This week Charlie shares some key learning points on ransomware negotiation.
This week I am going to share with you what I learned from speaking to Mike Fowler, VP of Intelligence Services at GroupSense, a specialist cyber response company. One of the services they offer is ransomware negotiation and I thought in this bulletin I would share what a ransomware negotiation is and some key learning points from the many responses he has been involved in.
A while ago I was the Emergency Planning Manager for a large company that had many international travellers travelling to all parts of the world. Part of my role was to make sure that we were ready to respond if staff were kidnapped. In my investigation of how to respond and when developing a response plan, I learned that you need to have on-call trained negotiators whose role is to negotiate between your organisation and the kidnappers. Using specialist negotiators gives you a much better chance of, firstly, getting back your staff member in one piece and alive, but also of reducing the price of the ransom. The kidnappers were also much happier to work with a negotiator as they both knew the ‘rules of the game’ and the negotiator was unlikely to do anything that would threaten the kidnappers and cause them to kill their hostage. The role of negotiator required a specialist skill set and companies like Control Risks were then the market leaders in providing this service.
Until very recently I had not heard about the role of ransomware negotiators. I came across the role as part of my research for my bulletin ‘Cyber Ransoms - Should I Pay?’. Wanting to learn more, I then approached GroupSense, who provide the service, and had a conversation with Mike, who talked me through the role and what he had learnt.
When we talk about ransomware attacks in this bulletin, we are talking about both the encryption of files and the exfiltration of data out of the organisation, which can be used to blackmail the data owner.
The following are what I think were the key points from our conversation:
- The attackers who are conducting these attacks are usually well funded and well informed, and they do their homework on the organisations they are going to attack. This is purely a business transaction for them, and they treat it like one. When they steal your data, they will review it and seek to identify its value, its value to you, and the damage to your organisation if it were to be made available. They will research the organisation to see how much they should set the ransom at. I was told about an organisation which had been attacked and the ransom was the exact amount the organisation had in their bank account when the attack occurred. They also need to create an element of trust in their victims: if they don’t keep their word and do not delete data or provide an encryption key, then nobody would pay and their business would be unviable. To add to the credibility of their attack they will often provide ‘proof of life’, a sample of your data to prove they actually have your information. This is a business just like any other.
- A cyber-attack is an attack on your organisation, so you are likely to take it as a personal attack. Mike said it is like someone looking at your baby and saying it is ugly. You have to treat an attack as purely a business negotiation in which the attacker has something you want, and the negotiation is about how much you are prepared to pay for it. Ransomware negotiators can help you be objective, keep emotion out of the situation and keep you focused on your negotiation aims.
- During many cyber-attacks, the attackers will gain access to your system and will stay in long enough to gain access to all areas, identify the valuable data, exfiltrate the data and then, only once they have got what they want, use ransomware to lock you out of your systems on their way out. As they have investigated the organisation they are attacking, they will carry out the ransomware attack at the least convenient time for the company or when it will have the biggest impact. I don’t think it was chance that the ransomware attack on Travelex took place over New Year, when the company were most likely to have the least amount of IT people on-call or able to respond. Once they have your data, they can then implement a three-pronged strategy to extort money. Firstly, they can charge a fee for provision of the key to unlock the ransomware; secondly, they can charge a fee not to make your data available on the dark web; and thirdly, they can charge your customers to make sure that the data you hold on them is not made available.
- Attacks and negotiations are conducted in a speedy fashion over hours and days, not weeks and months like during a kidnap negotiation. They will not let you run the clock down, as their aim is to put you under pressure, not to give you thinking time. They want to get the negotiation over, get the money and move on to the next victim.
The decision on whether or not to pay needs to be very much a business decision, and those making the decision need to look at the impact versus the cost and reputational damage of both paying and not paying a ransom. The decision will depend on the circumstances of the organisation. If the organisation has an excellent backup regime and their systems can be restored quickly, it is hard for the existing customers to leave and find an alternative supplier, and the reputational and commercial impact of data being released is low, then there will be a strong incentive not to pay. If the opposite is true, then in terms of the cost-benefit it is probably more beneficial to pay. This decision should be discussed and exercised so that a measured decision can be made.
A ransomware negotiator can help you to better understand who you are dealing with and some of the risks and issues that you should consider in dealing with them. They can also help reduce the amount of ransom money paid and help you look objectively at your organisation’s response. You may get a negotiator as part of your cyber insurance; otherwise, you should be aware of who you might use if it happened to you. I think the role of the negotiator should be written into your plans or playbooks and you should think through the pros and cons of paying a ransom in advance.