What does a ransomware negotiator do during an attack? The instinctive answer would be “Negotiate with the threat actor” or “Get the ransom as low as possible.” Well, yes, that too. But there is much more that a corporation that has fallen victim to a ransomware attack can get from a professional negotiator who is closely familiar with the ways of ransomware, its perpetrators, and their motivations and tactics.

The urgent phase of a ransomware incident is best described as a chaotic hall of mirrors in which things rarely seem to make sense and the right course of action is more often than not unclear. The negotiator is the one who advises the executive team on the most suitable approach to the challenges faced, plots the course of action, and takes responsibility for threat-actor communications.

The first order of battle is to conduct an in-depth debrief of the victim and collect the available evidence, for example the ransom note, the timeline of events, and the actions taken by the victim up to this point. With this information, and based on the negotiator’s knowledge and experience, some sense can be brought to the environment of chaos and uncertainty. This serves to identify, classify, and scope the incident. Not all ransomware attacks are the same, and certainly not all threat-actors or ransomware organizations are identical or even share the same motivations, tactics, or means and methods of operation. The result is a preliminary sketch of the roadmap: first risk analysis, then risk management, and eventually a path that keeps the incident from developing into a crisis and leads to its resolution.

Based on these preliminary conclusions, the negotiator advises on the pros and cons of communicating with the threat-actor. Every attack and every threat-actor is different, but in most cases the advantages of conducting threat-actor communications outweigh the disadvantages. And no, the fact that the victim communicates with the threat-actor does not mean it is willing to pay the ransom. Not at all.

So, what is there to gain from engaging the threat-actor? A lot! The threat-actor is a human being (up to this point I haven’t encountered a bot negotiating on behalf of an assailant). Through the process of communication we are able to build an understanding of the attacker, verify his claimed identity, and form a baseline assessment of his trustworthiness. Today, most ransomware criminals engage in what is called double (and sometimes triple) extortion. The ransom notes received will claim the hackers have both encrypted and stolen the victim’s data. But can we know this for a fact? Would this knowledge help us in the process of risk assessment and management? It clearly would. And there is no other way to know this with the level of certainty provided by directly engaging the threat-actor.

Also, by communicating we are able to turn the factor of time in our favor and regain some control over the course of events. By refraining from engaging the threat-actor, we abandon the battlefield to the mercy of the assailant, leaving him in the dark, not knowing whether his threats were received and therefore prone to escalate by publishing the fact of the attack and even samples of the stolen data. This would certainly have a negative effect on the victim’s standing, reputation, and legal exposure. Most victims wouldn’t like that.

In a recent incident we were retained to negotiate on behalf of a multi-national financial corporation. The ransom note claimed (as it always does) that the victim’s servers were encrypted and that invaluable information was stolen. The understanding was that the encryption was less of an issue, as the victim’s assessment was that it had viable backups that had not been reached by the assailant. Data exposure was a different ball game. It was a significant threat to the victim’s image, reputation, financials, and even survival. As the CEO phrased it, the exposure of the data was critical to existential. Knowing that, we made it our top priority to ascertain whether the threat-actor held the victim’s data, what type of data was held hostage, and whether it was in a state that would endanger the client if released. Employing negotiation techniques and hands-on intelligence gathering and analysis experience, we were able to assess, with a high level of certainty, that the threat-actor did not hold viable client data due to a technical mishap during the data exfiltration phase of the attack. One can imagine the sense of relief. The victim could now use the time factor to make sure it could in fact restore from backups while not giving the assailant excuses to escalate. The incident was successfully closed without paying the ransom.

In other cases, where the victim sees no other option than to pay the ransom, a professional negotiator is able to use the available data to significantly lower the demands to a level the victim can live with. A professional ransomware negotiator does much more than “negotiate”. He supports the victim’s crisis management team, collects and analyzes threat-actor intelligence, offers insights into threat-actor motivations and tactics, presents to the victim the potential gains and consequences of different courses of action, leading it along the roadmap to incident resolution, and yes, he also negotiates.
