Have you ever wondered how ransomware negotiations work? Here’s what the experts say an organization will experience, should they ever need to pay a ransomware ultimatum.

It’s no secret that ransomware has fast become an organization’s biggest security headache, and it doesn’t look like the issue is about to go away. Cybercriminals are making too much money, especially since demands have escalated from the tens of thousands to the tens of millions. After all, businesses are willing to pay to stop the devastating malware threat, so these guys cash in.

Many people are involved in the ransomware payment decision: the CIO, other executives and insurance providers all need to consider the facts. The increase in ransomware demands has also created a need for specialized consultants and companies that are experts in negotiating and organising payments via cryptocurrency.

What happens when ransomware hits?

Unfortunately, many companies are caught off guard when a ransomware attack happens. That is to say, instead of triggering a well-thought-out disaster recovery plan, most are unaware of their next step.

Furthermore, if a company does have an incident response team and plan, important things are typically missing, such as:

  • threat of a data leak
  • communicating externally with customers and regulators
  • the decision to negotiate with threat actors and who’s involved

Kurtis Minder, CEO of threat intelligence and ransomware negotiation firm GroupSense, says that “even in large publicly traded companies that do have IR plans, they don’t usually cover details related to ransomware.” Once he is brought into a negotiation, Minder quickly discovers that many processes are not documented. For example, there’s no messaging or PR plan and no outline of who should be included in the decision.

Ian Schenkel, Vice President of EMEA at Flashpoint, another company that offers a ransomware response service, notes that even those companies that have practiced their IR plans and have procedures in place are still in a blind panic when ransomware hits.

More ransomware groups are adopting a double-extortion technique where not only are the criminals encrypting an entire network, but they are also trying to extort more money out of you by saying: ‘If you don’t pay the ransom, we’ll leak all the information we have about your organisation’. In other words, they are combining file encryption with data theft. Ransomware, which is a denial of service, then also becomes a data breach that’s subject to various regulatory obligations.

Because the attack is also a data breach, private companies will be forced to publicly disclose when they suffer a ransomware attack.

When a ransomware attack hits, two critical and time-sensitive actions need to be done:

  1. Identify how the attackers got in, close the hole, and kick them off the network (requires an incident response team).
  2. Understand what the business is dealing with, which means determining the ransomware variant, tying it to a threat actor, and establishing their credibility, especially if they also make data theft claims (may require a company that specialises in threat intelligence).

Companies that don’t use external companies for their everyday IT may feel totally out of their depth if they experience an attack. So, it makes sense that in this case they bring in expertise to manage their response.

In around 75 per cent of cases, according to lawyers from international law firm Orrick, outside counsel gets called in first. They then start the response process, which includes:

  • Notifying law enforcement
  • Engaging the forensic people
  • Running a briefing internally with the organisation’s leadership
  • Covering the investigation under privilege
  • Assessing notifications to customers and partners that might be needed
  • Helping the victim organisation make contact with their insurance carrier to notify them about the attack and get approval for costs, including counsel, forensics, crisis communications, and anything else that’s required, including paying the ransom if that decision has been made.

Who decides if the ransom gets paid?

Talks with your insurer should be started early because they may have a say in the selection of the IR vendor and other parties that are brought in to help with the incident. It will depend on your policy. Also, insurers generally have an approved vendor list.

According to the Orrick lawyers, in their experience companies make that decision on their own. Once they’ve decided, they then reach out to their insurance company to get approval.

Some companies decide to pay regardless of whether their insurance covers the ransomware demand, due to the urgency of their situation. In other words, they can’t afford not to pay and feel the need to act now. Afterwards they can deal with their insurance company.

The people who are usually involved in the decision are counsel, the CIO and the COO. They take into consideration both the legality and the risk in forming their decision.

The CIO and their team are in charge of the backup processes and the business continuity or disaster recovery plans. For example, the CIO determines whether backups exist, the number of systems impacted and the expected time for restoring them. On the other hand, the COO makes the decision based on how the affected data impacts operations. In other words, can business operations survive a long downtime?

An insurance carrier will ask a series of questions before approving a ransomware payment, such as:

  • what is the status of backups, were they destroyed during the attack, and do offsite backups exist?
  • how many systems were impacted?
  • how long will it take to restore them?

The insurance company will also investigate the threat actor to determine if they are on the Department of Treasury’s sanctions list. Depending on the type of insurance policy, it is possible they will decline the payment; it really depends on the fine print.

In October, the Treasury Department’s Office of Foreign Assets Control (OFAC) issued an advisory reminding businesses that they face civil penalties if they violate sanctions when making ransomware payments.

The next thing to consider, when the decision is to pay the ransom, is a payment facilitator. Payments are made in cryptocurrencies, and typically businesses don’t have crypto wallets and are unfamiliar with payments in crypto. So, they must call in a third party with the crypto experience to make such payments.

Meanwhile, the third parties may refuse to set up the payment in light of the OFAC advisory and sanctions list. Many of the payment facilitators also specialise in ransomware negotiation on behalf of the victim.

How does a ransomware negotiation work?

After that, the attackers are contacted, usually through an encrypted email service they’ve provided. Most importantly, the IR team needs to ensure that the attack has been isolated and the criminals kicked off the network, according to GroupSense’s Minder.

Minder says, “Imagine if I’m negotiating with a threat actor and that threat actor still has access to the network. That’s a lot of leverage against us. So, one of the things that we try to do right off the bat is working really closely with the IR team to determine if they were shut out and cannot get back in.”

Secondly, the IR team needs to collate all the information about the attack, including whether any data has been compromised, and details about the threat actors’ profile and past.

The more information you have about the threat actor and their history, the better placed you are to establish their maturity and whether they are working on another organisation at the same time. In other words, this information is vital in how you approach the negotiation.

For example, if they have 30 to 40 companies on the hook it may change how they deal with you. The more options they have the less patience they’ll have during negotiations, Minder says.

How do the hackers decide how much to demand? Well, some of them investigate a victim’s profile, suss out the annual revenue and ask for a percentage. So, if they’ve got their information from an unreliable source, their asking amount can be way over the top.

For instance, a victim could be a subsidiary of a large organisation that is a multi-billion-dollar international conglomerate. In other words, it is a small business operating locally with no access to the funds of the parent company.

At the government level, there are significant differences between the financial resources of federal agencies and small municipalities that might not be directly apparent to the attackers.

Meanwhile, the negotiators may want to educate the attackers on the state of the financials, but it is better just to act like it is a business deal, says Minder. The criminals are not known for their compassionate side, and emotional pleas from the victims won’t work. So it is better for experienced negotiators to take over.

However, the communication lines stay open for the victim through a secure portal, where they can weigh in, comment, or make suggestions in real time.

Most importantly, victims can restore some of their systems from backups and use this as a bargaining tool in the negotiations. If the victim’s main system is working and there is only data left on a few remaining systems, why would they want to pay the full ransom demand?

That’s to say, make sure you have your IR plan and ensure you have mechanisms in place that can detect an attack as soon as possible. Limiting the damage is so important.

Tim Bandos, CISO of data protection company Digital Guardian, advises “identifying an ongoing attack or seeing ransomware being deployed across the environment in the early stages and then containing and isolating it as fast as possible.”

He says that “it comes down to scoping the incident and reviewing the logs and identifying where this thing has gone and where we can effectively cut it off. We’ve had that instance where we were able to stop it. It moved to 10 or 15 servers in a fleet of around 3,000.”

In other words, paying the ransom wasn’t needed: out of 3,000 servers only 10 to 15 were hit, so it won’t take much time to restore these from backups. Paying the ransom, by contrast, would be quicker if you had to restore all 3,000 of them.

Backups aren’t foolproof, especially if the applications and their software stack are outdated. For example, Bandos found that a customer they were dealing with in the manufacturing sector had an outdated Windows Server version on their server. In other words, the system had to be rebuilt, which takes a lot of time. But the downtime of the server was costing them thousands of dollars per hour, so they opted to pay the ransom.

There are a few things to do to ensure this situation doesn’t happen to you, such as:

  • test the restoration process for backups and create system images with all the software a system needs to function properly
  • have detection capabilities in place
  • use endpoint software that can detect and block file encryption routines and isolate systems from the network quickly, which is also very valuable

Meanwhile, there is a silver lining: both Minder and Flashpoint’s Schenkel agree that ransomware groups will negotiate, and in the end most ransoms come to a small percentage of the original asking amount. That’s because the ransomware gangs are under pressure, too.

If negotiations drag on, it enables the IR team to go to work and restore the system themselves. On top of that, the attackers know that only about 20-30% of victims pay the ransom. That’s to say, attackers need to move fast to cash in.

Schenkel says, “As much as we say how bad threat actors are, they’re still just people trying to sell something, so they will have a starting price.” The threat actors are in business, but they are “always open to negotiations,” says Schenkel.

Most importantly, before any monies are paid out to the threat actors, they must prove they can decrypt files. They generally do this on a sample set of data. But don’t assume a successful sample means there is no risk: in some situations, the decryptors supplied have bugs, or data may appear corrupted on certain systems.

Specialist companies can reverse-engineer these decryptors and re-implement them, which enables them to use the decryption key supplied by the threat actors.

In some cases, the attackers use different keys on different systems in the network. That’s another reason for doing a proper investigation and getting forensics and threat intelligence involved. Working out the group’s modus operandi before approaching them is vital.

Once the negotiator has agreed to the amount and payment has been made, all the information needs to be collected and kept together, including records such as:

  • communications
  • history about the threat actor
  • transactions

This information needs to be kept for record and legal reasons and possibly for your insurance company.

Threats to leak data complicate negotiations and recovery

If you’re dealing with the double threat scenario and the attackers have also threatened to leak your data, it’s a bit more of a concern. Why? Because once the threat actors have stolen your data, how do you know they have destroyed it? You don’t. Remember, the data can include end-user data.

Well, you don’t, unless some time later the same threat group tries to extort more money out of you or the data is leaked online anyway. Coveware, a security firm that specialises in ransomware negotiations and response, reported last year that this was actually happening.

As the double threat technique increases in popularity amongst ransomware groups, these attacks will need to be treated as data breaches. In this case, victims will have to go through all the required processes, as well as consider paying a threat intelligence firm to monitor for the stolen data on underground forums and marketplaces.

Furthermore, some ransomware gangs are going for triple threat extortion tactics. For instance, Grief, a well-known ransomware group, has warned that if victims go to the police or hire ransomware negotiators or even data recovery experts, the decryption key will be destroyed.

To clarify, Grief is tied to Evil Corp, which is on the US Department of Treasury’s sanctions list, so they are a very well-known ransomware group. If the victim contacts police, negotiators, data experts, or even their insurance company, the group knows there is less of a chance they’ll get paid. Victims may face civil penalties and their insurer may not cover the ransom demand.
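
In other words, Evil Corp or Grief want to discourage victims from contacting third parties. And it’s not the only ransomware group that has used the triple threat. Other groups are using it for different reasons, such as the fact that ransom negotiation logs are sometimes leaked and show up in media articles or on Twitter.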

Brett Callow, a threat analyst at Emsisoft, says that “the fact that threat actors do not want their victims to contact law enforcement is a very strong indication that they should.”

“In some cases, law enforcement agencies can provide victims with valuable assistance and even help them recover their data without the need to pay the ransom.”

Since September, the OFAC advisory, a letter from the Department of the Treasury in Washington, has placed more importance on contacting law enforcement, especially in relation to breaking the sanctions.

Post-mortems identify lessons learned

To ensure the organisation’s future capacity to block or slow down attacks, it is important to have a post-mortem review. This is where the legal team, the IR and IT teams, ransomware specialists and negotiators come together to review all the information, discuss the incident and talk about the lessons learned. In other words, turn it into a project with an action plan.