How Much Money Does Your Incident Response Team Make on Ransom Payments?
A common trend in the cybersecurity space is incident response teams profiting from a percentage of the ransom payments made to threat actors after a ransomware attack. Since this cut is often far more than the fee the incident response team itself pays a cryptocurrency broker, the team ends up making money from a situation it should be trying to avoid at all costs.
To truly understand the conflict of interest for an incident response team paying the ransom, let’s look at the process of paying the ransom.
Why an Incident Response Team Shouldn’t Profit from Ransom Payments
The main goals of an incident response team should be to eradicate the threat actor, restore the business to normal operations as quickly as possible, and prevent future attacks.
If the incident response team responsible for the ransom negotiation also charges a fee calculated on the ransom, the team has less motivation to negotiate the amount down: the higher the ransom, the more money the response team makes. That is a major conflict of interest.
For example, an incident response team would make considerably more money on a $1.5M ransom versus a $750K ransom.
Typical Fees for Ransom Payments
A ransomware payment company will typically charge a service fee for facilitating a payment, in the same way a credit card company charges a service or authorization fee. This fee generally ranges from 1-2%. An incident response team may pass this fee along to the customer as part of the cost of doing business.
Alternatively, a broker can be used; a broker charges a flat fee of under $5K plus a pass-through percentage. A broker will work with an incident response company and is transparent about these fees; however, an incident response team should not charge the client more than the fees it is passing along. If the charge exceeds 1-2%, the incident response team is likely marking up the ransom.
Another conflict of interest arises with incident response teams that pay the ransom themselves, because they then make money three times over: on the negotiation, on the fee for making the payment, and on the markup applied to the ransom amount. Once again, the bigger the ransom, the more money they receive.
Ways a Ransom Payment Should Be Made
When there is no other option and a ransomware payment must be made, the payment should go through a brokerage firm. In this arrangement the client partners directly with a broker, and the broker pays an incident response team to do the negotiating. This provides complete separation, removes the need to rely on a middleman to deliver the payment to the broker, and allows for greater transparency about any fees.
Alternatively, a ransomware payment can be made through an incident response firm that passes the broker's fee through without markup. One benefit is that there is one less vendor involved, which removes the time-consuming process of vetting another party. It also simplifies the transaction, since there is only one point of contact to work through. Additionally, because of the volume of business it does with the broker, the incident response team will have more leverage to negotiate lower fees.
As mentioned above, incident response teams should be focused on eradication, restoration, and prevention, not on making a profit from ransomware payments. To avoid this conflict of interest when paying a ransom, it is best either to deal directly with a broker or to use a response team that only passes the fee through to the client rather than adding an upcharge.