âWhy should we pay these criminalsâ the hidden world of ransomware negotiations Cybercrime The Guardian

pCybersecurity experts reveal what they do for highprofile clients targeted by hackers such as Scattered Spider ppThey call it âstopping the bleedingâ the vital window to prevent an entire database from being ransacked by criminals or a production line grinding to a haltppWhen a call comes into the cybersecurity firm SRM headquartered on Whitechapel High Street in east London a hacked business or institution may have just minutes to protect themselvesppSRM which helped a highprofile retail client recover from a Scattered Spider cyberattack has become a quiet often wordofmouth successppMany of the companyâs senior workers are multilingual and have a minimal online footprint which reveals scant but impressive CVs suggestive of corporate or government intelligencebased careersppSRM now claims the UKâs largest cyberincident response team Its firstresponder service is comprised of about 150 experts worldwide It has clients who keep it on retainer victims referred by insurers and âwalkinsâ people who suddenly realise their business is under attack and call the first few results on their search enginesppIn the case of the Scattered Spider victim which the Guardian understands was not Marks Spencer or the Coop â two retailers that were attacked in 2025 â a 30minute Teams call with a retailer became âa 24hour call with a rotating cast of expertsâ says Ted Cowell the director of SRMâs cyber business armppâOn average weâre getting back to clients within six minutes Which is critical because often the first hours of a cyber incident can be the biggest chance window to determine the outcome of a case and its impactâ he says âWhat can start as a network intrusion can then metastasise into a fullblown malware or ransomware scenarioâppCowell a Cambridgeeducated Russian speaker says that getting a handle on the attack during a âreconnaissanceâ period can result in a radically different outcome compared with a slow response Criminals often need time after their first penetration of a businessesâ systems to work out what is of most value This short spell of time can therefore allow experts to prevent the most operationally painful of attacks âExfiltrationâ â the theft of critical data â and encryption whereby businesses can be locked out of their own systems can be the most damagingppâSometimes we can stop it from going boomâ Cowell says Teams focus on âstopping the bleedingâ by limiting or cutting the attackerâs access to systems This is what SRMâs team was able to do with the Scattered Spider victim stopping the detonation of malware across systemsppBusiness is good as the cybercrime industry grows but that comes with ethical challenges SRM and its industry peers have faced criticism for helping to facilitate the payment of ransoms to criminals who hijack businesses for moneyppâExtortion supportâ is an important part of SRMâs work This means its specialists are in the room when ransoms are negotiated sometimes doing the negotiation itself on behalf of a client Cowell appears keen to avoid criticisms of feeding organised crime by helping businesses to pay ransoms or by acting for insurers that sell policies covering ransom paymentsppâWeâre instructed by the policyholder by the insuredâ he saysppâOur ambition is to guide âno paymentâ decisions wherever and whenever possibleâ he continues adding that businesses are increasingly taking that approach and not paying ransomsppâOur role is to facilitate strategic thinkingâ he says âGive clients some structure to order their thoughts Theyâve probably not been in a situation like this beforeppâThe businessesâ decision as to what they do is their own We just offer the template of a crisis how things play out based on our experienceppâWhy should we pay these criminalsâ is a challenge Cowell says his team puts to top staff at affected businesses âOne of the things that we often educate boards on is that ransomware is an organised criminal enterpriseâppThese nefarious groups have he explains âbrands to upholdâ Established ransomware groups typically speaking will honour a settlement SRM also has an increasingly detailed picture of how these groups have behaved in previous negotiationsppThe more established the group the more likely they are to honour whatever settlement is agreed either by deleting stolen data or providing keys to decrypt critical files SRM offers a rundown of whoâs who in terms of reliability negotiating patterns behaviours even extending to sanctions concernsppThe latter rarely applies however Trying to impose sanctions on statelinked groups is a game of âwhackamoleâ Cowell says If socalled âthreat actorsâ do appear on sanctions lists they tend to disband and reform in a new guise The risk of putting money albeit indirectly into stateenemy hands is therefore another consideration for firms facing a cyberattackppStill businesses do sometimes decide to pay up It can be rational for their companyâs circumstances and ultimately âitâs always their decisionâ Cowell saysppAs the corporate moral code of paying ransoms matures and decisions not to fund organised crime become more common restoration and recovery services have become a bigger part of the cybersecurity response market Increasingly it is a priority to just get systems back up and running as soon as possible with the forensic analysis of how someone got into a system becoming secondaryppIn recent years the UK governmentâs cyberintelligence role has also shifted significantly The National Cyber Security Centre âover the last four or five years has hugely transformedâ Cowell says The NCSC has caught up with its Nordic equivalents and now proactively reaches out to victims telling them they may be targeted based on intelligenceppâIt was more of an information takerâ asking the likes of SRM for information which they would willingly provide with client consent Cowell saysppâNow they are playing a more robust role getting on the front foot and getting people together to facilitate information sharing We saw the impact of that with the Scattered Spider attacksâ he addsp