How ransomware negotiations work

Here's what experienced negotiators say your organization should expect if it ever needs to pay a ransomware demand.


However, before any transaction takes place, the threat actor must prove their ability to decrypt files. That's usually done on a sample set of data, but it doesn't eliminate the risk. In some cases the decryptor provided by the attackers might have bugs, might fail to work on certain systems or volumes, or might leave some data corrupted. Some companies specialize in reverse-engineering such decryptors and reimplementing them in a more efficient tool that uses only the decryption key provided by the attackers.
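One check a recovery team would run on the attacker's proof-of-decryption sample set (an added example, not code from the article or any named firm): compare each decrypted file against hashes taken from a pre-incident backup and sanity-check the file headers, so a buggy decryptor or partially corrupted output is caught before any payment. The manifest, paths and file contents below are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Well-known file signatures used only as a sanity check on decrypted output.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def detect_type(path):
    with open(path, "rb") as f:
        head = f.read(16)
    return next((name for sig, name in MAGIC.items() if head.startswith(sig)), None)

def verify_decrypted_samples(manifest, decrypted_dir):
    """manifest maps relative path -> sha256 of the pre-incident copy.
    Files are sorted into ok / corrupted (hash mismatch) / missing; a corrupted
    file whose header matches no known type is also listed as unknown_type."""
    report = {"ok": [], "corrupted": [], "missing": [], "unknown_type": []}
    for rel, expected in manifest.items():
        path = os.path.join(decrypted_dir, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["corrupted"].append(rel)
            if detect_type(path) is None:
                report["unknown_type"].append(rel)
        else:
            report["ok"].append(rel)
    return report

def demo():
    # Constructed sample set: one file decrypts cleanly, one comes back with a
    # damaged header, one is never produced by the decryptor at all.
    originals = {
        "finance/q3.pdf": b"%PDF-1.7\n%constructed sample\n",
        "hr/roster.zip": b"PK\x03\x04" + b"\x00" * 26 + b"constructed",
        "legal/contract.pdf": b"%PDF-1.4\nconstructed\n",
    }
    manifest = {k: hashlib.sha256(v).hexdigest() for k, v in originals.items()}
    out = tempfile.mkdtemp()
    for rel, data in originals.items():
        if rel == "legal/contract.pdf":
            continue  # simulate a file the decryptor failed to write
        path = os.path.join(out, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data if rel.endswith(".pdf") else b"\x00\x00" + data[2:])
    return verify_decrypted_samples(manifest, out)
```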

There might also be situations where attackers use different keys across different systems on the network, which is why it's important to have that forensics and threat intelligence component to understand the attacker and their modus operandi before approaching them.

Once the payment is made through the infrastructure supplied by or agreed with the negotiator, the full record of the communication, information collected about the threat actor, and information about the transaction is provided to the customer for record keeping and legal reasons.

Threats to leak data complicate negotiations and recovery

When dealing with a theft of data as part of the same attack, where the attackers also threaten to leak the data, things are a bit more complicated because there is no way to guarantee that the attackers have destroyed the stolen data. Security firm Coveware, which also specializes in ransomware response and negotiation, reported last year that they've seen many cases where victims who already paid the ransoms were extorted with the same data set later or where the data was leaked online anyway.

As more ransomware groups adopt this technique, ransomware incidents will have to be treated as data breaches and go through all the processes that are required in such cases. Victims might also have to consider paying a threat intelligence firm to monitor underground forums and marketplaces for their stolen data, so they can anticipate where it might end up and how it might be used, and take additional preventive actions.

Post-mortems identify lessons learned

Every incident will also have a post-mortem review among the various parties that were involved—the legal team, the IR and IT teams, the ransomware negotiation specialist—where all the information will be reviewed. The lessons learned from this process should be turned into a project to improve the organization's capabilities to block or slow down such attacks in the future.

Copyright © 2021 IDG Communications, Inc.
