The first time that Kurtis Minder negotiated a ransomware payment, he managed to talk the hacker down from around US$2-million to a figure in the low six digits.
The negotiation was going so well that Mr. Minder was convinced he could save his client, a publicly traded software company, even more money.
“I had gotten so confident, probably overconfident, that when the insurance company said, ‘Hey, this is low enough, let’s sign a deal,’ I was saying, ‘No wait, I can get them to five figures,’” says Mr. Minder, author of the newly released book Cyber Recon: My Life in Cyber Espionage and Ransomware Negotiation.
“And they’re like, ‘No, no, we need to move forward.’ But I was getting so confident in my ability to negotiate with this guy, I wanted to keep going and they made me stop.”
Ransomware payments have grown in the roughly six years since, recently hitting what NetDiligence characterized in its latest annual report as “new and unprecedented levels.”

Companies forked over payments as large as US$75-million to hackers, whose initial demands were as high as US$150-million, according to the report, which analyzed cyber insurance claims for incidents between 2020 and 2024. There were 50 ransoms paid at or above the US$10-million mark, NetDiligence said.
In total, global ransomware damages are expected to reach US$57-billion annually this year, according to Cybersecurity Ventures, a research and publishing company focused on the global cyber economy.
It isn’t only cybercriminals who stand to profit from ransomware, which is fuelling the growth of a cottage industry focused on assisting companies caught in the crosshairs of increasingly sophisticated cabals of hackers. There are breach coaches at law firms to guide victims through the process, insurance companies to cover the ransom payments, incident response firms to help companies recover from attacks and ransom negotiators to talk hackers down to a more reasonable fee.
At least half a dozen companies offer ransomware negotiation and payment as a service in Canada. Some, such as CyberSteward Inc., are based in Canada, while others, such as Coveware Inc. and Quorum Cyber, are international firms that sell services to Canadian clients. Still other companies offer negotiation services but aren’t registered to facilitate the transfer of cryptocurrency to hackers.
However, recent accusations by U.S. prosecutors against two ransomware negotiators raise questions about how much companies really know about the professionals who negotiate with criminals on the dark web on their behalf – and whether organizations should be paying ransoms at all.
Charles Finlay, executive director of Rogers Cybersecure Catalyst at Toronto Metropolitan University, says the negotiation process can seem opaque to the clients whose networks have been compromised.
“You’re relying on the stated expertise of ransomware negotiators who are negotiating with a counterparty that has no legitimacy or, frankly … no obligation to fulfill their terms of the agreement, in a legal sense, anyway,” Mr. Finlay says.
“From a client perspective, it’s a very murky world, but these clients are desperate … In many cases, they stand to lose their company.”
Mr. Minder, who lives in Grand Junction, Colo., didn’t set out to be a ransomware negotiator. Such a position didn’t even exist when he landed his first tech job at CenCom Internet, one of the earliest dial-up internet service providers in central Illinois. His first engagement with a threat actor occurred when he caught his recently fired boss lurking in the company’s systems, Mr. Minder wrote in Cyber Recon.
In a ransomware attack, hackers infiltrate an organization’s network, steal and encrypt its data and demand a ransom, to be paid via cryptocurrency, in exchange for providing the decryption key. Typically, the hackers vow to delete their copy of the stolen data if the ransom is paid, or to publish it on the dark web if it isn’t. The victim has no way to verify that either promise is kept.
The earliest perpetrators of ransomware attacks mailed floppy disks to their targets. When the victims inserted the disks into their computers, a malicious program would lock their files. Collecting payment was cumbersome; in a 1989 incident widely considered to be the first instance of ransomware, the attacker demanded that payment be mailed to a post office box in Panama.
Since then, increasing connectivity and the advent of virtual currencies such as bitcoin have fuelled a massive illicit industry that has become increasingly commodified over the years. Many ransomware gangs operate on an affiliate model, leasing their tools in exchange for a share of the profits, a business structure referred to as ransomware-as-a-service.
An attacker could purchase access to a compromised organization from one party, then deploy malware created by a separate person or entity. After successfully extorting the victim, the perpetrator can employ a money mule service to launder the proceeds, said Adam Evans, chief information security officer at Royal Bank of Canada.
“That’s given them scalability, and it’s allowed them to really reduce the barriers of entry into criminal behaviour,” says Mr. Evans.

As the illicit ransomware economy has grown, so too has the corresponding cybersecurity industry, which hit US$301.91-billion in 2025, according to Precedence Research, an Ottawa-based market research and consulting firm.
Most large law firms now have a cybersecurity practice that includes breach coaches, Mr. Finlay says. “This is one of the fastest growing areas of law, and it’s incredibly lucrative for the lawyers.”
GroupSense, the company that Mr. Minder co-founded in 2014 and sold earlier this year, started out in the business of cyberespionage – lurking on the dark web under fictitious identities known as “sock puppets” to gather intel on bad actors.
Sometimes that involved communicating with a threat actor directly, for instance to help a client figure out how its network had become compromised or what data had been stolen.
“We built a reputation as the people who can talk to bad guys,” Mr. Minder says.
That’s why, near the start of the COVID-19 pandemic, Mr. Minder was approached by an executive at a software company that needed help negotiating a ransom. Initially, he declined.
“I said, ‘No, you don’t understand. When we talk to bad guys, we’re not sitting at a negotiation table with them – they think we’re other bad guys,’” Mr. Minder says.
But after getting ghosted by the consultant he’d brought in, Mr. Minder relented and agreed to conduct the negotiation. He discovered that he had a knack for the work, and more engagements followed.
What made Mr. Minder effective was his ability to get inside the perpetrators’ heads.
“A lot of it’s just psychology,” he says, adding, “You’re dealing with human beings, and I think a lot of people forget that.”

