The new ransomware attacks are becoming more personal as hackers 'apply psychological pressure'



Experts warn that desperate ransomware attackers are shifting their focus from businesses to people, applying “psychological pressure” with personal threats that bring digital extortion into the physical world. In a surprising recent example, Guy Segal and Moty Cristal of ransomware negotiation and incident response firm Sygnia said that a threat actor personally called an executive's mobile phone and referred to sensitive details extracted from the company's internal systems.

“During the call, they referred to personal information, underlining how much data an employer can have on their employees,” Cristal, a tactical negotiator, told TechRepublic. “Ransomware attacks are not just about encrypted files; they can become invasive in other ways.”

Ransomware payments decrease, but threats increase

Although ransomware has been a problem for decades, global payments in 2023 exceeded $1 billion for the first time, marking a historic escalation in cyber extortion. Attackers have continually refined their tactics, finding new ways to extract maximum payments from victims.

New data released last month revealed that ransomware payments decreased by 35% in 2024. Experts attribute the decrease to successful law enforcement takedowns and improved cyber hygiene worldwide, which has allowed more victims to refuse payment. In response, attackers are adapting, moving faster to start negotiations and developing stealthier, harder-to-detect ransomware strains.


The people targeted are often C-level executives or work in legal fields. Stolen personal data may include information about where their children live or go to school, or even photos of loved ones. Cristal added that it is “extremely rare” for an attacker to actually act on these physical threats, but the success of the attack only requires that the victim believes they could.

“It can be deeply personal, encouraging an instinctive reaction from the victim,” he said. Cristal added that approximately 70% of ransoms are not paid. Most of the time, attacks are not personal.

But when attackers escalate threats by promising to leak confidential data, they also demonstrate their effectiveness within the cybercrime community; if they do not receive payment, they can sell the valuable data on the black market for a last-minute payday.

The risks of using AI in ransomware negotiations

Modern ransomware attacks are taking new forms, with attackers using freely available chatbots to write malware, craft phishing emails and create deepfake videos to trick people out of valuable information or money. As a result, these tools have lowered the barrier to entry for launching a cyberattack. However, Sygnia's ransomware negotiation teams have also seen victims trying to use tools such as ChatGPT to help them say the right thing to escape their ordeal.

“In general, AI is not sensitive enough to capture human emotion or provide the necessary nuances to connect with threat actors and defuse the situation, and this is where it can intensify,” Cristal told TechRepublic. It can encourage victims to break the golden rules of not using “negative language” or telling the threat actor that they will not pay the ransom.


The attackers “can be extremely educated, even friendly to begin with,” said Segal, Sygnia's vice president of corporate development. But they can become more “aggressive and threatening” if they do not get what they want quickly, which would be the case if all hope of payment was extinguished. It is not uncommon for attackers to leave backdoors in malware that allow them to retaliate with additional encryption, or even by wiping all the data, especially if they feel disrespected or that they are being left hanging.

Therefore, negotiators try to remain “accessible,” Cristal said.

“Defensive behavior will create a more hostile atmosphere,” he told TechRepublic. Negotiators can steer the conversation to extract more information from the attackers, such as what data they have, how they breached the system and the likelihood that they can return or publish the data.

“Each threat actor has their reasons and life experiences that they do to them: talking is important to understand how we address the situation,” he said. “Do they have enough data to damage the company? Can they cause real-world damage, particularly for critical infrastructure clients or impact people's lives? The threat actor can be happy with a smaller ransom payment than their initial demand because they only need money.”

The debate on the ban on ransomware payments

In January, the United Kingdom Government announced that it was considering banning ransomware payments to make critical industries “unattractive targets for criminals,” reducing the frequency and impact of incidents in the country. The ban would apply to all public sector bodies and critical national infrastructure, which includes NHS trusts, schools, local councils and data centers.

The Office of Foreign Assets Control has identified several sanctioned ransomware groups linked to Russia or North Korea to which US companies and individuals are legally prohibited from paying ransoms.

Segal and Cristal say that ransomware bans are not a simple solution, and point out that they have seen evidence of attacks both increasing and decreasing. While some threat actors may be deterred, others are pushed to raise the stakes with more aggressive or personal threats. Some are driven by data theft or disruption for geopolitical reasons, not money: the ban does not affect them.

But Sygnia's negotiators agree that bans on ransom payments within governments are positive overall.

“A general decision to never pay the ransom is a privilege that governments can afford,” Segal said. “But it is much less applicable in the business sector.”

In fact, in the documentation describing the United Kingdom's proposed ban, the Home Office acknowledged the potential for the legislation to disproportionately affect small and micro businesses “that cannot afford specialized ransomware insurance or clean-up specialists.” These businesses will find it harder to recover from any financial loss incurred through operational disruption and the consequent reputational damage.

These consequences can encourage some companies to covertly pay ransoms through third parties or cryptocurrencies to avoid fines. Paying in this way also helps the attacker, since they receive the payment anonymously, avoid jurisdictional restrictions and can continue their operations without fear of being tracked or penalized.

If the business is caught doing this, of course, it will have to deal with a government fine in addition to the ransom payment, exacerbating the damage to its operations. On the other hand, if it complies and reports the incident to the authorities, that creates an additional administrative burden that disproportionately affects smaller companies.

“That is why there must be more in place to support companies before suffering the worst part of a ransomware ban,” Segal said.

Sygnia's senior vice president of global cyber services, Amir Becker, suggested that if governments impose a ban, they should also:

  • Exempt critical infrastructure and medical care sectors, since withholding ransom payments could lead to loss of life.
  • Simultaneously provide incentives for organizations to improve their cybersecurity posture and incident response capabilities.
  • Provide financial and technical support to help companies recover from the consequences of not paying a ransom.

“This balanced approach can address the threat of ransomware while minimizing collateral damage to companies and the economy in general,” he told TechRepublic.