There are few things that are worse for a security professional than having to negotiate with ransomware extortionists. First, it means they suffered a serious compromise and likely a data breach. Second, there’s no guarantee, even after paying up, that the encrypted data will be returned to its good state. Finally, if the organization finds it must pay the ransom to reasonably function, or even stay in business, in certain circumstances paying the ransom may itself be a criminal act.
Still, it’s a situation many CISOs unfortunately find themselves in. And it’s always a thorny process. There’s the inherent lack of trust, due to the very nature of the situation. And the stakes are typically high, with critical data in jeopardy or essential systems made unavailable.
There are many things to consider in order to have a successful negotiation, and many of those elements involve legal and ethical concerns. To help readers navigate the thorns of a ransomware negotiation, we reached out to attorney Mark Rasch, who has more than 30 years’ experience in cybersecurity and data privacy, including years with the U.S. Department of Justice, where he created the DOJ Computer Crime Unit and Cyber-Forensics practice, and prosecuted many early criminal hackers.
Mark has also developed and taught courses in law, cybersecurity, cyber-forensics, digital investigation, data compliance, incident response, privacy and media law at various academic institutions across the country including Harvard Law School, George Washington University law school and school of engineering, University of Maryland, Massachusetts Institute of Technology, American University law school and school of public policy, Georgetown University, James Madison University, Stanford University and George Mason University.
Thank you for taking the time to speak with us, Mark. Let’s jump right in. How do organizations decide if they are going to negotiate and pay a ransom?
The first is to understand that negotiating and paying are two very different things. You go through the decision-making process around whether you should, and can, pay. And then you decide how much of it you are going to pay.
The short answer as to whether an organization would be willing to pay is to look at whether the cost of paying is less than the cost of recovering. The ransomware groups target companies that have critical time dependencies. For instance, financial services being down for even a day has imminent harm, same with critical infrastructure and healthcare delivery. Being down for a short time can cause immediate harm. Your backup and restoration processes may also be corrupted.
Then there are the legal and ethical questions. To whom are the funds going? What will the funds be used for? Are they going to provide material support to crime? Aiding and abetting criminal activity? Is it material support to terrorism?
One of the things that I recommend companies do if they're going to be paying ransomware is to check if the funds will be going to a prohibited wallet. Be sure to check that. Second, there are companies that do threat analysis on cryptocurrency wallets and help to identify where those wallets are and how they use them. That is useful due diligence on the wallets.
Ransomware not only comes with a wallet, but also a communication channel, usually IRC. That channel and the language used and the nature of the malware can all help to give you an indication of where the ransomware is coming from.
What about when one has brought in law enforcement?
Whenever you are dealing with law enforcement, especially the FBI, and you have decided it’s in your best interest to pay, it can be useful to tell them your intent. Explain, ‘Look, we are in a bind and unless you tell us otherwise, we are going to pay.’ It will be very difficult to prosecute a company in that situation.
What comes next, I imagine, is negotiating how much you are going to pay?
There are many things you have to have figured out ahead of time before you can successfully negotiate. Who is going to do the negotiations? How are we going to make payment? Then there’s the question of whether or not you can pay. There are an increasing number of state and federal laws that prohibit government agencies and financial services companies from paying ransom. There will be more laws like this coming.
What about being ready to pay in cryptocurrency?
At a minimum, you need some cryptocurrency, and sometimes you need a lot of cryptocurrency. And if you don’t have access to cryptocurrency, you need to be able to convert sovereign currency into crypto. A lot of companies don’t think in their incident response plan, ‘Hey, I have to have a crypto wallet and I need a million dollars nearby that I can liquidate quickly.’ They just don’t have it.
Second, before you even deal with anybody in a ransomware situation, you want to have that threat intelligence we spoke about wrapped around your ransomware response to the greatest extent possible. You want to know as much as you can about the nature of the situation and the actors.
How do organizations get that level of intelligence? They often don’t have that level of expertise on staff.
They’re likely not going to have access to that expertise on staff, unless they are a major organization. They’ll need to work with an organization that has a solid understanding of these organizations, and has a deep dive into the dark web. This would be someone who has penetrated hacker organizations, and who knows who the principal actors are and their motivations.
Ideally, your investigator will be having open discussions with the threat actors. Remember, every engagement with the threat actor is another point at which you might be able to determine who they are and what their motivations are. One of the reasons you want to negotiate is because each act of the negotiation process reveals additional information about the threat actor involved.
What do victim organizations do to make sure they get their data back?
Two things. One is to negotiate technical support, in case the keys don’t work. Second is to set up an escrow account. If the keys don’t work, at least you have the interests aligned in the deal because the payment is still sitting in escrow.
Once you've made the payment, they have an interest in making sure that the key works.
For law enforcement purposes, you also want to pick a very unique payment amount. There are millions of transactions on the blockchain for $3,000, $5,000, $8,000, but if you make the number more unique, such as $3,000.18, it is much easier to track that transaction.
I understand there’s a lot more to these negotiations than we can cover in a short blog, and I know you just started working on a book on the subject. Can you share a little about the book idea and why you are writing it?
I’m working on a book for the American Bar Association which will be a “Lawyer’s Guide to Ransomware Response.” The goal is to educate both in-house general counsel and outside counsel about what to do before, during and after a ransomware attack. This includes ensuring that companies have appropriate contracts in place for data protection and incident response with third-party and cloud vendors and suppliers, that they have adequate data backup and archival, that they have business continuity and disaster recovery plans, and that they have the right kind of insurance that covers not only the theft (breach) of data, but also data recovery when the data is simply inaccessible (but not destroyed).
It also addresses many of the legal issues associated with data forensics, force majeure, companies being excused from contract performance because of a ransomware attack, and issues related to investigation and payment like money laundering, aiding and abetting, criminal facilitation, sanctions regimes and OFAC compliance, federal and state money transfer agent laws, and similar laws that relate to the payment or non-payment of ransom. Hopefully, it will be a detailed, step-by-step guide with forms and contract language that will assist lawyers when they or their clients are responding to or preparing for ransomware attacks.
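Two of the due-diligence steps Mark describes in the interview (checking whether the demanded wallet appears on a prohibited-address list before any payment, and choosing a distinctive payment amount so the transfer can later be picked out on the ledger) can be scripted into an incident response playbook. The Python below is an added example written for this post; it is not code from Mark, the ABA, or any vendor. The ransom note, the wallet addresses in it, and the blocklist are constructed placeholders, and a real check would load the current sanctions list (for instance the OFAC SDN digital-currency entries your counsel or threat-intelligence vendor supplies) instead of the inline sample.

```python
"""Pre-payment due diligence on a ransom demand: pull the wallet addresses out of
the extortion note, screen each against a prohibited-address list, and build a
payment amount that stands out among the round-number transfers on the ledger.

All data here is constructed for the example; it is not a real sanctions list."""
import re
from decimal import Decimal

# Constructed sample blocklist keyed by asset code (XBT = bitcoin, ETH = ether).
# The entries are placeholders; real ones come from the sanctions list you load.
SAMPLE_PROHIBITED = {
    "XBT": {"bc1qsampleentrysampleentrysampleentry99"},              # placeholder
    "ETH": {"0x00000000000000000000000000000000deadbeef"},           # placeholder
}

# Address syntaxes, constrained to each scheme's alphabet so ordinary words are
# not picked up. bech32 is case-insensitive; legacy base58 is case-sensitive.
ADDRESS_PATTERNS = [
    ("XBT", re.compile(r"\bbc1[ac-hj-np-z02-9]{25,62}\b", re.IGNORECASE)),  # bech32/bech32m
    ("XBT", re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")),            # legacy base58
    ("ETH", re.compile(r"\b0x[0-9a-fA-F]{40}\b")),                          # hex account
]

# Constructed ransom note for the demonstration (addresses are made up).
SAMPLE_NOTE = """\
Your network has been encrypted. To receive the decryptor send
0.5 BTC to bc1qexampleexampleexampleexampleexample00
or 12 ETH to 0x00000000000000000000000000000000DEADBEEF
within 72 hours. Contact us on the channel listed below.
"""


def extract_addresses(note):
    """Return (asset, address) pairs in the order they appear in the note."""
    hits = []
    for asset, pattern in ADDRESS_PATTERNS:
        for match in pattern.finditer(note):
            hits.append((match.start(), asset, match.group(0)))
    hits.sort()  # restore document order across the different patterns
    return [(asset, addr) for _, asset, addr in hits]


def normalize_address(asset, address):
    """Canonical form for comparison: hex and bech32 are case-insensitive,
    legacy base58 bitcoin addresses are not."""
    addr = address.strip()
    if asset == "ETH" or addr.lower().startswith("bc1"):
        return addr.lower()
    return addr


def screen_wallet(asset, address, blocklist=SAMPLE_PROHIBITED):
    """Return (is_prohibited, reason) for one demanded wallet."""
    wanted = normalize_address(asset, address)
    listed = {normalize_address(asset, a) for a in blocklist.get(asset, set())}
    if wanted in listed:
        return True, f"{asset} address matches a prohibited-list entry"
    return False, "no match in prohibited list"


def screen_note(note, blocklist=SAMPLE_PROHIBITED):
    """Screen every wallet found in a ransom note; one finding per address."""
    findings = []
    for asset, addr in extract_addresses(note):
        prohibited, reason = screen_wallet(asset, addr, blocklist)
        findings.append({"asset": asset, "address": addr,
                         "prohibited": prohibited, "reason": reason})
    return findings


def unique_amount(base, marker):
    """Add a two-digit cents marker (for instance from the incident ticket number)
    so the transfer is not one of the many round-number payments on the ledger.
    unique_amount("3000", 18) -> Decimal("3000.18")"""
    if not 0 <= marker <= 99:
        raise ValueError("marker must be a two-digit value")
    cents = Decimal(marker) / Decimal(100)
    return (Decimal(str(base)) + cents).quantize(Decimal("0.01"))


if __name__ == "__main__":
    for finding in screen_note(SAMPLE_NOTE):
        flag = "PROHIBITED" if finding["prohibited"] else "clear"
        print(f"{finding['asset']} {finding['address']}: {flag} ({finding['reason']})")
    print("distinctive amount:", unique_amount("3000", 18))
```

Any address that screens as prohibited should stop the payment workflow and go to counsel before anything else happens; a clean screen is only the absence of a match against the list you loaded, not a clearance of the recipient.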
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.