Submit your essay to the AI-Cybersecurity Essay Prize Competition by January 2, 2025.
The AI-Cybersecurity Essay Prize Competition
Read more
Main Logo Expert commentary on tech and security

Why hostage negotiation tactics don’t work on ransomware

Max Smeets 28 November 2024
Share On:
Max Smeets unpacks the key differences between ransomware attacks and hostage-taking, explaining why ransomware operators feel no pressure to make concessions while victims grow increasingly desperate
Main Top Image
Image created using DALL-E 2 and Chat GPT-4o

In recent years, ransomware has emerged as one of the most pervasive and complex forms of cybercrime. With ransomware attacks on the rise, developing effective frameworks to understand and address their dynamics has become urgent. Many experts initially sought insights from hostage negotiation literature, hoping its principles could shed light on the issue. This is not surprising, given the apparent similarities between holding a person hostage and holding a business’s data for ransom. 

However, my upcoming book, Ransom War: How Cyber Crime Became a Threat to National Security (February 2025), reveals critical differences that make the hostage negotiation analogy for ransomware fall short.

Surface similarities

It is easy to see why the hostage-taking analogy is used when discussing ransomware. In both situations, victims face high stakes due to leverage, demands, and limited trust. The attacker has seized something critical, a person or data, to increase pressure on the target. This power imbalance creates an urgent, intense setting where the victim may feel compelled to comply quickly to avoid irreversible loss or harm.

A central component in each scenario is the ransom demand. This transactional aspect shapes the negotiation. Victims may attempt to lower the ransom or request assurances, such as proof of life in hostage situations or partial decryption in ransomware cases. Even if these assurances are granted, however, the trust dilemma remains significant. Victims are left to weigh whether the attackers will fulfil their end of the deal if they pay them.

Given the complexity and high-pressure nature of both ransomware and hostage situations, ransomware incidents have also spurred the rise of specialised negotiators, similar to those in traditional hostage-taking scenarios. Companies like GroupSense and Coveware are well-known for managing ransomware negotiations on behalf of clients in the US and beyond, often facilitating not only the negotiation process but also payments between the victim and the ransomware group. During my research into ransomware group Conti for Ransom War, I came across one such figure: ‘The Spaniard’, a Romanian negotiator working for a ransomware recovery firm in Canada. He frequently facilitated Conti negotiations, sometimes helping the criminal group secure favourable outcomes and other times pushing back against their demands. 

Absence of physical risk

One of the central issues with applying hostage negotiation principles to ransomware is the absence of physical risk for the attacker. In typical hostage situations, the hostage-taker is physically present and under stress – tired, hungry, and potentially exposed to law enforcement. The longer a hostage crisis drags on, the more vulnerable the hostage-taker becomes.

By contrast, ransomware operators operate behind layers of anonymity and technological barriers, often from jurisdictions where law enforcement has little reach. They face limited physical risk. They can step away from their workday, enjoy dinner, get a night’s rest, and return to the negotiations fresh the next morning; they can afford to be patient. There is no equivalent ‘breaking point’ in ransomware negotiations where the attacker’s endurance or resources are stretched.

Time favours the ransomware operator

In hostage negotiations, time is generally on the side of the negotiator. The longer the situation drags on, the more likely the hostage-taker is to make a mistake or grow too fatigued to maintain control. The European Interagency Security Forum, an independent network of NGOs, recommends that negotiators prolong the process, exhausting the hostage-takers until they surrender or make concessions. 

Time does provide some advantages for ransomware victims. It allows them to assess the extent of the breach, explore independent recovery options, and verify the ransomware group’s credibility. Ultimately, however, time mostly favours the ransomware operator. 

For businesses hit by ransomware, every minute their systems are offline is a ticking financial time bomb. Whether it is lost productivity, damaged customer relationships, or regulatory fines, the costs mount quickly. Unlike in hostage scenarios, where time can wear down the attacker, time in ransomware cases benefits the attacker, whose leverage increases as the victim grows more desperate to restore normal operations.

Note that both hostage-takers and ransomware operators often exploit this sense of urgency by threatening to escalate the situation. For ransomware, this could involve setting a timer on the leaking of stolen data, increasing the ransom demand, or beginning distributed denial-of-service (DDoS) attacks if the victim delays payment. One group went as far as threatening to call media outlets and a victim’s business partners to spread the news about the attack if demands weren’t met. 

For hostage-takers, escalation might involve setting a deadline for executing a hostage or harming additional victims to force compliance. For both ransomware and hostage situations, this tactic places pressure on the victim to act quickly. Yet the reasons behind it differ. Unlike hostage situations, where prolonged negotiations weaken the captors’ position by increasing personal risk, ransomware operators use compressed timelines to strengthen their position, facing no comparable threats.

Lack of emotions

In hostage situations, human emotions play a critical role. The FBI’s ‘stairway model’ for hostage negotiations, for example, prioritises understanding and managing the emotions of the hostage-taker. This often requires careful listening and empathetic engagement to de-escalate tensions. 

In ransomware, however, this emotional layer is largely absent. Ransomware operators typically view their target as a faceless entity. Their victim is normally a business or institution they have no personal connection to (on the victim’s side, it is common for the negotiator to create a persona, usually a company employee). The exchange is reduced to a cold business transaction. This transactional interaction also makes it much harder to apply conventional hostage negotiation techniques.

A different type of negotiation

Comparing hostage-taking to ransomware may seem fitting, but it quickly unravels upon closer scrutiny. The absence of physical risk for ransomware operators, the inverted time dynamics, and the lack of emotional engagement all contribute to a fundamentally different negotiation landscape.

avatar
Max Smeets

Related

Featured image
Binding Edge
Europe’s cyber rapid response teams should pivot to proactive missions
Taylor Grossman 1 March 2024
Read more arrow
Featured image
Binding Edge
Learning to supply cyber capabilities
Joseph Jarnecki 10 June 2024
Read more arrow
Featured image
Binding Edge
How to ‘harden’ open-source software
John Speed Meyers / Jacqueline Kazil 7 November 2023
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.