Gain exclusive insight from a real ransomware negotiator who shares authentic stories of network hostage situations and how he managed them.
Ransomware is an industry. As such, it has its own business logic: organizations pay money, in cryptocurrency, to regain control of their systems and data.
The industry landscape consists of around 10-20 core threat actors who initially develop ransomware malware. To distribute the malware, they work with affiliates and distributors who make extensive use of it phishing attacks to break the organization. Profits are distributed with about 70% allocated to affiliates and 10%-30% to these developers. The use of phishing makes online-based industries, such as gaming, finance, and insurance, very vulnerable.
In addition to its financial motivation, the ransomware industry is also influenced by geopolitical politics. For example, in June 2021, following ransomware attacks on the Colonial Pipeline and JBS, the Byden administration announced that ransomware was a threat to National Security. The administration then creates a list of critical infrastructure that is “forbidden” for attackers.
Following these steps, a number of threat actors decided to change course: declaring that they would not attack essential and basic organizations such as hospitals, power plants, and educational institutions. Months later, the FBI reported that they had attacked prominent ransomware group REvil:
The attack elicited a response from the Conti group, reflecting their ideological motives:
Managing ransomware events is similar to managing hostage situations. Therefore, to prepare for ransomware incidents, it is recommended that organizations use a similar crisis management structure. This structure is based on the following functions:
1. Crisis manager:
- Coordinate technology, business, and legal pathways.
- Technological pathways include forensics, investigation, containment, remediation and recovery, as well as professional dialogue. At this stage, the incident response organization and team assesses the scope of the event. For example, how deep is the attacker in the system, how much data is extracted, etc.
- Business lines include business continuity plans and media and PR. This is usually run after the scope of the event is clear. It is recommended to be as transparent and accurate as possible when issuing public statements.
- The legal route includes legal, regulatory, and compliance considerations. They keep track of what guidelines need to be adhered to and within what time frame. Sometimes, they will also be crisis managers.
- Crisis managers cannot be decision makers.
2. A decision-making group:
- The group or person who makes decisions based on the information provided by the crisis manager.
3. Law enforcement:
- It is recommended to define this relationship first. Breadth can be as minimal as just informing them and as deep as allowing them to manage the entire crisis.
According to Etay Maor, Senior Director Security Strategy at Catos Network“We are seeing more and more companies offering this ransomware service bundle. However, it is advisable to separate these roles to ensure the most professional response.”
The Role of the Professional Negotiator
Professional negotiation is the act of utilizing professional communications with hackers in various extortion situations. The role consists of four key elements:
1. Identify the scope of the event – Occurs within the first 24-48 hours. This includes understanding what was compromised, how deep the attacker is in the system, whether the action is a single, dual, or triple ransomware, whether the attack is financially motivated or whether it is a political or personal attack, etc.
In 90% of cases, the attack is financially motivated. If politically motivated, the information cannot be recovered, even after paying the ransom.
2. Create a threat actor profile – This includes understanding whether or not the group is known, their behavior patterns and their organizational structure. Understanding who the attacker is affects communication.
For example, by knowing the local time for an attacker, negotiators can identify where they are coming from. This can be used to improve negotiation terms, such as taking advantage of a holiday to ask for a discount.
3. Assess the “no-deal fee” – Reflect to decision makers and crisis managers what will happen if they do not pay the ransom.
4. Defining negotiation objectives – The question is not whether to pay or not. It’s a business decision. The goal of negotiation is to negotiate for information, for time and for better terms. At times, this can result in lower payouts, or even allow the company to recover on its own.
For example, one company could buy 13 days through negotiation, allowing them to recover their information and forgo paying the ransom altogether.
Paying or Not Paying?
Etay Maor commented, “Ransomware is not an IT problem, it’s a business problem.”The decision to pay or not is a business decision, influenced by many factors. Although the FBI’s official policy is not to pay, they do allow the company to do so, if the CEO decides.
For example, in one case an online gaming company lost more money than ransom demands every hour, their operations went down, influencing their decision to pay ransoms as quickly as possible while minimizing negotiation time. US lawmakers also did not ban ransomware payments. This shows how complicated this problem is.
Tips for Protecting against Ransomware Attacks
Ransomware is becoming more prominent, however organization can protect it. Ransomware relies on phishing attacks and unpatched services. Therefore, it is recommended that CEOs meet with their IT team regularly to ensure software and infrastructure is patched and updated and all critical information is backed up. This will significantly reduce the chances that ransomware can exploit vulnerabilities and penetrate systems.
To learn more about ransomware attacks and how they are managed in real-time, watch the entire masterclass here.