Ransomware Payment and Negotiation in Singapore: What Your Legal Team Needs to Know

A Singapore-based logistics company was hit by a ransomware attack on a Monday morning. Within four hours, every file server, the ERP system, and the customer tracking portal were encrypted. The attacker demanded 15 Bitcoin, with a 72-hour deadline before the decryption key would be destroyed. The CEO asked the IT team and the legal counsel the same question: what are our options?

Most organisations are not prepared for that conversation. Ransomware incident response plans typically cover detection, containment, and recovery — but they rarely address the negotiation process, the legal obligations around payment, or the complex questions that arise when an attacker presents a deadline and your recovery timeline is measured in days, not hours.

In Singapore, the question of whether to pay is not purely a business decision. The Cybersecurity Act 2018, as amended by the Cybersecurity (Amendment) Act 2024, places specific restrictions on ransomware payments, and CII operators face direct prohibitions for certain threat categories. For all other organisations, payment remains legal under Singapore law, but it is never simple, never without consequence, and never free of legal and reputational risk.

CII Operator Alert: Under the Cybersecurity Act 2018 (as amended in 2024) and its associated regulations, Critical Information Infrastructure operators face prohibitions on paying ransom demands where the threat has been designated as a Critical Technology Disruption (CTD) threat by the Commissioner of Cybersecurity. Before engaging in any negotiation or payment discussion, CII operators must confirm the applicable restrictions with their legal counsel and, where required, notify CSA within the incident reporting timelines that apply to CII owners. Non-compliance can result in regulatory penalties and personal liability for officers.

Why Singapore Companies End Up in Ransomware Negotiations

The decision to negotiate almost always follows a common sequence: the backup restoration has failed or is incomplete, the downtime cost is accelerating, and the business case for paying starts to look compelling relative to the cost of prolonged outage. Singapore organisations in this situation include mid-sized enterprises, family-owned businesses, and even government-linked companies that have underestimated the complexity of restoring from backups when those backups are themselves encrypted or compromised.

The negotiation phase begins when the attacker makes contact — typically through a note left on encrypted systems, an email sent to executives, or a message through a dark web portal that the ransomware group operates. At this point, the organisation is operating under extreme pressure, with a ticking clock, incomplete information, and a clear asymmetry in negotiating experience.

Engaging a professional ransomware negotiator before responding to the attacker is one of the most cost-effective decisions an organisation can make. Professional negotiators — typically incident response firms with specific experience in ransomware negotiations — understand attacker psychology, know the discount patterns of the major groups, can often say whether a given group has a track record of delivering working decryptors, and can buy time without committing to payment. They also serve as a buffer between the emotional pressure inside the organisation and the calculated demands coming from the threat actor, and they keep every message to the attacker consistent, since a contradiction between two replies is leverage the attacker will use.

The Singapore Legal Framework Around Ransomware Payment

Singapore does not have a general legal prohibition on ransomware payments for private sector organisations. However, the Monetary Authority of Singapore (MAS) has issued guidance discouraging financial institutions from paying ransom, noting that payment funds future attacks and may constitute a violation of technology risk management obligations. MAS-regulated entities that pay ransomware demands may face regulatory scrutiny as part of their technology risk management assessments.

More significantly, the 2024 amendments introduced restrictions for CII operators around ransomware payment. Where a ransomware attack involves or targets a CTD-classified threat — meaning a threat to the critical technology infrastructure of a CII sector — the operator is prohibited from paying the ransom. This prohibition is absolute, and attempts to structure payments through intermediaries (a negotiator, a cyber insurer, an overseas affiliate) to circumvent this restriction would likely constitute a separate offence.

For all other organisations in Singapore, the position is: ransomware payment is not unlawful, but it does attract legal obligations. If the attack involves personal data under PDPA obligations, the data breach notification requirements apply regardless of whether payment is made. A breach is notifiable if it results, or is likely to result, in significant harm to affected individuals, or if it affects 500 or more individuals. The organisation must assess whether the breach is notifiable without undue delay (the PDPC expects that assessment to be completed within 30 calendar days of becoming aware of the breach), and once it determines that the breach is notifiable it must notify the PDPC within three calendar days of that determination and notify affected individuals where significant harm is likely. Paying the ransom does not discharge any of those obligations, and an attacker's promise to delete stolen data does not make a breach non-notifiable.

How Ransomware Negotiations Actually Work

The standard negotiation timeline follows a predictable pattern. In the first 24 to 48 hours, the attacker's opening demand reflects the value they believe the target places on the encrypted data and the speed of their recovery requirement. This figure is almost always inflated — typically by 30 to 50 percent above what they expect to receive. The demand is calibrated to trigger panic, not to represent a realistic offer.

A professional negotiator will respond by demonstrating operational constraints — the organisation's inability to rapidly acquire cryptocurrency, legal restrictions on payment, or the existence of viable backups — without revealing specific details that the attacker could use to calibrate their leverage. The goal in the first round is to reduce the demand and buy time for recovery options to be assessed.

The second phase involves technical verification. Sophisticated ransomware groups will decrypt a small number of files free of charge to demonstrate that their decryption key works. Insist on this step regardless of whether the organisation intends to pay, and choose the sample files yourself: files the attacker selects prove very little, whereas a handful of defender-chosen files of different types and non-trivial size, compared against known-good copies from backups or mailboxes, is a meaningful test. Never run a decryptor supplied by the attacker on production systems; test it on an isolated host, and take forensic images of affected systems before any decryption or rebuild so the intrusion can still be investigated. If the organisation is considering payment, it should also demand evidence of what data was exfiltrated and when, such as a file listing or sample documents. Treat the attacker's statements as claims to be checked against the organisation's own logs and forensic findings, because that assessment, not the attacker's word, drives the PDPA breach notification decision.
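The sample-decryption check above is worth doing methodically rather than by eye. The following is an added example, not code from the original article or from any negotiation firm. It assumes the defender has independent copies (or at least SHA-256 hashes) of a few files, selects samples of different types and non-trivial size to hand over, and then compares what the attacker sends back against those hashes, flagging three failure modes: a sample that was not returned, a sample returned unchanged (still ciphertext), and a sample that looks plausible but does not match the original. The toy XOR "encryption" and the file contents are constructed stand-ins for demonstration only.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """One file offered to the attacker for free test decryption."""
    name: str
    encrypted: bytes        # contents as found on the encrypted host
    known_good_sha256: str  # hash of an independent copy (backup, mailbox, supplier portal)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def choose_samples(candidates, min_size=1024, max_samples=5):
    """Defender-chosen samples: largest first, distinct extensions, above a
    minimum size, so a decryptor tuned for one trivial file cannot pass."""
    chosen, seen_ext = [], set()
    for s in sorted(candidates, key=lambda s: len(s.encrypted), reverse=True):
        ext = s.name.rsplit(".", 1)[-1].lower() if "." in s.name else ""
        if len(s.encrypted) < min_size or ext in seen_ext:
            continue
        seen_ext.add(ext)
        chosen.append(s)
        if len(chosen) == max_samples:
            break
    return chosen


def verify_decryption(samples, returned):
    """Compare what the attacker sent back with the independent known-good hashes.

    returned: dict name -> bytes as received from the attacker.
    Result:   dict name -> 'ok' | 'missing' | 'unchanged' | 'mismatch'.
    """
    results = {}
    for s in samples:
        data = returned.get(s.name)
        if data is None:
            results[s.name] = "missing"       # they skipped this one
        elif data == s.encrypted:
            results[s.name] = "unchanged"     # our own ciphertext sent straight back
        elif sha256_hex(data) == s.known_good_sha256:
            results[s.name] = "ok"            # byte-for-byte the original
        else:
            results[s.name] = "mismatch"      # plausible-looking, but not the original
    return results


def decryptor_is_credible(results):
    """Only an all-'ok' result is evidence that the key works."""
    return bool(results) and all(v == "ok" for v in results.values())


# --- constructed demonstration data (not real files or a real cipher) ---

def toy_encrypt(data: bytes) -> bytes:
    """Stand-in for the ransomware cipher; XOR with a fixed byte."""
    return bytes(b ^ 0x5A for b in data)


_ORIGINALS = {
    "ledger.xlsx":   b"SKU,qty,price\n" * 300,   # ~4.2 KB
    "ledger2.xlsx":  b"SKU,qty,price\n" * 220,   # same extension as above, skipped
    "contract.pdf":  b"%PDF clause text\n" * 130,
    "shipments.csv": b"id,dest\n" * 200,
    "notes.txt":     b"todo\n" * 10,             # too small to be a useful sample
}

DEMO_CANDIDATES = [
    Sample(name, toy_encrypt(content), sha256_hex(content))
    for name, content in _ORIGINALS.items()
]

DEMO_CHOSEN = choose_samples(DEMO_CANDIDATES)

# What a not-quite-honest attacker might send back for the three chosen samples:
DEMO_RETURNED = {
    "ledger.xlsx":   _ORIGINALS["ledger.xlsx"],                  # genuinely decrypted
    "contract.pdf":  toy_encrypt(_ORIGINALS["contract.pdf"]),    # still ciphertext
    "shipments.csv": _ORIGINALS["shipments.csv"][:-1] + b"X",    # corrupted last byte
}

DEMO_RESULTS = verify_decryption(DEMO_CHOSEN, DEMO_RETURNED)

if __name__ == "__main__":
    for name, status in DEMO_RESULTS.items():
        print(f"{name:15s} {status}")
    print("credible:", decryptor_is_credible(DEMO_RESULTS))
```

A single "unchanged" or "mismatch" result is enough to refuse to proceed until the attacker produces a clean set, and the comparison relies entirely on hashes the defender already holds, so nothing the attacker says about the files enters the decision.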

The final phase involves price negotiation. Ransomware groups have established discount schedules. First-time buyers who signal that they intend to pay but need the price reduced typically receive a 20 to 30 percent reduction without significant additional pressure. Demonstrating inability to pay — backed by a formal legal opinion if available — can produce further reductions. However, professional negotiators counsel strongly against any commitments of payment before the organisation's board has formally authorised the expenditure and the legal and regulatory implications have been assessed.

What Singapore Companies Must Do Before a Ransomware Decision

The negotiation decision should never be made in isolation during an active incident. Every Singapore organisation should have a pre-established ransomware response position — agreed at board level before an attack occurs — that addresses the following:

  • Insurance coverage review: Does your cyber insurance policy cover ransomware payments? Many policies exclude payment for CII-designated sectors or for attacks by designated threat groups. Confirm the coverage position before an incident, not during one.
  • Regulatory obligation assessment: If you are a CII operator, MAS-regulated entity, or a company processing significant volumes of personal data under PDPA, understand your regulatory obligations before engaging with attackers about payment. CSA incident reporting timelines for CII owners and PDPC breach notification timelines run from the incident, not from the outcome of negotiations, and engaging in payment discussions does not pause them.
  • Cryptocurrency access: Ransomware payments are made in cryptocurrency — typically Bitcoin or, increasingly, Monero for its privacy properties. Acquiring the required amount can take days and will usually involve a licensed digital payment token service provider, whose AML/CFT checks on a large, urgent purchase require compliance documentation and source-of-funds explanations. If you intend to maintain the option to pay, identify your acquisition pathway (or an incident response firm that can transact on your behalf) in advance, and confirm that the pathway includes sanctions screening of the destination wallet.
  • Board authority: Ransomware payments can exceed SGD 1 million for enterprise targets. The board should pre-authorise a payment threshold that can be activated during an incident without requiring an emergency board meeting — which may not be achievable within a 72-hour attacker deadline.
  • Legal counsel on standby: Engaging legal counsel with experience in technology incidents before an attack occurs ensures that privilege attaches to incident response communications from the outset. This protection matters if subsequent litigation or regulatory investigation follows the incident.

Be Prepared Before an Attack Happens

Ransomware response is not a firefighting exercise — it is a pre-planned operation with legal, financial, and reputational dimensions that extend well beyond IT recovery. Infinite Cybersecurity helps Singapore organisations build ransomware response plans that address the full scope: containment, recovery, negotiation options, regulatory notification obligations, and board-level decision protocols. We also provide direct incident response support when attacks occur, including engagement with legal counsel and coordination with cyber insurance providers.

Contact our Singapore cybersecurity experts

The Decision Framework: Should We Pay?

For organisations that have exhausted their recovery options and face a deadline, the decision framework is not binary. The question is not simply "should we pay" but "under what conditions should we pay, and what obligations does that create?"

Payment may be justified when: the cost of prolonged downtime demonstrably exceeds the ransom demand, including direct revenue loss, contractual penalties for missed SLAs, and reputational damage; the organisation has confirmed, through test decryption of files it chose itself, that the decryption key is functional and the attacker is capable of restoring encrypted data; the legal and regulatory obligations associated with payment have been assessed and cleared; and the organisation has assessed, from its own logs and forensic evidence rather than from the attacker's assurances, whether data was exfiltrated and what notification obligations that creates. Note that an attacker cannot prove a negative: no statement from the threat actor establishes that data was not taken or has been deleted.

Payment should be avoided or declined when: viable recovery options exist through backups or disaster recovery infrastructure; the attacker is a designated person or entity under applicable sanctions regimes (Singapore gives effect to UN Security Council sanctions, and a payment to a sanctioned party is an offence irrespective of the ransomware context); the attack falls within the CII payment prohibition framework under the Cybersecurity Act, including any CTD designation; or the demand exceeds the organisation's financial capacity without clear business justification for the specific amount.

The worst outcome is not an attack — it is an organisation that pays a ransom, receives a non-functional decryption key, has failed to restore its systems, and has lost the evidence necessary to investigate how the attacker gained access because affected hosts were wiped or rebuilt before being imaged. That outcome is preventable with the right preparation, the right advisors, and the right decision framework in place before the attack happens.

Prepare your ransomware response plan now. The moment an attacker appears is too late to build the framework you need.