An analysis of ransomware attack negotiation-data offers best practices.
Ransomware has become part of the cost of doing business, and driving down that cost can be the difference between recovery and catastrophe.
A data analysis from Fox-IT, part of NCC Group, offers some best practices for how to minimize the fallout of a ransomware attack, after creating a dataset of 700 ransomware negotiations which occurred between 2019 and 2020.
Once breached, the optimal response is not to engage at all, the researchers explain, but of course that’s a luxury most victims can’t afford.
Fox-IT cybersecurity analyst Pepijn Hack and Zong-Yu Wu, a threat analyst with the company, explained that when negotiation is the only choice, there are strategies to affect the best possible outcome.
“There is a negative sentiment in our society towards paying or negotiating with criminals, and the legitimacy and ethics of it are also questionable to say the least,” the report said. “Nonetheless, we realize that a significant percentage of companies currently do end up paying the ransom demand.”
Ransomware Econ 101
Ransomware groups already know how much their victims can afford to pay, the data shows. Their business model depends on them knowing how potentially lucrative a target might be and how likely a company is to pay.
“First and most importantly, the total profit is not only influenced by the amount of ransom they demand from the victim,” the researchers wrote. “It also depends on whether the victim decides to pay, and the costs of the operation.”
Costs to ransomware groups can include fees to launder extorted cryptocurrency, ransomware-as-a-service fees and commissions, and the cost of carrying out the attack itself, according to the report.
“The results show that the adversaries operating behind the dataset we collected knew how much ransom a victim is willing to pay before the negotiation had started,” the analysts explained. “Another interesting observation is that smaller companies generally pay more from a rate-of-return point of view. In other words, a smaller company pays less in absolute amount but higher in percentage of their revenue.”
How to Negotiate with Ransomware Groups
The clock starts as soon as you click on the link provided by the ransomware group, the researchers warn. So, it’s critical for the organization’s staff to pull together a cohesive plan before starting the countdown. What is the breach? What is the best outcome for the organization? Who is responsible for communicating internally and externally? These are all questions that are fundamental to answer before proceeding, according to the firm.
The researchers also advised anyone under attack to get the adversaries to switch communications to a secured channel immediately.
“The first thing any company should do is try to set up a different means of communication with the adversary and if they do not want to switch, they should realize their communication is not private,” the researchers added. “It happened multiple times that during a negotiation a chat got infiltrated by third parties who started interfering and disturbing the negotiation.”
The next tip might be tough, but the report warned that being rude or mistreating the threat actor isn’t in the organization’s best interests.
Be Professional, Ask for More Time
“We have seen multiple examples of companies getting frustrated and angry in conversations with threat actors resulting in chats being closed,” they wrote. “Look at the ransomware crisis as a business transaction. Hire outside help if needed but stay professional.”
The attacker will likely try to rush the victims and force them into acting quickly, the report said. Targets should ask for more time if they need it — in almost all situations examined by Fox-IT, attackers granted their request for a deadline extension.
“This can be helpful for several reasons. In the beginning of the process, you will need time to assess the situation and rule out any possibilities of restoring your data,” the report said. “Similarly, it can give you extra time to produce different strategies. If you decide to pay in the end, you will need to make arrangements to acquire the right cryptocurrency.”
Other strategies include offering a smaller amount than demanded right away, with a promise of more later, and, more bluntly, trying to convince the ransomware group there’s no money to pay.
The researchers also warned that a target shouldn’t tell anyone if there is cyberinsurance coverage.
“Although a company could still tell the adversary that the insurance company is not willing to pay, this limits the options for any negotiation severely,” the report said.
Other tips the report provides for those negotiating with a ransomware attacker include asking for a test file to be decrypted, proof that stolen files have been deleted, and a full explanation of how the attackers pulled off the breach.
Even with those assurances, there’s no way for a target to know their files won’t be leaked or sold, the researchers added.
“Even if they properly deleted your files, who’s to say any of the other people in the chain did not quickly make a copy of some interesting files for ‘personal usage.’”