Skip to main content
Reading Time: 4 minutes

We cannot emphasize enough the importance of guarding against cyber criminals. The new European guidelines (NIS2) highlight that cybercriminals should not be taken lightly. The number of cyber attacks is consistently increasing at a rate of approximately 25 per cent each year. Evidently, this form of crime is proving to be lucrative. But what exactly makes it so intriguing? And most importantly, who are the individuals behind these acts? In this article, we delve into the mindset of a cybercriminal.

Who are we dealing with?

Ransomware is a type of malware that seizes control of a computer and/or its data, effectively holding them hostage. The rightful owner of the IT systems is then compelled to pay a sum of money in order to release the ransom. An increasing number of organizations find themselves confronted with this form of cybercrime. This comes as no surprise, considering the staggering amounts of ransoms paid annually. Gone are the days when cybercriminals were solitary individuals in dimly lit rooms, haphazardly dispersing malware in the hopes of ensnaring unsuspecting victims. We are now faced with bona fide organizations boasting management structures, “customer” service operations, and even HR policies.

Furthermore, the realm of cybercrime encompasses a myriad of organizations, each specializing in different aspects of illicit activities. Some excel at breaching security defenses and subsequently sell access to another group adept at hacking into networks. This second group then transfers access to yet another specialized faction skilled in extortion, and so forth. To heighten the sense of menace, victims are meticulously targeted, ransom amounts are meticulously calculated, and negotiation techniques have become increasingly refined. All these efforts are geared towards maximizing financial gain.

Cybercrime: a look behind the Scenes

If you happen to fall victim to ransomware, do not assume it was merely a stroke of bad luck due to opening an email by mistake or updating too late. It is safe to presume that the cybercriminal gang, your adversary, has conducted thorough research. This is supported by the findings of Check Point Research, which delved into the ransomware economy, offering intriguing insights into the workings of this “industry.” One noteworthy aspect of their research involved analyzing chat conversations within a ransomware gang. The researchers also examined the losses suffered by victims and the profits reaped by cyber criminals.

When cybercriminals infiltrate a network, they do not immediately encrypt the data. In some cases, they spend months quietly operating within the network, gathering information bit by bit. They meticulously identify vulnerabilities in the IT environment and amass comprehensive knowledge about the targeted organization. The researchers discovered that the ransom amount demanded in cases of dynamic ransomware is determined based on the victim’s annual income. In other words, the estimated earnings of the victim play a role in determining the ransom’s magnitude. This sheds light on the fact that setting a realistic ransom amount is deemed a crucial factor for a successful negotiation within this “business.” The criminals do not take any chances with these estimations. They examine publicly available data from sources like ZoomInfo and DNB, while also scouring for specific information about the victim, such as accounting and bank details.

The negotiation strategy

Even when it comes to negotiating, cybercriminals go to work well thought out. The research distinguishes five steps in the average strategy.

  • It all begins with a threat. Following this, the stolen data from the targeted company is searched for confidential files. If such files are discovered, the gang issues a threat to make them public unless the victim pays promptly.
  • The second step involves offering discounts for swift payment. Yes, you read that correctly. The research reveals that some victims received a 20 to 25 per cent discount when they paid within a few days. Cybercriminals capitalize on expedited agreements, reaping benefits from quick transactions.
  • Subsequently, victims often resort to involving third parties. They explore various avenues to delay payment or even negotiate additional discounts. Cybercrooks anticipate and account for such actions in their strategy, remaining undeterred and swiftly moving on to the next step.
  • Next, new data emerges where (small) portions of sensitive information are often leaked, intensifying the threats made.
  • Ultimately, negotiations take place within one of the following scenarios: either the ransom is paid, the data is made public, or the payment of the ransom becomes obscured, leading to further extortion attempts. In all cases, there is one clear victim: you, as an entrepreneur. Depending on the leaked information, there is a significant likelihood of multiple victims, including your customers and the reliability of your staff.

Even insurance is not a guarantee of safety

“But I can protect myself by getting insurance against these risks,” you might think. Well, here’s one final surprise from the research: organizations with cyber insurance often become more appealing targets. This is because they present a higher likelihood of paying the ransom. Consequently, hackers prioritize searching for any documents related to cyber insurance. In this case, prevention is always the best remedy. However, if you do find yourself facing ransomware, it is crucial not to underestimate your adversaries. Nevertheless, it’s important to remember that no matter how advanced the attack and extortion methods may be, you are still dealing with individuals. Thus, you can mitigate potential damages through clear communication and careful negotiation planning.”


Joanknecht sponsored this article. You can find out more about the company at:

Leave a Reply