding the intricacies of ransomware attacks, assessing the severity and potential impact on the organization, and negotiating terms that can minimize damage and recover encrypted data.

In this exclusive and insightful Q&A, we spoke with Andrew Carr, Director of Cybersecurity Graduate Programs and Assistant Professor of Cybersecurity at Utica University.

Carr spent several years in supervisory roles at leading organizations, with expertise in digital forensic analysis, threat actor tactics, techniques and procedures, ransomware negotiations, application of data privacy law concerning breach events, financial audit considerations for cyber incidents, intellectual property theft investigations and cryptocurrency tracing.

Read the Definitive Guide to Ransomware

Did you go to college? What did you go to school for?

I received my bachelor’s and master’s degrees in Cybersecurity from Utica University. My specific concentrations were in digital forensics, and therefore, over the years, I have held several digital forensics certifications that have since lapsed. I currently hold GIAC Certified Incident Handler and CipherTrace Cryptocurrency Tracing Certified Examiner certifications. I have also participated in more than 1,000 hours of training within the digital forensics and incident response discipline.

What was your first role in IT?

My first role was as a digital forensic analyst for a regional crime lab in New York. I interned at a local police department’s crime lab prior to that, so I didn’t follow the path that many individuals do by starting out in an infrastructure role. I had a keen interest in forensics that developed during my degree, and I went all in on it as soon as I graduated and never looked back.

How does a ransomware negotiator differ from other typical negotiator roles?

A typical negotiation starts with both sides pursuing an outcome most favorable to their side while respecting the integrity of the other party and the process. Ransomware negotiations, unfortunately, often start with the negotiator and their client being on the losing side of the equation from the very beginning.

In these situations, the ransomware group often has a significant upper hand as they attempt to control the cadence and focus of communications due to the urgent needs of the affected organization to recover encrypted files or suppress exfiltrated data. It is up to the negotiator to try to claw back as much control of the situation as they can and use strategic communication to regain control of cadence, gain valuable insight into data theft and ultimately secure a deal that provides their client with the best possible outcome given the situation.

It is an uphill battle the entire way, but with enough insight and experience, negotiators can frequently secure acceptable terms for their clients while minimizing their risk exposure.

What is the most valuable skill you learned in your roles in incident response and, of course, as a ransomware negotiator?

The most valuable skill I’ve learned is the ability to quickly problem-solve. Incident response happens at a blistering pace and often deals with novel attacks and tools. You learn quickly that you must think critically and figure things out on the fly.

The same holds true in ransomware negotiations. You are often trying to simultaneously weigh an organization’s needs, like decryption, data exfiltration and attack vector insight, with the inherent risks of federal sanctions and threat group origins and affiliations. Often, we encounter a new group and have to problem-solve from both a negotiation and payment perspective to find ways of ensuring our client can return to normal operations while not exposing them to the risk of violating sanctions. It can be a daunting task without the right people involved.

Are there any soft skills that make a person successful as a ransomware negotiator?

Strong communication and writing skills are essential to being successful in ransomware negotiations. You are often communicating about vast sums of money and highly technical topics on accelerated timelines with individuals whose native language differs from your own. Therefore, your communication must be concise, precise and well-delivered. Even small issues in your communications can create significant problems later in the negotiation process.

Those same skills are important from the client interaction side. An organization is usually at its lowest during a ransomware negotiation, and people are usually exhausted, stressed and confused. It is important for the ransomware negotiator to convey confidence by leading the discussion, anticipating the organization’s needs and adhering to the same clear communication style that makes them a good negotiator.

Organizations are putting their trust in us to do what is best for them, and we must always ensure they feel heard and understood while simultaneously helping them fully understand a process that may be completely foreign to them.

Is there anything else you’d like to add?

The success of an organization’s ransomware negotiations really comes down to the expertise of the people negotiating on their behalf. It is imperative that an organization seek out a firm experienced in negotiations. Attempting negotiations on your own can have serious consequences that could be avoided by bringing in the right people. Cybersecurity insurance providers, cyber law firms and reputable incident response providers can typically provide you with quality recommendations on who would be a good fit for your negotiations, but the key is to involve them as quickly as possible.

Ransomware is an unfortunate part of the business landscape’s new reality, but there are people out there who can help you navigate the difficult path through it.

More from Risk Management

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today