What goes on in the minds of cyber criminals?

Cybersecurity Special October 2022

We cannot stress enough how important it is to arm yourself against cybercriminals. The fact that this is not just casual advice is made clear by the new European directive (NIS2). The urgency is also evident from the increasing number of ransomware attacks. These increase by around 25 percent each year. Apparently, this kind of crime pays off. But what makes it so enticing? And most importantly, who are we dealing with here? We crawl inside the minds of cybercriminals.

Who are we dealing with here?

Ransomware is a kind of malware that takes a computer and/or the data on it hostage. The owner of the computer then has to pay money to ‘free’ it again. A growing number of organisations are facing this form of cybercrime. This is not surprising, as billions in ransom are paid every year. These cybercriminals have also long since evolved from isolated individuals in attics randomly spreading malware in the hope that someone will take the bait. We are now dealing with veritable organisations with management structures, ‘customer’ service and HR policies. This also involves networks of cybercrime organisations. The first organisation is good at gaining access and then sells that access to another group that is good at penetrating networks. They in turn sell it on to a group that is good at extortion, etc. To make the situation even more ominous, victims are meticulously targeted, the ransom is carefully determined and even the negotiation techniques are becoming increasingly sophisticated. All of this is aimed at maximising the financial gain.

Cybercrime: a look behind the scenes

Should you fall victim to ransomware, please do not assume it was just bad luck because you accidentally opened the wrong email or were late with an update. You can safely assume that the cyber gang – your adversary – has been doing its homework. At least, that is according to research conducted by Check Point Research into the ransomware economy. This research offers an interesting look behind the scenes of this ‘line of business’. It reveals astonishing as well as terrifying and disturbing information, for example through chat conversations from inside a ransomware gang. For instance, the researchers examine victims’ losses and cybercriminals’ profits.

Cybercriminals do not instantly encrypt your data once they have gained access. Sometimes they spend months inside a network gathering information bit by bit. This allows them to map out the vulnerabilities in an IT environment and obtain all of the information they need about the organisation. The researchers discovered that the starting point for the financial dynamics of ransomware is usually the victim’s annual revenue. In other words, the victim’s estimated income will determine the ransom amount set. A realistic demand also appears to be the most important factor for successfully negotiating in this ‘business’. When making these estimates, the criminals don’t make hasty decisions. They look for available data in public sources such as ZoomInfo and DNB. But they also search in the data they have taken hostage for things like accounting and banking details.

The negotiation strategy

When it comes to negotiating, cybercriminals also adopt a well-thought-out approach. The study identifies five steps in the average strategy.

  • They always start with a threat. This involves searching the company’s stolen data for sensitive files. If any are found, the gang threatens to make them public if the victim does not pay up quickly.
  • Step two is to offer a discount for prompt payment. Yes, you read that correctly. The research revealed that some victims received 20 to 25 percent discounts if they paid within a few days. Criminals apparently benefit from quick negotiations.
  • What then often happens is that victims start negotiating through third parties. They try various ways of delaying payment or even getting additional discounts. Cyber crooks have long been taking this into account in their strategies. They will not be deterred. It will only lead to them taking the next step.
  • New threats follow, often with (small) chunks of sensitive information being leaked to give teeth to the threat.
  • Ultimately, the negotiations result in one of the following scenarios: the ransom is paid, the data is disclosed or, after paying the ransom, you face extortion again at a later point. In each case, there is one victim: you, the entrepreneur. Depending on the information that is leaked, chances are that there will also be multiple victims, such as your customers, suppliers or staff.


Want to know how this kind of negotiation works? Read about how retailer FatFace negotiated with the cybercrime organisation Conti here (source: Computer Weekly).

Insurance makes it even more inviting

“But surely I can insure myself against this kind of risk,” you may be thinking. Well, the research has one final surprise in store for you: organisations with cyber insurance tend to be more attractive targets. After all, they have a greater chance of being able to pay the ransom. That’s why hackers always first look for any documents related to cyber insurance. Even in this case, prevention always proves to be better than cure. If you do have to deal with ransomware, do not underestimate your opponent. But also remember that no matter how sophisticated the attack and extortion methods, you are still dealing with humans. So you can limit any damage with clear communication and careful negotiation planning. Do you want to know more about this topic? Please contact one of our cybersecurity specialists. You can always trust them!

Lucas Vousten | +31 (0)40 240 9516 | lvousten@joanknecht.nl

Ties Meesters | +31 (0)40 240 9459 | tmeesters@joanknecht.nl

Tip: Apply for the digitisation subsidy at RVO.
You get 50% of your investment reimbursed up to a maximum of €2,500.