
New Ransomware Attacks are Getting More Personal as Hackers ‘Apply Psychological Pressure’


Experts warn that desperate ransomware attackers are shifting focus from businesses to individuals, applying “psychological pressure” with personal threats that bring digital extortion into the physical world. In one stunning recent example, Guy Segal and Moty Cristal from ransomware negotiator and incident response firm Sygnia said a threat actor personally called an executive’s mobile phone and referenced sensitive details extracted from the company’s internal system.

“During the call, they referenced personal information, underscoring just how much data an employer may hold on its employees,” Cristal — a tactical negotiator — told TechRepublic. “Ransomware attacks aren’t just about encrypted files; they can become invasive in other ways.”

Ransomware payments decline, but threats escalate

While ransomware has been a problem for decades, global payouts in 2023 surpassed $1 billion for the first time, marking a historic escalation in cyber extortion. Attackers have continuously refined their tactics, finding new ways to extract maximum payments from victims.

New data revealed last month that ransomware payments decreased by 35% in 2024. Experts attribute the decline to successful law enforcement takedowns and improved cyber hygiene globally, which have enabled more victims to refuse payment. In response, attackers are adapting, acting faster to initiate negotiations and developing stealthier, harder-to-detect ransomware strains.


Targeted individuals are often C-level executives or work in legal fields. The stolen personal data can include information about where their children live or go to school or even photos of loved ones. Cristal added that it is “extremely rare” for an attacker actually to act on these physical threats, but the success of the attack only requires the victim to believe they could.

“It can become deeply personal to encourage a knee-jerk reaction from the victim,” he said. Cristal added that about 70% of ransoms do not get paid. The majority of the time, the attacks are not personal.

But when attackers escalate threats by promising to leak sensitive data, they also demonstrate their effectiveness within the cyber crime community—if they do not receive payment, they can sell the valuable data on the black market for a last-minute payday.

The risks of using AI in ransomware negotiations

Modern ransomware attacks are using AI in new ways, with attackers using freely available chatbots to write malware, craft phishing emails, and create deepfake videos to trick individuals out of valuable information or money. As a result, these tools have lowered the barrier to entry for staging a cyber attack. However, the Sygnia ransomware negotiation teams have also witnessed victims trying to use tools like ChatGPT to help them say the right thing to escape their ordeal.

“Typically, AI is not sensitive enough to pick up on human emotion or provide the necessary nuance required to connect with threat actors and defuse the situation, and this is where it can escalate,” Cristal told TechRepublic. It can encourage victims to break the golden rules of not using “negative language” or telling the threat actor outright that they won’t pay the ransom.


Attackers “can be extremely polite, even friendly to begin with,” Sygnia’s Vice President of Corporate Development Guy Segal said. But they may get more “aggressive and threatening” if they don’t get what they want quickly — which would be the case if all hope of payment was extinguished. It is not uncommon for attackers to leave backdoors in malware that let them retaliate with additional encryption, or even by wiping all data, especially if they sense a lack of respect or that they’re being strung along.

Therefore, negotiators try to remain “approachable,” Cristal said.

“Defensive behavior will create a more hostile atmosphere,” he told TechRepublic. Negotiators may be able to steer the conversation to extract more information from the attackers, such as what data they hold, how they breached the system, and the likelihood that they may return or publish data.

“Every threat actor has their motives and life experiences that make them who they are — conversing is important to understand how we approach the situation,” he said. “Do they have enough data to damage the company? Could they cause real-world damage, particularly for critical infrastructure clients, or impact people’s lives? The threat actor may well be happy with a smaller ransom payment than their initial request because they just need the money.”

The debate over banning ransomware payments

In January, the U.K. government announced it was considering banning ransomware payments to make critical industries “unattractive targets for criminals,” reducing the frequency and impact of incidents in the country. The ban would apply to all public sector bodies and critical national infrastructure, which includes NHS trusts, schools, local councils, and data centers.


The Office of Foreign Assets Control has identified several sanctioned ransomware groups linked to Russia or North Korea that U.S. companies and individuals are legally prohibited from paying ransom to.

Segal and Cristal say that ransomware bans are not a straightforward fix, noting that they have seen evidence of attacks increasing and decreasing. While some threat actors may be discouraged, others are forced to raise the stakes with more aggressive or personal threats. Some are driven by data theft or disruption for geopolitical reasons, not money — the ban does not affect them.

But the Sygnia negotiators agree that bans on ransom payments within governments are positive on the whole.

“A blanket decision to never pay ransom is a privilege that governments can afford,” Segal said. “But it is far less applicable in the business sector.”

Indeed, in the documentation outlining the U.K.’s ban proposal, the Home Office acknowledged the potential for the legislation to disproportionately impact small and micro-businesses “which cannot afford specialist ransomware insurance, or clean up specialists.” These businesses will find it harder to recover from any financial losses incurred through operational disruption and the ensuing reputational damage.

Such consequences may encourage some businesses to covertly pay ransoms through third parties or cryptocurrencies to avoid fines. Paying this way also aids the attacker, as they receive the payment anonymously, bypass jurisdictional restrictions, and can continue their operations without fear of being tracked or penalised.

If the business is caught doing this, they will, of course, have to contend with a fine from the government on top of the ransom payment, exacerbating the damage to their operations. On the other hand, if they comply and report the incident to the authorities, it creates an additional administrative burden that disproportionately affects smaller firms.

“This is why there must be more in place to support businesses before they suffer the brunt of a ransomware ban,” Segal said.

Sygnia’s Senior Vice President of Global Cyber Services Amir Becker suggested that if governments impose a ban, they should also:

  • Exempt critical infrastructure and healthcare sectors, as withholding the ransom could result in lives lost.
  • Simultaneously provide incentives for organisations to enhance their cybersecurity posture and incident response capabilities.
  • Provide financial and technical support to help businesses recover from the consequences of not paying a ransom.

“This balanced approach can address the ransomware threat while minimizing collateral damage to businesses and the broader economy,” he told TechRepublic.


