‘Why should we pay these criminals?’: the hidden world of ransomware negotiations


They call it “stopping the bleeding”: the vital window to prevent an entire database from being ransacked by criminals or a production line grinding to a halt. When a call comes into the cybersecurity firm S-RM, headquartered on Whitechapel High Street in east London, a hacked business or institution may have just minutes to protect themselves. S-RM, which helped a high-profile retail client recover from a Scattered Spider cyber-attack, has become a quiet, often word-of-mouth, success. Many of the company’s senior workers are multilingual and have a minimal online footprint, which reveals scant but impressive CVs suggestive of corporate or government intelligence-based careers. S-RM now claims the UK’s largest cyber-incident response team.

Its first-responder service is comprised of about 150 experts worldwide. It has clients who keep it on retainer, victims referred by insurers, and “walk-ins”: people who suddenly realise their business is under attack and call the first few results on their search engines. In the case of the Scattered Spider victim, which the Guardian understands was not Marks & Spencer or the Co-op – two retailers that were attacked in 2025 – a 30-minute Teams call with a retailer became “a 24-hour call with a rotating cast of experts”, says Ted Cowell, the director of S-RM’s cyber business arm. “On average we’re getting back to clients within six minutes. Which is critical because often the first hours of a cyber incident can be the biggest chance window to determine the outcome of a case and its impact,” he says.

“What can start as a network intrusion can then metastasise into a full-blown malware or ransomware scenario.” Cowell, a Cambridge-educated Russian speaker, says that getting a handle on the attack during a “reconnaissance” period can result in a radically different outcome, compared with a slow response. Criminals often need time after their first penetration of a business’s systems to work out what is of most value. This short spell of time can therefore allow experts to prevent the most operationally painful of attacks. “Exfiltration” – the theft of critical data – and encryption, whereby businesses can be locked out of their own systems, can be the most damaging.

“Sometimes we can stop it from going boom,” Cowell says. Teams focus on “stopping the bleeding” by limiting or cutting the attacker’s access to systems. This is what S-RM’s team was able to do with the Scattered Spider victim: stopping the detonation of malware across systems. Business is good as the cybercrime industry grows, but that comes with ethical challenges. S-RM and its industry peers have faced criticism for helping to facilitate the payment of ransoms to criminals who hijack businesses for money.

“Extortion support” is an important part of S-RM’s work. This means its specialists are in the room when ransoms are negotiated, sometimes doing the negotiation itself on behalf of a client. Cowell appears keen to avoid criticisms of feeding organised crime by helping businesses to pay ransoms, or by acting for insurers that sell policies covering ransom payments. “We’re instructed by the policyholder, by the insured,” he says. “Our ambition is to guide ‘no payment’ decisions wherever and whenever possible,” he continues, adding that businesses are increasingly taking that approach and not paying ransoms.

“Our role is to facilitate strategic thinking,” he says. “Give clients some structure to order their thoughts. They’ve probably not been in a situation like this before. The businesses’ decision as to what they do is their own. We just offer the template of a crisis, how things play out based on our experience.”

“Why should we pay these criminals?” is a challenge Cowell says his team puts to top staff at affected businesses. “One of the things that we often educate boards on is that ransomware is an organised criminal enterprise.” These nefarious groups have, he explains, “brands to uphold”. Established ransomware groups, typically speaking, will honour a settlement. S-RM also has an increasingly detailed picture of how these groups have behaved in previous negotiations.

The more established the group, the more likely they are to honour whatever settlement is agreed either by deleting stolen data or providing keys to decrypt critical files. S-RM offers a rundown of who’s who in terms of reliability, negotiating patterns, behaviours, even extending to sanctions concerns. The latter rarely applies, however. Trying to impose sanctions on state-linked groups is a game of “whack-a-mole”, Cowell says. If so-called “threat actors” do appear on sanctions lists they tend to disband and reform in a new guise.

The risk of putting money, albeit indirectly, into state-enemy hands is therefore another consideration for firms facing a cyber-attack. Still, businesses do sometimes decide to pay up. It can be rational for their company’s circumstances, and ultimately “it’s always their decision”, Cowell says. As the corporate moral code of paying ransoms matures, and decisions not to fund organised crime become more common, restoration and recovery services have become a bigger part of the cybersecurity response market. Increasingly it is a priority to just get systems back up and running as soon as possible with the forensic analysis of how someone got into a system becoming secondary.

In recent years, the UK government’s cyber-intelligence role has also shifted significantly. The National Cyber Security Centre “over the last four or five years has hugely transformed”, Cowell says. The NCSC has caught up with its Nordic equivalents and now proactively reaches out to victims, telling them they may be targeted based on intelligence. “It was more of an information taker,” asking the likes of S-RM for information, which they would willingly provide with client consent, Cowell says. “[Now] they are playing a more robust role, getting on the front foot and getting people together to facilitate information sharing. We saw the impact of that with the Scattered Spider attacks,” he adds.