How ransomware negotiations work

Here's what experienced negotiators say your organization should expect if it ever needs to pay a ransomware demand.

Page 2 of 2

However, before any transaction takes place, the threat actor must prove their ability to decrypt files. That's usually done on a sample set of data, but it doesn't mean there's no risk. In some cases the decryptor provided by the attackers might have bugs, might fail to work on certain systems or volumes, or might leave some data corrupted. Some companies specialize in reverse-engineering such decryptors and reimplementing them as a more efficient tool that only uses the decryption key provided by the attackers.
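The proof-of-decryption step is where a responder can catch a buggy or partial decryptor before any payment is made. The following is an added example, not code from the article or from any negotiation or recovery vendor, showing how the returned sample set can be validated: files with a pre-incident SHA-256 (from backups or a file inventory) are compared byte-for-byte, and files without one only get a weak magic-byte plausibility check. The sample files, hashes and paths are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Magic bytes: only a weak plausibility check when no pre-incident hash exists.
MAGIC = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def validate_decrypted(sample_dir, known_hashes):
    """Classify each file the attacker's test decryptor produced. known_hashes maps
    a POSIX-style relative path to the SHA-256 recorded before the incident (from
    backups or a file inventory). Returns {relpath: ok|corrupt|missing|plausible|unverified}."""
    sample_dir = Path(sample_dir)
    results = {}
    for rel, expected in known_hashes.items():
        p = sample_dir / rel
        if not p.is_file():
            results[rel] = "missing"    # attacker never returned it
        elif sha256_file(p) == expected:
            results[rel] = "ok"         # byte-for-byte identical to the original
        else:
            results[rel] = "corrupt"    # decryptor bug, wrong key or partial output
    for p in sample_dir.rglob("*"):     # files we have no reference hash for
        rel = p.relative_to(sample_dir).as_posix()
        if p.is_file() and rel not in results:
            with open(p, "rb") as f:
                head = f.read(8)
            results[rel] = "plausible" if head.startswith(MAGIC) else "unverified"
    return results

def demo():
    """Constructed sample set (not real data): intact, truncated, no-hash and never-returned files."""
    with tempfile.TemporaryDirectory() as d:
        good = b"%PDF-1.4 quarterly report\n"
        (Path(d) / "report.pdf").write_bytes(good)
        (Path(d) / "ledger.xlsx").write_bytes(b"PK\x03\x04 truncated")
        (Path(d) / "notes.pdf").write_bytes(b"%PDF-1.7 no inventory hash\n")
        known = {
            "report.pdf": hashlib.sha256(good).hexdigest(),
            "ledger.xlsx": hashlib.sha256(b"PK\x03\x04 full workbook").hexdigest(),
            "photo.jpg": "0" * 64,  # placeholder: file the attacker did not return
        }
        return validate_decrypted(d, known)
```

Anything reported as corrupt or missing should go back to the negotiator as evidence before the sample is accepted as proof; a "plausible" file has only a valid header, which does not show it is intact.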

There might also be situations where attackers use different keys across different systems on the network, which is why a forensics and threat intelligence component is needed to understand the attacker and their modus operandi before approaching them.

Once the payment is made through the infrastructure supplied by or agreed with the negotiator, the full record of the communication, information collected about the threat actor, and information about the transaction is provided to the customer for record keeping and legal reasons.

Threats to leak data complicate negotiations and recovery

When dealing with a theft of data as part of the same attack, where the attackers also threaten to leak the data, things are a bit more complicated because there is no way to guarantee that the attackers have destroyed the stolen data. Security firm Coveware, which also specializes in ransomware response and negotiation, reported last year that it has seen many cases where victims who had already paid the ransom were extorted with the same data set later, or where the data was leaked online anyway.

As more ransomware groups adopt this technique, ransomware incidents will have to be treated as data breaches and go through all the processes that are required in such cases. Victims might also have to consider paying a threat intelligence firm to monitor underground forums and marketplaces for their stolen data, so that they learn where it ends up and how it might be used, and can take additional preventive actions.

Some ransomware gangs have taken it even further, employing triple extortion tactics. Grief, a ransomware group previously known for the DoppelPaymer ransomware, has warned victims that if they contact law enforcement or engage professional ransomware negotiators or data recovery experts, it will destroy the decryption key.

The Grief ransomware is tied to Evil Corp, a group that was put on the sanctions list by the US Department of the Treasury. If law enforcement or ransomware negotiators are contacted, there's a very high chance the victim will learn who they're dealing with, and they will be much less likely to pay the ransom because they could face civil penalties and their insurer might not cover the payment. Evil Corp has clear incentives to discourage victims from contacting third parties, but it's not the only ransomware group that has recently taken this stance. Other groups are upset because ransom negotiation logs are sometimes leaked and show up in media articles or on Twitter.

"The fact that threat actors do not want their victims to contact law enforcement is a very strong indication that they should," Brett Callow, a threat analyst at Emsisoft, told CSO. "Law enforcement agencies can provide victims with valuable assistance and, in some cases, even help them recover their data without needing to pay the ransom."

An updated OFAC advisory from September puts even more emphasis on contacting law enforcement, presenting it as one of the primary mitigating factors when considering an enforcement response to a sanctions violation.

Post-mortems identify lessons learned

Every incident will also have a post-mortem review among the various parties that were involved—the legal team, the IR and IT teams, the ransomware negotiation specialist—where all the information will be reviewed. The lessons learned from this process should be turned into a project to improve the organization's capabilities to block or slow down such attacks in the future.

Editor's note: This article, originally published on February 15, 2021, has been updated to include information on triple-threat ransomware.

Copyright © 2021 IDG Communications, Inc.
