The Business of Ransomware: How Modern Attacks Are Planned and Negotiated

Ransomware has outgrown the stereotype of lone hackers operating from basements. Today, ransomware is a highly organized, profitable, and disturbingly professional industry. It operates like a business, complete with affiliate-style ecosystems, negotiation playbooks, and even “tech support” when decryptor tools don’t work properly. If that sounds unbelievable, it should not, because ransomware groups have evolved faster than most organizations’ defenses.

In this episode of the Cybersecurity Podcast by EC-Council, host Jay Bavisi interviews Kurtis Minder, a ransomware negotiator and threat actor researcher who works with Fortune 500 companies facing ransom demands. His insights make one thing clear: ransomware is not just malware. It is an underground economy built on planning, psychology, and leverage.

This blog post breaks down the business of ransomware, how attacks are structured, why negotiations matter, and what organizations must do to survive in this new era of cybercrime.

Ransomware Has Become a Criminal Business Model

Ransomware groups today are not disorganized gangs. They are structured organizations that function at scale. According to Kurtis, many of these groups have ranks, quotas, bonuses, training manuals, and even “middle management.” That means when a company is attacked, it is not dealing with an opportunistic criminal; it is dealing with professional adversaries who know exactly what they are doing.

The ransomware ecosystem has matured into what many call Ransomware-as-a-Service (RaaS). In this model, the developers build the tools, while affiliates carry out the attacks. Everyone takes a cut of the profits, similar to a franchise system. This dramatically lowers the barrier to entry. You no longer need deep hacking expertise, just access to the platform, Tor, and cryptocurrency.

Even more alarming is the automation. Modern ransomware platforms can encrypt files, exfiltrate sensitive data, generate ransom notes, and execute double-extortion strategies with minimal human involvement. In many cases, it is literally “push-button ransomware,” where criminals launch full-scale disruption the way a company would roll out a product deployment.

This is why ransomware continues to grow: it is scalable, repeatable, and profitable. Criminals have turned ransomware into a streamlined industry, yet many companies are still defending themselves with a 2015 playbook.

How Ransomware Attacks Are Planned Before the Encryption Starts

One of the most misunderstood parts of ransomware is that critical decisions start before you ever message the threat actor. By the time a ransom note appears, attackers have often spent days or weeks inside the network. They have already mapped systems, stolen credentials, identified backups, and located the most valuable data.

Kurtis explains that ransomware groups frequently purchase access through Initial Access Brokers. These brokers specialize in breaking into organizations through vulnerabilities, stolen credentials, or phishing. They then sell that access to ransomware operators. This division of labor makes attacks faster and more industrialized.

Attackers also rely heavily on business intelligence. They do not choose ransom amounts randomly. They research victims using tools like ZoomInfo, financial documents stolen during exfiltration, and public revenue estimates. Their demand is often calculated as a percentage of perceived ability to pay. In other words, ransomware pricing is strategic.

The underground has also embraced AI and deepfake technology. Jay highlights how North Korean operatives are using AI-driven identity fraud to land remote jobs in U.S. companies, gaining insider access and generating revenue. This shows that ransomware is no longer just a technical threat; it is tied to geopolitical strategy and modern deception.

The planning phase is where ransomware becomes the most dangerous. Organizations that only focus on encryption response are already too late. Prevention must happen upstream: credential security, monitoring, and rapid containment.

The Negotiation Phase: Psychology, Ethics, and Survival

When ransomware strikes, negotiation becomes one of the most emotionally charged and strategically complex stages. Kurtis emphasizes that the decision to even engage with attackers is pivotal. Simply responding to a ransom note puts you “on the radar,” signaling that you are paying attention, and potentially willing to pay.

Negotiations typically last around two weeks. During that time, businesses may be partially crippled, losing revenue, operational capability, and trust. Large enterprises often have disaster recovery resources to restore some functions, but even then, the costs can reach millions.

Kurtis notes that professional negotiators do not start with aggressive lowball offers. Instead, they work to understand how attackers justified the demand, while continuously signaling intent to transact. The goal is to reduce the ransom while keeping attackers cooperative. It is a careful balance of leverage, empathy, and strategic communication.

The ethical dilemma is unavoidable. Paying ransom fuels the criminal economy. But refusing to pay may mean bankruptcy, massive layoffs, or even loss of life in cases involving hospitals. Kurtis describes a case involving a breast cancer charity where attackers reduced the demand to $5,000, claiming that was simply their “cost of goods.” That moment reveals the chilling truth: ransomware groups see victims as transactions.

Kurtis argues that banning ransom payments outright may backfire, pushing payments underground. Instead, governments and industries should invest in prevention and recovery support, especially for small and mid-sized businesses that live below the “cyber poverty line.”

Ultimately, ransomware negotiation is not just about money. It is about time, survival, reputation, and values.

About the Author

Alexander Reimer

Certified Ethical Hacker (CEH)

Alexander Reimer is a Certified Ethical Hacker (CEH), AI red team specialist, and technical writer at EC-Council. He has led red-teaming projects at Meta Superintelligence Labs, evaluated LLM models at Microsoft, and conducted adversarial testing and AI-driven annotation at Google. Alexander brings a multilingual perspective to cybersecurity, having supported global NLP, red teaming, and prompt engineering efforts across multiple high-profile platforms.

He also serves as a mentor at Udacity for the German and U.S. markets, volunteers as a mentor at ADPList, and contributes regularly to AI security research, training, and community education efforts. Alexander actively supports global knowledge access through Translators without Borders and has translated courses in cybersecurity, AI, and data science for TEDx, Coursera, and Khan Academy.

With a background in IT management, business psychology, and cybersecurity, his current focus is on the intersection of responsible generative AI and cybersecurity.
