Charlie highlights the best advice from a great podcast all about ransomware. Read on to learn all about the best practices when it comes to negotiation.
At lunchtime, I try to go out for a walk to get some exercise and fresh air, otherwise, I find that I can go for days without leaving the house. During this walk, I always try to make the best use of my time and not spend all of it working, by listening to a podcast of something ‘worthy’. I have a list of things to listen to and on the list was a podcast on Gov Info Security entitled ‘Ransomware: Best Practises for Negotiating a Ransom Payment’ by Zong-Yu Wu and Pepijn Hack, who both work for Fox-IT. In this bulletin, I will be sharing what I thought is good advice within it.
Taking a moral stand, I fundamentally believe that it is wrong to pay a ransom after a ransomware attack, working on the principle it is wrong to make extortion payments and if nobody paid them then the crime wouldn’t happen. To this end, it reminds me of the spate of hostage and hijacks which took place in the 70s and 80s. When the hijackers' demands were given, more hijacks happened. As soon as the answer became, if you hijack our people we will not concede to your demands, and we will send in the special forces to shoot you - the scourge very quickly ended. If a hostage or two died then this was ‘unfortunate’ but it was the price governments had to accept if they were to stop the hijackers.
Although it is fine to take this stance, I and many others agree that sometimes a ransom has to be paid. Organisations often have no choice but to pay the ransom demanded, especially if there is no other way to recover the operations of their organisation. If we accept this reality and our organisation might have no choice but to pay, then we should make sure that we are prepared to conduct a negotiation…
Here are the tips that Zong-Yu and Pepijn outlined in their podcast:
1. Be respectful
Being targeted by a criminal and an attempt to extort money from your organisation can be a very emotional event, “how dare they do this to us” can be an overriding emotion. I have heard from a number of people commentating on ransomware negotiations that you must take emotion out of the negotiation. This can be done by ensuring that the people doing it are in the right frame of mind, or by the use of a professional external negotiator. The ransomware gang holds most of the cards, they have something you desperately want, and so if you “p*ss them off” they may walk away or up the price. In the podcast, Zong-Yu and Pepijn commented, “we have seen multiple examples of companies getting frustrated and angry in conversations with threat actors resulting in chats being closed”.
2. Don’t be afraid to ask for more time
Often during the negotiation, gangs will try and pressure you into making a quick decision. They want you to be on the ‘back foot’ not thinking clearly. This is why they will say things along the lines of, "if you don’t pay quickly the money will be doubled" or they may threaten to leak your documents, make use of a countdown timer, and often attack during public holidays. The criminals want your money, and if they think they will be more likely to get it if you ask for more time to either agree or sign off internally or to actually get hold of the money, then this can buy you some more time. This gives you more thinking time to develop your strategy, investigate the extent of the ransomware attack, start the recovery and rebuild.
3. Promise to pay a small amount now or a larger amount later
Make an offer of what you can pay now, saying it will take you time to get a hold of the full amount of money they are asking for. For the ransomware gangs, this is a business, and so they might just take the money as they will get it right away and then they are able to move on to their next target.
4. Convince the adversary you cannot pay the high ransom amount
Give them reasons why you cannot afford the ransom, for example, COVID, market downturn etc. can be used to convince them that they are demanding too much, also make them an offer they might accept. You have to remember that they may have access to your files and may know exactly how much money your organisation can afford. I was informed of a ransom demand of £905,000 which was exactly the amount the organisation had in their bank account. As part of the ransom demand, the ransom gangs will also do their research on your organisation so they will know what you can afford and will set their demand at a reasonable amount. The amount will be ‘painful by plausible’.
5. If possible, do not tell anyone you have cyber insurance
If the attacker knows you have cyber insurance, they will know that as part of the policy the insurance company may pay the ransom instead. Therefore, they will not compromise on the demand because they know the company won’t have to pay it. I think this is excellent advice! As attackers will know they are likely to get their money, they can ratchet up the pressure knowing very likely they will get paid a substantial amount.
6. Negotiate in private
When the initial ransom is demanded the attackers will give you a means of contacting them so that you can negotiate to pay the ransom. Often the link is open and they use the same link for all negotiations. If you have the link, it is possible for third parties to also watch the negotiation, some of the research in the Fox-It podcast comes from watching other people's negotiations. In the podcast, they talked about cases where third parties have joined in and tried to get involved in the negotiation. If you want your negotiation to be in private then make sure you ask the attackers to use a secure link or not their normal portal.
7. Get proof of decryption of files
Ask the attacker to prove that the key you are negotiating for will actually decrypt your files as you don’t want to pay for something that doesn’t work.
8. Be prepared for your files to be leaked
If you pay for your files to be destroyed and not leaked, then there is always the possibility that they are leaked anyway, are passed on, or sold to a third party who leaks them. I think you need to have the communications ready so that if they are leaked then you are able to quickly inform those who are affected, and have a comprehensive list of what has been lost ready. The good thing about having more time between your files being stolen and the leak is that they are valued less, therefore have less of an impact.
9. Use threat intelligence to understand your adversary
This is my own point from another podcast. Understand the threat landscape before you have an incident. By understanding the main adversities out there, their modus operandi, reputation and tactics during negotiations, means that if they attack you have an understanding of your ‘enemy’ and will know how they’ll react, what might work and what won’t. Some of this research can be done in advance, you need to speak to whatever organisation that will help you respond after a ransomware attack. Make sure that they have good threat intelligence on the main adversaries and if they don’t, then you know how this information can be found.
In listening to this podcast it seems that if there is the possibility organisations might have to pay a ransom, they should be prepared to conduct a ransom negotiation. Some of the factors are the same as any negotiation, each party has something the other wants and it is a matter of coming to a mutually agreeable solution. But, there are added nuisances here in that you’re dealing with criminals, you can't sue them if they don’t stick to their side of an agreement, and the stakes for your organisation may be huge. A ransomware negotiation should be practised through exercises so that if the worst happens you are prepared!
If you found this to be highly informative you may also be interested in reading 'Ransomware attack: Who are you going to call, Mike?'