March 21, 2024 By Mark Stone 4 min read

Specialized roles in cybersecurity are proliferating, which isn’t surprising given the evolving threat landscape and the devastating impact of ransomware on many businesses.

Among these roles, ransomware negotiators are becoming more and more crucial. These negotiators operate on the front lines of cyber defense, engaging directly with cyber criminals to mitigate the impact of ransomware attacks on organizations.

Ransomware negotiators possess a unique blend of technical expertise, psychological insight and negotiation skills that allow them to navigate the high-stakes environment of ransomware negotiation. Their work involves understanding the intricacies of ransomware attacks, assessing the severity and potential impact on the organization, and negotiating terms that can minimize damage and recover encrypted data.

In this exclusive and insightful Q&A, we spoke with Andrew Carr, Director of Cybersecurity Graduate Programs and Assistant Professor of Cybersecurity at Utica University.

Carr spent several years in supervisory roles at leading organizations, with expertise in digital forensic analysis, threat actor tactics, techniques and procedures, ransomware negotiations, application of data privacy law concerning breach events, financial audit considerations for cyber incidents, intellectual property theft investigations and cryptocurrency tracing.

Read the Definitive Guide to Ransomware

Did you go to college? What did you go to school for?

I received my bachelor’s and master’s degrees in Cybersecurity from Utica University. My specific concentrations were in digital forensics, and therefore, over the years, I have held several digital forensics certifications that have since lapsed. I currently hold GIAC Certified Incident Handler and CipherTrace Cryptocurrency Tracing Certified Examiner certifications. I have also participated in more than 1,000 hours of training within the digital forensics and incident response discipline.

What was your first role in IT?

My first role was as a digital forensic analyst for a regional crime lab in New York. I interned at a local police department’s crime lab prior to that, so I didn’t follow the path that many individuals do by starting out in an infrastructure role. I had a keen interest in forensics that developed during my degree, and I went all in on it as soon as I graduated and never looked back.

How does a ransomware negotiator differ from other typical negotiator roles?

A typical negotiation starts with both sides pursuing an outcome most favorable to their side while respecting the integrity of the other party and the process. Ransomware negotiations, unfortunately, often start with the negotiator and their client being on the losing side of the equation from the very beginning.

In these situations, the ransomware group often has a significant upper hand as they attempt to control the cadence and focus of communications due to the urgent needs of the affected organization to recover encrypted files or suppress exfiltrated data. It is up to the negotiator to try to claw back as much control of the situation as they can and use strategic communication to regain control of cadence, gain valuable insight into data theft and ultimately secure a deal that provides their client with the best possible outcome given the situation.

It is an uphill battle the entire way, but with enough insight and experience, negotiators can frequently secure acceptable terms for their clients while minimizing their risk exposure.

What is the most valuable skill you learned in your roles in incident response and, of course, as a ransomware negotiator?

The most valuable skill I’ve learned is the ability to quickly problem-solve. Incident response happens at a blistering pace and often deals with novel attacks and tools. You learn quickly that you must think critically and figure things out on the fly.

The same holds true in ransomware negotiations. You are often trying to simultaneously weigh an organization’s needs, like decryption, data exfiltration and attack vector insight, with the inherent risks of federal sanctions and threat group origins and affiliations. Often, we encounter a new group and have to problem-solve from both a negotiation and payment perspective to find ways of ensuring our client can return to normal operations while not exposing them to the risk of violating sanctions. It can be a daunting task without the right people involved.

Are there any soft skills that make a person successful as a ransomware negotiator?

Strong communication and writing skills are essential to being successful in ransomware negotiations. You are often communicating about vast sums of money and highly technical topics on accelerated timelines with individuals whose native language differs from your own. Therefore, your communication must be concise, precise and well-delivered. Even small issues in your communications can create significant problems later in the negotiation process.

Those same skills are important from the client interaction side. An organization is usually at its lowest during a ransomware negotiation, and people are usually exhausted, stressed and confused. It is important for the ransomware negotiator to convey confidence by leading the discussion, anticipating the organization’s needs and adhering to the same clear communication style that makes them a good negotiator.

Organizations are putting their trust in us to do what is best for them, and we must always ensure they feel heard and understood while simultaneously helping them fully understand a process that may be completely foreign to them.

Is there anything else you’d like to add?

The success of an organization’s ransomware negotiations really comes down to the expertise of the people negotiating on their behalf. It is imperative that an organization seek out a firm experienced in negotiations. Attempting negotiations on your own can have serious consequences that could be avoided by bringing in the right people. Cybersecurity insurance providers, cyber law firms and reputable incident response providers can typically provide you with quality recommendations on who would be a good fit for your negotiations, but the key is to involve them as quickly as possible.

Ransomware is an unfortunate part of the business landscape’s new reality, but there are people out there who can help you navigate the difficult path through it.

More from Risk Management

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today