Tips for negotiating with cyber extortionists

Paying ransom to a cyber extortionist holding enterprise data hostage might seem like a poor idea in principle but sometimes it might the best, or even only, option for extricating your organization from a crisis.

Seventy percent of businesses hit in ransomware attacks have paid to resolve the problem, half of them over $10,000 and 20 percent over $40,000, a recent IBM survey of 600 corporate executives showed. Nearly six in 10 indicated they would be willing to pay a ransom to recover data.

If your organization happens to be among those willing to consider a ransom payment, it is a good idea to devise a strategy for negotiating with the attackers before the need for it actually arises.

Plan ahead

"All companies should have a general process and tabletop developed on a ransomware scenario," says Chris Pierson, chief security officer and general counsel at Viewpost, an online invoicing and electronic payments company.

The strategy should consider the financial, reputational, and operational impacts of being negatively impacted by ransomware. Any decision on whether or not to pay the ransom and how much should involve your organization's security, legal, financial, business, technology and public relations groups, Pierson says.

Depending on the scale of the potential harm, you will also likely need to bring in outside legal experts, external forensics, security, and PR teams.

"Hopefully these players have all been previously identified and been through tabletop scenarios," so you don't have to wing your way through the middle of an unfolding crisis, he says.

Be prepared for sticker shock

One mistake that organizations can make when preparing such plans is to assume that ransomware attacks will continue to be relatively low-dollar value extortion scams where often it is easier--and cheaper--to make the problem go away by paying a few bitcoins.

Cybercriminals who manage to get their hands on your trade secrets, intellectual property or indeed any data vital to keeping your business running could easily scale their demands into the hundreds of thousands of dollars. And sometimes, they can get more leverage by threatening to expose the data, or sell it to rivals than simply encrypting it.

Matt Kesner, CIO at Fenwick & West LLP says his law firm has considered the potential implications of a major ransomware infection and what it would do in the event of one. While there is no real consensus yet on the right course of action, the firm has taken some preparatory steps all the same.

For example, it has established a relationship with a financial institution that deals in bitcoin, the currency of choice for cyber extortionists. "We have also established an amount that senior management is comfortable having the CIO or CSO spend without further authorization in the event of a successful ransomware attack," Kesner said. "Above that amount would require that we obtain additional authority at the time of the demand."

Figure out the cost of no action

One of the keys to successful negotiation when hackers are holding your data ransom is to have a precise idea of how much it would cost you if you do not comply with the demand, says Moty Cristal, CEO of NEST Negotiation Strategies, an Israeli firm that offers specialized negotiation services for a variety of hostage scenarios.

When evaluating your best alternative to a negotiated agreement (BATNA) consider the potential damage the attackers could do to your data, services, infrastructure and reputation if you do not submit to their demands, Cristal says.

Unlike a real-world hostage situation where you have a fairly reasonable idea of whom you are negotiating with, cyber extortionists can be anyone, anywhere. "They could be sitting in a loft or an apartment in Russia, or Belarus or China or India. They see no risk or threat and the chances you will get them to make mistakes are remote," Cristal says.

When negotiating with extortionists there's no guarantee that they haven't already copied your data or sold it to someone else or that they will decrypt it as promised. Sometimes, decisions on whether to make a payment will come down to a judgment call, Cristal said.

Communications with the extortionists should focus on gaining as much intelligence as possible on the group, malware used, motives, and other digital fingerprinting evidence, Pierson says. "In addition, the victims will want to receive some proof of life that their data can be decrypted."

Don't let IT lead crisis response

When negotiating with cyber extortionists try not to think of it as solely a technology or a security issue and don't have an IT-lead team handle the crisis, Cristal said.

"Crisis response has to be a broad effort. It should never be lead by the head of IT," he says. "To put it bluntly, their butt is on the grill and their decision making will likely always be biased to cover their ass."

It is important also not to let personal egos and finger-pointing get in the way of rational decision making. There's nothing like a full-fledged data hostage crisis to expose the fault lines in an organization's collaborative decision making ability, Cristal says.

He pointed to one negotiation in which Nest was involved, where an executive at a financial services company refused to sign-off on a 500-bitcoin ransom until the extortionists agreed to describe the amount as payment for a penetration test, rather than a ransom.

"We got a nice letter from them saying what they had done was a penetration test," and the executive then paid the amount, Cristal said. "The stumbling block was his ego."

Stakeholders from the entire company from the C-suite down need to be involved in the negotiation process, says Andrew Hay, chief information security officer at storage company DataGravity.

"While the IT team primarily thinks of a breach from a technology perspective, C-level executives are thinking about it from a business perspective," Hay says. "You must merge these two different views to develop a cohesive response strategy."

Never disrespect the cyber extortionist

For the same reason that you never really know who the extortionists are, don’t disrespect them. If you decide not to negotiate with an attacker it is better to communicate that decision as professionally as you can.

"There's no Yelp or Angie's List for ransomware attackers," Hay notes wryly. So there's no simple way to determine the attackers abilities.

Because it's hard to know exactly what data or access the attackers might have on you, or their potential to cause future harm, treat them courteously, Cristal explains.

Rather than abruptly cutting off communications it is better to explain your decision in a respectful manner. Communicate with the attacker that you got legal advice not to pay the ransom," he says. "Be extremely professional in the way you communicate and try not be emotionally impacted by the incident."