Are ransomware gangs getting too greedy?

How much would you pay to prevent your company’s reputation being trashed by a data leak? If reports are accurate, the Royal Mail has baulked at paying the oddly precise £65.7m demanded by the LockBit hacking group that allegedly encrypted the company’s data. Are the ransomware gangs getting too greedy?

That companies big and small regularly pay off criminals to free their data is well known. Big firms won’t usually disclose how much they’ve paid, or that they’ve even paid a ransom at all – ransoms are often negotiated and paid through third-party security companies, who are then paid in turn for their services.

The ransomware attack on the Royal Mail has already been hugely damaging for the company. International deliveries were suspended entirely for weeks and still remain disrupted.

Logs leaked by the LockBit group, as reported in the Financial Times, appear to show that the Royal Mail was negotiating with the hackers, but that the company’s board refused to meet the high price being demanded.

That unusually specific £65.7m figure wasn’t plucked out of thin air. The hackers calculated it was 0.5% of the company’s annual revenues, a point that the hackers made during the leaked negotiations.

The Royal Mail, however, decided to play hardball. “Under no circumstances will we pay you the absurd amount of money you have demanded,” the Royal Mail’s negotiator told the hackers, according to the FT report. “This is an amount that could never be taken seriously by our board.”

Ending the payment cycle

If – and it remains a big if – companies are baulking at the inflated demands of ransomware groups, it would likely be a good thing. The ransomware model only works if enough victims are willing to pay up, and some experts have long argued that paying ransoms should be made illegal to thwart the trade.

However, security experts point out it’s a high-risk strategy when you refuse to meet the ransomware writers’ demands. “Ransom negotiations are extremely difficult as both sides have game plans and ulterior motives,” said Jake Moore, global cybersecurity advisor at ESET.

“Victim organisations are desperately looking to extend the timeframe before payments are demanded, whilst criminal groups aim to find the sweet spot in which a ransom amount is viable. However, as both sides often know how the other thinks, it can be a dangerous game to play on very thin ice. Without wanting to see any information released onto the dark web, simply negotiating can upset attackers into releasing stolen data.”

However, even if the ransomware model collapses, Moore fears the criminals will simply find another way to extort companies with their own data. “By not paying a ransom it has the power to overthrow the legacy threat of ransomware, by forcing attackers to target more specifically within organisations and carry on threatening the leaking of data rather than encrypting it,” he said.

More security content

Avatar photo
Barry Collins

Barry has 20 years of experience working on national newspapers, websites and magazines. He was editor of PC Pro and is co-editor and co-owner of He has published a number of articles on TechFinitive covering data, innovation and cybersecurity.