“The highest ransom demand was USD 15 million”
Cyberattacks are now professionally organized and have long since evolved into a global business model. In an interview with Florian Weyand from WirtschaftsWoche, Oliver Schneider, Managing Partner of RiskWorkers and Kidnap Response Consultant, discusses his experience from real-life ransomware cases. He provides insights into the structures behind the attacks, how negotiations unfold, and the challenges companies face in a crisis.
Cybercrime Operates Like a Franchise System
Many major ransomware attacks are not carried out by individual perpetrators, but by professionally organized networks. Oliver Schneider describes the model as “Ransomware as a Service”: A central organization provides the infrastructure, malware, and platform. The actual attackers operate like franchisees under the name of the respective ransomware group and receive a share of the proceeds. The perpetrators themselves are located all over the world – from Eastern Europe and West Africa to South America.
The Actual Attack Begins Long Before the Extortion
In many cases, the attackers initially gain access to the company network using stolen login credentials. They often remain undetected in the network for weeks or even months, analyze the infrastructure, search for backups, and copy sensitive data. Only once they have achieved their objectives do they encrypt the systems and leave their ransom demand.
There Is Often a Vast Gap Between the Demand and the Final Settlement
The amount demanded is based on the size and financial capacity of the company. The smallest payment Oliver Schneider has handled to date was USD 8,000, while the highest demand was USD 15 million. In practice, a settlement often amounts to between 10 and no more than 50 percent of the original demand, depending on the specific circumstances and the time pressure facing the company.
Cybercriminals Also Depend on Their Reputation
Although there are no guarantees, trust and reputation also play a role in the world of cybercrime. Professional ransomware groups depend on their business model continuing to function. The group involved is therefore carefully assessed before negotiations begin. According to Oliver Schneider’s experience, every case he has handled to date has resulted in a functioning decryptor and the stolen information not being published.
The full German article is available from WirtschaftsWoche (subscription required).
We support companies in preparing for cyberattacks and, in a crisis, in managing ransomware incidents in a structured manner – from the initial situation assessment through to negotiations. Further information and answers to frequently asked questions about ransomware and cyber extortion are available here.