The key, Mr. Minder explains, is to avoid entering into positional bargaining – a process in which each party throws out a number until they eventually meet somewhere in the middle – for as long as possible.
“If you start there, you’re going to pay a lot more,” he says.
Instead, Mr. Minder will typically challenge the threat actor to justify how they came up with their demand. He’s usually able to convince the attacker to lower their ask once or even twice before countering, he says.
For instance, when an attacker once falsely claimed to have seen his client’s financials, Mr. Minder wrote back: “With due respect, perhaps you have your files mixed up. If you had looked at our financials, you would never have asked for such an unreasonable number.”
Sometimes negotiators can go rogue, as a continuing legal case suggests. Earlier this year, Kevin Martin, a Texas resident working as a negotiator, was indicted in an alleged ransomware scheme. Mr. Martin allegedly conspired with another, unnamed negotiator employed at the same firm, according to a Federal Bureau of Investigation affidavit filed in September.
A third alleged co-conspirator, Ryan Goldberg, was employed as a director of incident response at Sygnia Cybersecurity Services. (Sygnia said in a statement that it terminated Mr. Goldberg as soon as it learned of the situation, and that it is working closely with the FBI.)
The three men are accused of conducting ransomware attacks against a medical device company, a doctor’s office, a pharmaceutical company, an engineering firm and a drone manufacturer, successfully extorting US$1.27-million from one of the victims, according to U.S. court documents. None of the allegations have been proven in court.
Mr. Martin’s lawyer declined to comment, while Mr. Goldberg could not be reached.
Although the court documents don’t name the firm that employed the negotiators, Kevin Martin is listed as one of the speakers at the 2024 Technology Law Conference in Austin, Tex. At the time, he worked for Chicago-based DigitalMint Cyber, according to the event program.
Marc Jason Grens, DigitalMint’s co-founder and president, said the company is co-operating as a witness in the continuing investigation.
“Our business remains strong and we continue to be a trusted partner for organizations navigating critical security incidents. We are also happy that major law firms and carriers continue to trust us to achieve the best results in these incidents,” Mr. Grens said in a statement.
Some people argue that the only way to put an end to ransomware attacks is to cut off the industry’s lifeblood: money.
Law enforcement agencies around the world, including the RCMP, advise against making ransomware payments.
“We do not recommend people pay,” said Chris Lynam, Director General of the RCMP’s National Cybercrime Coordination Centre and the Canadian Anti-Fraud Centre. For one thing, there’s no guarantee that the criminal on the other side of the transaction will uphold their end of the bargain, he says.
Generally, it’s in the threat actor’s best interests to abide by the conditions of the payment. Otherwise, nobody will pay them, said Mr. Finlay.
Still, incidents of re-extortion, in which attackers later return and demand more money, have become increasingly common, experts say.
And ransomware payments fuel the criminal ecosystem, allowing perpetrators to reinvest the profits into their operations.
“We saw a lot of that with that LockBit group … where they kept evolving,” says Mr. Lynam. “There was LockBit 1, 2, 3, because it was so lucrative. They were able to make their malware better.”
Although companies have a legal obligation to ensure that they’re not paying a sanctioned entity, sanctions checks are not foolproof.
“There’s limited information. It can be imperfect,” says Corey Omer, a partner at Davies Ward Phillips & Vineberg LLP.
The British government is planning to ban operators of critical infrastructure from paying ransoms, a move that some critics caution could leave victims in a bind.
“I think that is misunderstanding who the bad actor is here,” says Mr. Finlay. “The bad actors are the criminals who are attacking these companies, not the companies who are then potentially having to pay the ransoms. We should be focusing on providing resources for law enforcement so that they can go after these ransomware gangs, not trying to further punish or diminish the options of victims of these attacks.”
Some corporate leaders may feel obligated to pay a ransom if doing so would provide the fastest and most cost-efficient path to getting their business back up and running.

In some instances, it can even be a matter of life and death. Take, for instance, a hospital without the staff to rebuild critical systems, a process that can take weeks, according to Terry Cutler, the chief executive officer of Quebec-based cybersecurity firm Cyology Labs Inc.
“There’s no way the system can be offline for weeks, so they’re forced to make this payment,” Mr. Cutler said.
David Shipley, the CEO of cybersecurity software firm Beauceron Security Inc., said the key for regulators is to move slowly.
“You don’t do it immediately. You’ve got to phase this out,” he says.
As a first step, companies could be required to register ransom payments with a federal government agency, he suggests, before eventually making those payments subject to a review.
The third and final phase is to cut the money off entirely.
“Then we are closed for business for digital extortion,” Mr. Shipley says. “That’s how you dig yourself out of this mess.”
