BradEgeland.com

The Reality of Ransomware Negotiations

9/10/2021

Fear can overwhelm the decision of whether to pay a ransom. But in negotiations, companies have to take a backseat.

Negotiating a ransom down to $0 is possible.

When COVID-19 began to put serious pressure on healthcare organizations, cybercriminals took advantage, especially ransomware gangs. But in at least one instance, a victim healthcare organization was able to level with their attackers.

"The threat actor basically said, 'Hey, we're actually really sorry about that. We're not trying to hit healthcare organizations, we're just going to give you a decrypter,'" said Drew Schmitt, principal threat intelligence analyst at GuidePoint Security, who has been partnering with third parties since 2019 to negotiate ransom payments.

Some ransomware groups are "not necessarily just doing what they're doing to watch the world burn. There are varying levels of how some groups feel about their operations," he said. "One of the most notable experiences I've had is having that free issuing of the decryptor."
Not all organizations are as lucky, and not all cybercriminals have a moral compass.

Fear lies at the root of the decision of whether to pay a ransom. When considering whether to pay, companies want to know how quickly operations can resume while uncovering the hole that allowed the ransomware in. As for the negotiation, companies have to take a backseat.
"The victim organization is involved very little in the direct negotiations. You don't want the emotions coming through in the negotiations and involving the client directly almost always results in that," said Jake Williams, co-founder and CTO at BreachQuest.

The ransom negotiator business took off in tandem with the rise of ransomware, starting around 2018. As negotiations become a more routine component of incident response, "I don't think it will be its own business for long," said Williams.

Tick tock

When a company onboards negotiators, they hand the reins to professionals with ransomware group experience. There is a sense of familiarity and anecdotes that allow negotiators to adapt to who they're talking to.

The first thing ransomware negotiators do is set up a secondary, backup channel for communicating with the criminals, since the actors might disable their email accounts, said Williams.

Historically, ransomware actors would provide the email address for their victims to contact. Now, ransomware actors share a link with instructions on how to interact with them. Once initial contact has been made, negotiations can start.

"Once you reach out and engage the threat actor, that's going to be kind of when your proverbial clock starts," said Schmitt. "That's when they know that you're aware of the situation, you've reached out to them, and they're going to kind of have this timeline in their head of how long this negotiation process should take."

If a company is able to determine what was encrypted or breached during an attack, the negotiator will ask the actor for sample data or screenshots to get a sense of the depth of the infection.

This is the most important role the victim company will play in the negotiation process because "there is no reason to pay if recovering encrypted data has no value. Only the victim company can forecast or ascribe what the value is," said Bill Siegel, co-founder and CEO of Coveware.

Negotiators, at the end of the day, do not make decisions on behalf of the company, Schmitt said. They are there to provide guidance to the victim company, insurance provider, or counsel based on previous interactions with the threat group.

Threat group relations

If a company determines the value of the hacked data could cause harm to the business and there are no effective solutions, fear can return. Payment will feel like the only option, so negotiations proceed.

This is where "we get a temperature check for how amenable the threat actor is to negotiating down the price. We have threat intelligence on groups and know the typical ransom demand movement and timelines for that," said Williams.

Negotiations are seldom linear, though negotiators try to keep the process within a few days of when a ransom note goes live. If a company is tempted to take longer or be more specific in their counteroffers, "it's our experience that that's when a threat actor starts to get a little bit more annoyed with the processor," and even aggressive, said Schmitt. The actors might retaliate and call the whole deal off, revoke the decryption keys, or publish the stolen data.

"Another reason we try to keep it shorter is because we want their attention during that time," especially when the interactions are based on a real-time chat platform, he said. Ransomware actors might lose interest in negotiations lasting longer than a few days and become less communicative.

"At this point, everybody's aware of how busy a lot of these groups are," said Schmitt. "I mean, they have a lot of victims that they're hitting on a very consistent basis."

The Conti ransomware group, for example, will usually have multiple negotiations going simultaneously. "They're interacting with the client, and not necessarily us. So there's still a little bit more of that veil or obfuscation as to who they're actually talking to," he said.

When the final amount is agreed upon by both parties, they involve a certified money services business (MSB) for the logistics of the payment. The MSB must confirm the group is not sanctioned by the Treasury Department's Office of Foreign Assets Control (OFAC) before it secures the cryptocurrency and completes the transaction.

Insurance companies become involved when the negotiation and payment processes are complete. "They just process claims when the entire process is over," said Siegel.

Customer service check

Because ransomware groups pride themselves on their reputation and customer service, relationships between criminal gangs and negotiators do develop. "We have worked with the same ransomware groups on multiple occasions and we rely on our MSB payment partners to ensure their due diligence negates the chance of paying a sanctioned group," said Williams.

However, ransomware groups that employ affiliates can complicate the negotiator-threat group relationship. Affiliates can go rogue, leaving the gang to answer for it. Ransomware group SunCrypt claims healthcare organizations are not one of its preferred targets. But last year SunCrypt operators had to clarify that a hack on University Hospital in New Jersey was the work of a new affiliate.

Though ransomware groups' customer service tends to be accommodating, trusting criminals is not a perfect science. Industry has seen ransomware groups make false promises before — like when Maze operators claimed its ransomware stopped short of "socially significant services," including "hospitals, cancer centers, maternity hospitals and other socially vital objects" in December 2016, but the group proceeded to target healthcare organizations involved in COVID-19 response in 2020.

A similar empty promise was made by the DarkSide gang. In October, DarkSide operators claimed to donate $10,000 in bitcoin to charities. "No matter how bad you think our work is, we are pleased to know that we helped change someone's life," DarkSide operators said, according to Emsisoft research. Charities cannot legally accept illegally obtained funds anyway, Emsisoft clarified. DarkSide also has a blacklist of targets; affiliates cannot target hospitals, nursing homes, morgues, funeral homes, schools, non-profits, and so forth.

Regardless of who targeted who and why, affiliates are typically not involved in the actual negotiations, according to Schmitt.

Negotiators keep profiles of known threat actors, including how those actors prefer to negotiate. Because the profiles are built on anecdotal evidence from past interactions, they can dictate which negotiation strategies are likely to be effective.


When negotiators work with groups using affiliates, they might ask the gang if it was one individual working out of line that caused the attack. But even if the group claims it was an individual act, "we of course can't confirm any of that," said Williams. "If we don't have reputational data on the group, it's hard to send significant sums of cryptocurrency with no means to recover it if you don't know you're getting a decryption key."

Negotiators have to build trust with cybercriminals, unreliable as that sounds. Trust goes beyond a company's chances of receiving a decryption key because the key may not work as promised.


"I've seen [encryption programs] encrypt entire file systems — 100 gigabyte file systems — in about five minutes. The decryption of that same file system took about 36 hours," with some files still missing, said Tyler Hudak, practice lead of incident response at TrustedSec, during a July webcast hosted by NinjaRMM. Costs will accrue despite paying a ransom.

Almost half of organizations that paid a ransom regained access to their data; however, at least some of it came back corrupted, according to a Cybereason survey of more than 1,200 information security professionals conducted in April. Only 15% of respondents said they had no issue with their returned data.

Williams tests the decryption program in a "safe environment" prior to paying, though it's an optional step, he said. "Most malware developers are not software engineers, so there's always a risk that sloppy encryption was performed because the software is buggy."
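The sandbox test Williams describes can be backed by a scripted integrity check. This is an added example, not code from the article or from any of the firms quoted: it compares a decryptor's output against SHA-256 hashes taken from backups (or, where no hash survives, against expected file headers) and reports which files are intact, corrupted or missing. The manifest, file types and sample files are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Expected leading bytes for a few file types; a weak fallback check used only
# when no pre-incident hash exists (assumption: these are the types that matter).
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
}

def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large decrypted files do not hit memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_decryption(decrypted_dir: Path, manifest: dict) -> dict:
    """manifest maps relative path -> known-good sha256 (or None if unknown).
    Returns lists of files that are ok, corrupted, missing, or unverifiable."""
    report = {"ok": [], "corrupted": [], "missing": [], "unverified": []}
    for rel, expected in manifest.items():
        p = decrypted_dir / rel
        if not p.is_file():
            report["missing"].append(rel)          # decryptor never wrote it back
        elif expected is None:
            magic = MAGIC.get(p.suffix.lower())    # header-only sanity check
            with p.open("rb") as f:
                ok = magic is not None and f.read(len(magic)) == magic
            (report["ok"] if ok else report["unverified"]).append(rel)
        elif sha256_file(p) == expected:
            report["ok"].append(rel)
        else:
            report["corrupted"].append(rel)        # buggy decryption or truncation
    return report

def demo() -> dict:
    """Constructed sample: one intact PDF with no backup hash, one text file the
    decryptor padded with NULs, and one PNG that was never restored."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "report.pdf").write_bytes(b"%PDF-1.7 intact")
        (d / "ledger.txt").write_bytes(b"balance 100\x00\x00\x00")
        manifest = {
            "report.pdf": None,
            "ledger.txt": hashlib.sha256(b"balance 100\n").hexdigest(),
            "photo.png": hashlib.sha256(b"original image bytes").hexdigest(),
        }
        return verify_decryption(d, manifest)
```

Run it against the decryptor's output on a copy of the encrypted data, using a manifest exported from the last good backup, before deciding whether the payment bought anything usable.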

Recommended Reading:
CYBERSECURITY DIVE: What to consider before paying a ransom

Published Sept. 9, 2021 in Cybersecurity Dive
Samantha Schwartz - Reporter

Author: Brad Egeland

Named the "#1 Provider of Project Management Content in the World," Brad Egeland has over 25 years of professional IT experience as a developer, manager, project manager, cybersecurity enthusiast, consultant and author. He has written more than 8,000 expert online articles, eBooks, white papers and video articles for clients worldwide. If you want Brad to write for your site, contact him. Want your content on this blog and promoted? Contact him. Looking for advice/mentoring? Contact him.