In this week’s bulletin, Charlie discusses what to do in a negotiation situation with hackers, and looks at what we can learn from the situation with Royal Mail and their hackers.
This week, with two of my PlanB Consulting colleagues, I assessed the response of the crisis team of a large financial organisation. As part of my preparation, I was reading up on the latest on cyber and the gangs that are carrying out the attacks. I came across PWN Defend, which has published the negotiation conversation that took place between Royal Mail and their hackers. In cyber incidents, only a very trusted few get to see how the negotiation unfolds. What is also interesting is how human the interaction is: you can see some of the emotions and thoughts of both the negotiator and the hacker.
Below are a few of my personal thoughts:
- An early decision is whether to contact the hackers. As far as I am concerned, you only make contact if you might want to pay, or in the case of the SickKids hospital in Canada which was hacked on 18th December 2022, ask the ransomware gang for the key. You can play for time which might give you more time to prepare your response before they may leak your data, but it is likely that you will have to admit to the hack, and if you are not going to pay, you will start the recovery and rebuild of systems. If you think you might want to pay – about 65% do – then you can use the negotiation to reduce the amount you end up paying. My own personal view is to make an early decision as Norsk Hydro did, not to pay and not to negotiate, and then get on with the response.
- As Royal Mail did, you can ask the hacker to prove that the decryptor key works, and I think it is a good idea to ask for a full list of the files they have, so that you can understand what they have got. This could be quicker than finding out through your own cyber forensics.
- If you want to play for time, you want a low-level IT person as the negotiator, preferably not the brightest or the most logical. Definitely not someone senior who is empowered to make a decision!
At the end of their post, PWN Defend published what they think the learning points of this conversation are:
- Make Contact
- Request for proof of data theft
- Request a full list of files/data
- Request for a sample (specific samples where sensitive data would be)
- Request for proof of ability to decrypt
- Advise Low Skilled/Low Authority in org
- Advise constant requirement for comms to go up to senior management (delay)
- Advise constraints on money
- Advise the threat actors have bad intelligence and that the impacted assets are part of a different org/subsidiary etc.
- Push for discounts/price reduction in relation to revenue
- Advise that it is a “big decision” and is with the board
- Keep updating the threat actors with progress, even if this is to just say “we are waiting for a board response”
- Set expectations of likely decision-making times