Ransomware
Cyber Resilience
Industrial
Healthcare

Nexus Podcast: Rui Ataide on Ransomware Negotiations and Recovery

Michael Mimoso / Aug 28, 2025


A ransomware victim is always in an objectively terrible position. 

They’ve been compromised. They’re locked out of critical systems. Data has likely been stolen, or at least they’re being extorted with the threat of a data leak.

Their one objective is recovery. Yet in one ear are law enforcement and the cybersecurity research community, advising against paying ransoms into the criminal ecosystem in order to recover systems and data. In the other ear are business leaders and executives stressed over revenue and profits evaporating by the minute, the loss of productivity, and the intangible threat of harm to the company’s reputation.

More often than not, the reality is that victims will ultimately attempt to reach out to an attacker in order to recover their systems and data. This part of the process inevitably leads to a business relationship with a ransomware negotiator, someone seasoned in understanding the tactics, techniques, and procedures of a ransomware gang, and in how to hammer out a lower ransom in exchange for a decryptor and return of the lost data.

Rui Ataide, Managing Security Consultant at GuidePoint Security, joined the Nexus Podcast recently to discuss the nuances of ransomware negotiations, how negotiations work, and the ins and outs of interacting with ransomware gangs. 

“The recovery side of things is the critical point and the decision,” Ataide said. “It ends up being a business decision. Can you recover from this quickly? How much is that going to cost you in terms of revenue, in terms of your operational costs?”

Ransomware negotiations employ several tactics and involve parts of the business beyond the technical and security teams, including legal and even cybersecurity insurance providers.

The principal aim is to reduce the ransom demand to an acceptable level for the victim. Some negotiations, which take place over a secure channel provided by the attacker, also seek to extend payment deadlines, verify that data has been accessed and taken, and confirm that a provided decryption key will in fact work. Ataide said most ransomware gangs are careful to protect their reputations and for the most part provide working decryptors, but cautioned that’s never a guarantee.

“So our goal is to help them as much as we can, advise them, explain to them the pros and cons of each of the decisions, and guide them through that process,” Ataide said. “There's a lot of numbers out there in terms of what are the sort of expected reductions that you can get on initial demands versus payment. There's also certain limits that sometimes companies are bound by, whether it's their cyber insurance premiums or amounts that they're allowed to spend, whether it's physically the money they have in the bank.”

Smaller organizations that are victimized by ransomware gangs are often in dire straits, and could face a devastating business decision to close up shop if the demands are out of reach.

“We deal with a lot of smaller organizations; that is the ultimate decision. How much money do I have and how much can I afford to get my business back on track versus having to eventually close up? It's the cost of recovery, or not being able to access their data that has a price to them, which is they'll have to eventually go out of business,” he explained.

All of this figures into internal discussions over whether to pay, and whether to engage with the attacker via a negotiator. 

“We always advise that you engage. There's value in knowing what's going on,” Ataide said, adding that some companies do decide to negotiate on their own. “I don't know that we blatantly advise against people doing that on their own. We try to advise them on the risks of doing that, of not knowing all of the stages, not knowing what are the things that you need to do yourself to be successful, whatever that definition of successful is.”

Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
