Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

You’ve Been Breached. Do You Need a Ransomware Negotiator?

August 26, 2021

CNN Business published a story about working with ransomware negotiators on July 13. This intrigued me as we sometimes work alongside those negotiators. They negotiate while we work to restore systems from backup. We were unaware that there were firms specializing in ransomware negotiations until early 2020 when we began to run into them as we were called in to get systems back up.

Interviewed were ransomware negotiators Tony Cook and Drew Schmitt of GuidePoint Security. The two have negotiated, thus far, 75 ransomware payments on behalf of organizations held hostage by cybercriminals. They have developed sophisticated profiles of many of the cybercriminal groups they’ve dealt with to assist them while bargaining.

Some threat actors, such as the Ryuk ransomware gang, known for making huge payment demands, struck so often that Cook said he started to believe he was dealing with the same person on multiple occasions.

“If you know how they typically operate, that helps tip the scales in your favor a little more,” said Schmitt. “There is a fair amount of strategy that happens before you get to the negotiation table.”

The FBI and cybersecurity experts strongly discourage paying off ransomware attackers, mostly because it encourages further attacks. “They know that you already made the decision to pay,” said Lior Div, founder and CEO of cybersecurity firm Cyber Reason, “and now it’s, like, to make another decision to pay is easy.”

In 2020, according to blockchain analytics firm Chainalysis, ransom payments, typically made in cryptocurrency, totaled the equivalent of $416 million, more than four times the 2019 level. And the firm has confirmed more than $200 million worth of payments to date in 2021.

A successful ransomware negotiation can mean the difference between paying hundreds of thousands of dollars and paying millions, Cook and Schmitt said.

“Sometimes you can only go down just $10,000,” said Cook. “It really depends on what the actor perceives that they have and the negotiation tactics to get things done.”

As soon as a victim decides to pay a ransom and reaches out to the attacker, the clock starts ticking. This often leads to the release of an organization’s purloined materials if the two sides can’t reach a deal.

Negotiations happen fast. Many ransomware groups communicate with their victims using online chat tools and instant messaging. The cybercriminals are incentivized to make the negotiation and payment process as quick and easy as possible to maximize profits.

Because so many cybercriminal groups work out of foreign countries, chatroom negotiations make heavy use of Google Translate, Schmitt said. Short one-word or one-sentence messages from the hackers in fractured English are the norm. The language barrier notwithstanding, many bargaining encounters are concluded within 10 to 15 exchanges.

That’s why it’s critical for hacked companies to quickly investigate their own systems before they finalize a ransom payment. Victims need to be able to credibly claim, “Whatever you think you have, it’s not worth that much money,” Cook said. Victims can’t say that unless they know what data has been exfiltrated.

That tactic won’t work if the attackers know that they have sensitive data like trade secrets or financials that a company can’t afford to have released publicly. Attackers have gotten smarter, realizing that companies were refusing to pay because they could restore data from backups, according to Div of Cyber Reason. So before encrypting the data, they look for sensitive information — “your customer list, intellectual property, nasty emails, whatever might embarrass you,” he said — and then threaten to publish it if the victim refuses to pay.

If that’s not enough, Div said attackers can contact a company’s customers (or, I might add, the press) to ratchet up the pressure on them to pay.

Cyberinsurance companies now contract with lawyers, technical and forensic experts and, yup, ransomware negotiators to help victims recover from a ransomware attack. And so a new industry was born.

Notice: The new RSS feed for Ride the Lightning is https://senseient.com/feed/?post_type=ride-the-lightning for those that wish to subscribe in a reader.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology