Debilitating ransomware attacks struck a host of public and private entities this year, ranging from cities such as Baltimore to a large number of law firms. While those events grabbed headlines for encrypting data and locking entities out of systems, ransomware incidents have "sharply declined" since 2018, the FBI announced last month.

Despite the reported downturn, the FBI's press release still discouraged ransomware payments, noting it motivates hackers to continue targeting entities and payments don't ensure files will be decrypted. But in a real-life scenario, ransomware can paralyze any organization's workflow and easily stir panic that leads to rash decision-making.

To combat this threat, lawyers suggest leveraging outside counsel and a cybersecurity company during ransomware negotiations to serve as an informed intermediary between the hacker. Adams and Reese special counsel Roy Hadley Jr., who also assisted the city of Atlanta in the immediate response and aftermath of 2017's ransomware attack, said deploying a cyber expert and lawyer "takes some of the pressure off the company from making bad or hasty decisions."

Cybersecurity companies know how to obtain cryptocurrency that hackers usually demand, Hadley added. Plus, a ransomware response company will recognize well-known perpetrators and know their track record of providing encryption keys after receiving payments and the likelihood their encryption keys will work.

While law enforcement and an association of U.S. mayors discourage paying ransomware because it emboldens hackers, the decision is ultimately made by the company.

Bill Siegel, CEO and co-founder of ransomware response and recovery company Coveware Inc., noted a negotiation often hinges on if there aren't any backups of the files and if the files are important enough to a company to pay for.

"Time is the only way to signal that you don't really need it and that the business value of the data is actually low," Siegel added.

But when a hacker has encrypted essential data, Siegel said his company leverages an encrypted chat or email platform to negotiate payment with the hacker.

To be sure, impacted companies do have bargaining power while in the throes of a ransomware attack, Hadley noted. For example, if a hacker demands $10 million, the negotiator can counteroffer a smaller amount, stating the company can replace its data and system at a cheaper cost. Hadley likened the back-and-forth to a hostage negotiation, where negotiators "feel where those lines are in that negotiating process."

Still, Hadley warned, "The last thing you want to do here is something that makes the bad actor walk away and not get back the keys if the client isn't able to recover the data on their own."

Similarly, companies can leverage their counsel and outside vendor to agree to incremental payments for keys to decrypt data piecemeal. "That way before you pay the ransomware in full you'll know the purported perpetrator has the key to unlock the system," Hadley said.

He added that "sometimes, ransomware attacks can be purported by anyone on the dark web." In some cases, "they give you keys and they don't work, or they give you keys and the files are corrupted," he said.

After ensuring the keys don't have malware and successfully unlock encrypted data, the company's road to recovery isn't over.

"The bad guy got into your systems; those vulnerabilities are still there," noted Hadley. "Even if you pay the ransom, you have a lot of work to do."

That work includes improving the organization's cybersecurity against similar and alternative cyberattacks and meeting any regulatory requirements, too.

"In addition to an entity's system being shut down, the entity also has to determine if any personal, nonpublic information has been compromised, which would trigger disclosure to infected individuals," said Hill Ward Henderson shareholder and ransomware response counsel Robert Shimberg. "It may trigger disclosure to regulatory agencies."