
Negotiating a ransomware incident is similar to a tennis game. Each player hits the ball into the other's court as a well-calculated move according to a pre-defined strategy. Both parties are well aware of the situation and share a common goal: to bring the incident to a conclusion that is successful as far as they are concerned, while maximizing the conditions favorable to their own side.

However, there are sometimes external factors that are beyond the control of either party and that affect the event in a way that could not have been planned for in advance.

In a recent event managed by @CIPTEAM, the negotiations with the threat actor began according to the standard procedure. In this case, because of the threat actor's characteristics, they were conducted not on a dedicated chat platform but over an anonymous email service and Telegram. Contact was made with the threat actor, rapport and trust were established, and the process of verifying the threat actor's intentions and capabilities in terms of restoring the victim to functionality began. After an exchange of several messages, the connection was suddenly cut off: the email account used by the threat actor had been blocked and the line of communication had been severed.

A quick check revealed that, at exactly the same time, an article had been published on a specialized online news platform describing the threat actor, a new player on the ransomware scene. The article described the method of operation used by this specific threat actor, and it also revealed the email address the threat actor was using. Following the publication, the provider of the anonymous email service blocked the account, and the threat actor himself temporarily limited his use of other means of communication.

The victim was literally in limbo, threatened by the possibility of losing the option to effectively negotiate the return of his business vitality.

This was one of many examples of the influence of external, unplanned factors on the conduct of negotiations in a ransomware incident.

In this case too, the situation was resolved through flexibility and creativity. @CIPTeam performed a technological scan aimed at locating additional means of communication in use by the specific threat actor, and succeeded in doing so.

Communication with the threat actor was reestablished, negotiations resumed, and the incident was brought to a successful resolution. Out-of-the-box thinking, technological creativity, and establishing rapport are critical elements in promoting a favorable resolution of a ransomware incident.