Organizations are looking into how to handle ransomware negotiation as cybersecurity professionals look to help businesses in need.
In a survey, 90% of respondents said their company would consider paying a ransom if it meant recovering data and business processes more quickly.
What is a typical ransomware negotiation process?
A threat actor might use an attack against your business to 'drip-feed' extortion, releasing data in a staggered way to maximize their gains. Consequently, the business might end up in a perpetual cycle of ransom demands. This is where we are called to investigate and protect against major ransomware, corporate espionage, financial theft and even nation-state campaigns.
To stay ahead of threat actors, cyber security professionals must invest in and enlist the help of third-party security experts who can evaluate your security stack and spot what you may not see. To effectively combat cybercrime, both helicopter and microscopic perspectives are necessary, as well as a proactive and adaptive mindset.
- Acquire the right skills before engaging with threat actors.
- To get the best outcome possible, you must be willing to negotiate and that means “playing the game.”
- Find the source of vulnerability to avoid double and triple extortion.
- We can determine the sophistication of the attack by understanding the tools, tactics, and procedures (TTPs) used by the attacker.
How can a ransomware negotiation service benefit you?
Businesses can gain a wealth of expertise under one roof with the help of a third-party incident response team.
Delaying a response to a ransom demand offers what benefits?
The threat actors today are companies with HR departments, payroll departments, and sales teams. Their reputation is as important to them as securing the ransom. They thrive on infamy. The nature of the attack itself can sometimes make paying the ransom inevitable. As an example, consider a cyber attack on industrial infrastructure, which has a physical impact as well.
Businesses have paid $449.1 million in ransom since the beginning of this year, according to a recent report. The tactic of negotiation can uncover unknowns about the attacker, allow them to be appeased, and potentially reduce the total ransom, thereby deterring future attacks. A security breach is a threat that must be contained; data must be recovered and any security gaps remedied.
After a ransomware attack, what should organizations do?
Create an offline channel for streamlined strategic team communication, essentially a war room. In the age of cyberattacks, IT concerns must be brought to the board of directors, especially since missed regulatory steps could land the CEO in the dock.
Avoid knee-jerk reactions by remaining calm. Panic can cloud your judgment, and a rushed response to threat actors makes it more likely that you become a successful 'mark.'
Investigation, evaluation, and mapping of the crisis can be done by bringing in outside incident response expertise. The threat actor should not be engaged alone.
The backup environment should be segmented and kept separate from the network.
To prevent the spread of the attack, disconnect employees from email and the server. It would have been possible to reduce the scale of several supply chain attacks this way.
Find out where the attack is coming from by assessing your environment.
Avoid piecemeal backdoor eradication and remediation at all costs. Mitigation activities undertaken in this manner might tip off the threat actor that someone is keeping an eye on them. To prevent further risk and detect any backdoors that might have been missed, make sure the remediation process is comprehensive, and support it with tailored monitoring efforts.
Are there any examples of organizations that have successfully mitigated the impact of ransomware attacks using ransomware negotiation services?
As a result of ransomware negotiations, companies are less likely to lose money, cybersecurity professionals have more time to uncover the threat, and ultimately ransoms can be reduced at an accelerated pace. Negotiators can use that to deter threat actors, minimise ransoms or avoid paying anything at all.
It is becoming more common for cyber security professionals to encounter cyberattacks where both the virtual and physical worlds are impacted, and a ransom must be paid.
In parallel with existing work streams, the company hired cyber security professionals to investigate and contain the threat while recovering and negotiating with the threat actors. To ensure our containment team was targeting the right domain, our negotiation experts built trust and empathy with the threat actor.
The cyberattack origin was traced to a sister company within the group after they uncovered the entry point and lateral movement vectors of the attack. A supply chain attack is when external companies share systems for efficiency, but unknown to them, these systems can also be exploited by threat actors, and the attack can spread like wildfire.
Our 'secure island' environment can be recovered by cyber security professionals, so the ransom isn't required. Within two weeks of the initial compromise, we also remedied the vulnerabilities to prevent a recurrence of the attack.
In what ways do law enforcement agencies collaborate with ransomware negotiators?
Law enforcement agencies are frequently consulted by ransomware negotiation teams. This effort is mainly focused on understanding the extent of the attack domain, refining the TTPs of the adversarial group and speeding up the containment process.
What to Expect from Ransomware Negotiations
Negotiating with ransomware attackers or paying the ransom is generally not recommended, because doing so may encourage further ransomware attacks. In addition to supporting the attackers' criminal activity, paying the ransom puts your organization at risk of being targeted again.
Even if you pay the ransom, there is no guarantee that the attackers will provide the decryption key. To ensure that the risks and potential consequences of paying are properly considered, it is important to weigh the pros and cons carefully.
Cryptocurrencies and encrypted communication channels are often used for ransomware attacks and payments. Communication is usually conducted through an encrypted chat or email service provided by hackers. Talk to the adversary about additional communication channels and methods. In this situation, try to establish a mutually trusting communication line with the attackers.
Keep a record of all communications, including instructions for paying the ransom, if you decide to negotiate with the attackers and pay the ransom. Investigations into this attack may be aided by this information.
Ask the attackers to demonstrate the decryption key by decrypting several random files. By doing so, you can be sure you are dealing with the actual attackers and not a third party.
Find out how the attackers have behaved in the past. It may help to increase your confidence in the negotiation if the attackers have been known to negotiate or provide the decryption key after receiving payment in the past. It may also give you leverage to negotiate a lower price.