Five key approaches organizations should take during ransomware negotiations with extorters to improve the outcome were outlined by Pepijn Hack, cybersecurity analyst of Fox-TT, part of NCC Group, in a session at Black Hat Europe 2021.
Hack observed that when a successful ransomware attack occurs and payment demand issued, the attackers immediately have the upper hand in the negotiations that follow. This is firstly because they already have knowledge of their victim through research undertaken before the attack, helping them understand if they are likely to pay and how much they can afford. Secondly, they will have experienced numerous ransomware negotiations in the past, but it is likely the first time the victim is in that situation.
Presenting research carried out with a colleague at Fox-TT, Hack outlined what the attackers will consider during a ransom negotiation. These are the final ransom price, whether the victim will pay or not, the cost and risk to themselves and how many attacks are successfully carried out.
A comparison of two ransomware groups was then made via data collected between late 2019 and early 2021. For the first group, records of 681 negotiations were observed. For the second group, there were 105 negotiations. Across both, a similar amount (roughly 15%) of the victims paid the ransom. However, the average ransom amount paid was much lower in the first group than in the second, with the latter focusing on bigger companies and issuing higher demands. This suggests focusing on fewer but higher-value targets is a more fruitful approach for attackers.
Another interesting finding from this analysis was that “two companies with the same revenue, regardless of what the initial ransom demand was, the payment was quite similar.” This is interesting to note as it shows threat actors have “adopted an optimization strategy,” whereby they calculate “how much the victim is willing to pay in the end,” according to Hack.
“Adversaries have the advantage, but they still are only human, and we can take advantage of that”Pepijn Hack
Despite organizations in this position being in a dire situation, Hack said there are several actions they can take to improve their situation, whether they plan to pay or aim to buy time. It should be remembered that “adversaries have the advantage, but they still are only human, and we can take advantage of that.” Using insights gained from research into numerous ransomware negotiations, Hack offered five strategies organizations should employ in negotiations. Be respectful – while Hack acknowledged this might sound strange given your company has been hacked, he emphasized that staying polite and respectful during communications with the attackers is much more likely to lead to better outcomes. “One thing we saw was that when victims got angry or frustrated with the adversary, chats would get closed – good luck getting your files back then,” he stated. “Look at this like a business transaction,” added Hack. Ask for more time – Hack warned that attackers will try and pressure you into making quick decisions, which will be more likely to lead to bad outcomes for the victims. However, “in almost all cases, they were willing to extend the timer if you were still negotiating.” This can give victims more opportunity to assess their options, for example, if they are waiting to see if they can get backups for the stolen data. Promise to pay a small amount now or a larger amount later – Hack re-emphasized like cyber-attackers are people, and like all humans, “are not that good at delaying gratification.” Additionally, the adversaries are likely to want to conclude the negotiation as quickly as possible. Therefore, victims should try and take advantage of this mentality during negotiations. For example, if they have decided they have no choice but to pay, the victim can make it clear they can pay a much lower price now, and there would be a delay for a higher payment. Convince the adversary you cannot reach the ransom amount – Hack gave one example of a negotiation he analyzed as part of the research, in which the victim stated that the maximum they could pay was $500,000 (from a $13m demand). In the end, this was all they ended up paying, which was a far lower cost. This approach can even work for larger companies, with Hack revealing a Fortune 500 firm received a decryption key despite paying a far lower sum than was originally asked. Do not tell anyone you had cyber-insurance – “If the adversaries find out you have cyber-insurance, your negotiation is going to get a lot more difficult,” said Hack. He showed communications from attackers where they stated they knew the victim could pay a large amount because they had cyber insurance. As this information can often be obtained from stolen files, Hack advised: “keep the fact you have cyber-insurance secret, keep the files off your network. You might even want to go as far as making an agreement with your insurance company that they also keep it a secret on their end.”
Concluding, Hack reiterated that companies will always be on the back foot in ransomware negotiations. Nevertheless, there still are approaches that can be taken to mitigate the damage of the attack. “Depending on what your goal is during the negotiation – you want to stall for time while bringing up your backups, or you have decided the only way forward is to pay – there’s a different strategy you can use.”
He added it is crucial to provide this advice for organizations because, sadly, “ransomware is not going anywhere, it’s way too valuable a business.”