Mark Lance’s phone rings when a company’s data is being held hostage. Often, the perpetrators are demanding a ransom to return sensitive information.
“The largest demand for one of our victims was $70 million,” said Lance, a ransomware negotiator with Virginia-based Guidepoint Security.
If the company fails to pay, the attackers threaten to make its information public.
“The earlier we get engaged, the better,” Lance told The Epoch Times.
“In most circumstances ... a client has already recognized that they’ve been a victim—they’ve been informed via ransom notes,” he said.
“We help people recognize that even if there’s no intent on paying a ransom, there’s a tremendous amount of value in engaging the cybercriminals, because ... you can still do things like delay the inevitable release of their information, which will allow for more time for the forensics and incident response work stream to make sure that they are patched.”
Cyberattacks, usually involving ransomware, are being perpetrated against corporations and state-owned agencies in the United States every day.

That includes the ransom payment itself, the recovery costs, and various indirect costs such as reputational damage.
Lance, who has worked in cybersecurity for 25 years, said that when he is called in at the early stage of an attack, the victim is usually still performing a business impact analysis.
“They’re not necessarily sure what has fully transpired or has occurred within their environment, to know what they potentially need to do as next steps,” he said.
By “environment,” Lance means all the hardware, software, and networks that support an organization’s operating systems.
He said a ransomware negotiator can manage expectations and give the victim an idea of their options.
Lance said he can buy valuable time, and also allow the victim to work with legal counsel to determine what sort of disclosure they are going to have to make to the public, to stockholders, to the Securities and Exchange Commission, and other regulators.
He said the threat actors also have to provide some sort of evidence that they have accessed the victim’s data and will have to provide a file tree, which is a map of directories leading to the files they have accessed.
“We can gather and glean information from those communications that can be shared, that they might not have otherwise. But yeah, the earlier [we are brought in], the better,” Lance said.

He said that at an early stage, he tries to figure out what the client wants from the communication with the ransomware gang and then tries to “develop a strategy around that.”
Lance said the initial strategy might be simply to delay while they find out more about the attack and how serious it is in terms of consequences.
He said the victim might later decide that they are willing to make a ransom payment.
Cyber Ransom Notes
Most often, the ransom note is left as a message on an individual system, according to Lance. The note will usually advise the victim not to try to touch any of the IT systems and to download a Tor browser, go to a website on the darknet, and initiate communications with the ransomware attackers.
“You still have access to the system in most circumstances, but you don’t have access to all of the files on the system, and there’s a ransom note that has essentially popped up that says, ‘hey, you’ve been impacted by this group and this ransomware,’” he said.
“But we have seen outliers where they’re printing out copies of ransom notes on local printers within a corporate environment. We’ve seen where they are emailing the senior leadership and executive team from an internal email address.”
Lance said some ransomware gangs even call on the phone and say, “Hey, have your senior leadership and IT teams reach out to us because you guys have been ransomed, and we haven’t heard from you yet.”
He said ransomware attackers often begin by making absurd demands, and there is usually a haggling process.
“In most circumstances, the initial demand is not where the final ransom amount ends. There are certain groups that we know we’re able to get significant reductions in the ransom amount, from millions of dollars down to hundreds of thousands. There are other groups that will only do slight deviations from the initial ransom demand,” Lance said.

“The big thing is that, if you get them on the hook, where they feel like they’re going to make some sort of monetary gains and value from this, in most circumstances, they’re going to be willing to negotiate because they want to get paid.”
Lance said most of the ransom transactions are carried out in Bitcoin.
‘It’s a Business Decision’
Lance said victims of ransomware attacks have to factor in a lot of things before deciding whether to pay.
He said there had been instances where it was going to take a client two weeks to get access to their backup systems, because they were in cold storage, and it was costing them $1 million per day.
“So over the span of two weeks, that’s $14 million, but they could pay the ransom of $2 million and start recovering after four to five days. And so it was a business decision for them; that was more cost effective,” Lance said.
He said some clients are more worried about data being stolen by threat actors and being put up on the deep web or the dark web.
“These criminal organizations are still retaining that information, even though they’re telling you they’re deleting it,” Lance said. “And so we’ve seen where they’ll pay the ransom strictly for data suppression, to ensure that information isn’t publicly posted.”


71 Active Ransomware Groups

“You’ve got your smaller, less mature, less sophisticated groups, which are more into your smash-and-grabs and making volume-based, or frequency-based, monetary gain,” Lance said.
“Then you’ve got the ... whale hunters. They’re the more developed groups that are asking for $10 million per ransomware engagement.”
The Guidepoint report notes that the “ransomware ecosystem continues to normalize despite the departures of old and new ‘leaders,’ including LockBit and AlphV in 2024 and, more recently, RansomHub in 2025.”
“In their stead, longstanding but previously ‘second tier’ RaaS [Ransomware-as-a-service] groups, including Qilin, Akira, and Play, have become the most benefitting from the absorption of experienced displaced affiliates,” the report reads.
Lance said all cyberattack groups have an affiliate system, where they offer ransomware as a service to their affiliates but expect them to follow certain rules and work to a certain standard.
He said ransomware groups are heavily reputation-based, and they knew that if they promised to delete data after the payment of a ransom, and then it appeared on a data leak site, it would affect their reputation.
“These cybercriminal organizations have a brand and a reputation to uphold,” Lance said. “So say, somebody pays Akira, and Akira doesn’t get them access to decryption tools that work successfully or, for some reason, they still leak them on their data leak site.
“Well, then they have the reputation of ‘don’t pay Akira because they don’t do what they say after you pay them anyway.’ So they get this negative reputation, and all of a sudden, people are stopping paying Akira, and then, guess what. That’s bad business. They’re not monetizing their efforts.”
Most ransomware groups are located in Eastern Europe, according to Lance.
“There are exceptions to that rule ... but the majority of the groups are there,” he said.













