7 best practices for negotiating ransomware payments

Oct 18, 2018 | 11 mins

Data and Information Security, DLP Software, Ransomware

Sometimes companies are forced to meet cyber criminals’ ransom or extortion demands. This advice will give you your best chance to get your data back and preserve your reputation.

Whether through ransomware, data theft, a distributed denial of service (DDoS) attack or General Data Protection Regulation (GDPR)-based extortion, criminals demanding money from organizations in exchange for the return of data or for continued business operations remains a common occurrence. The best advice, of course, is not to pay, but as a last resort some organizations might feel the need to negotiate with cybercriminals during a cyberattack.

Perhaps the backups have failed, maybe criminals have your most sensitive data, or the size of a threatened DDoS attack would overwhelm your systems. An older study from 2015 estimated as many as 30 percent of security professionals would be willing to negotiate to get their data back, but who should take the lead, and how should you go about negotiating?

Corporate extortion and ransomware were listed as the “most significant risks to businesses” by 72 percent of respondents in a global survey of 900 CIOs by Logicalis, and Europol’s 2018 Internet Organised Crime Threat Assessment found an increasing trend of cyber extortion, and predicted more in the future.

What the data says about paying ransoms

The FBI, the UK’s National Crime Agency, and most cyber security experts recommend never paying the ransom. Aside from the ethics of funding criminals, there are no guarantees that criminals will stick to their end of the bargain, and it could encourage further attempts at extortion. Depending on your industry, location and who you’re paying, there could also be legal and regulatory repercussions.

Despite this, many companies do pay the ransom. A study from CyberEdge Group found around 40 percent of companies affected by ransom attacks paid, but only half actually got their data back. More than half of the 1,000 companies surveyed didn’t pay but still managed to recover their data.

Instead of paying, organizations should be ready for such attacks. Having a good backup and recovery system in place is the quickest and least painful way to recover after a ransom attack. Encrypting your sensitive data can make it less valuable if taken. DDoS protection can mitigate these attacks. Being GDPR compliant lessens the threat of criminals reporting you. Good user education around the dangers of phishing can help prevent criminals entering your network.

If your best efforts to protect against ransom or other extortion demands have failed, then follow these best practices to prepare for and execute negotiations with criminals.

1. Engage with the hackers quickly

Even if you have no intention of paying, negotiating can give an organization more time to verify claims, identify the source of a leak, perform triage, and attempt to decrypt or restore affected systems from backup. “Payment is always the last resort but engaging with the hackers is something we suggest to clients immediately,” says Bill Siegel, CEO of Coveware, a startup that provides negotiation services.

Common negotiation methods or delay tactics include explaining there are no funds available, claiming senior management won’t approve the transfer, or simply feigning confusion at how to source and make cryptocurrency payments.

Communication with criminals is often done over their preferred medium — typically encrypted email or encrypted chat services — and contact information is provided in the original demand. Of course, some ransom attacks are simply automated off-the-shelf “spray and pray” attacks with no means of communication beyond a bitcoin wallet address, but more sophisticated or targeted attacks will have communication channels. Some ransomware variants even have customer service agents. It’s also important to note that, unless your company has been targeted specifically, you should not reveal your identity, as it might encourage further targeting.

“Most of the time the communications are crossing time zones, language barriers and gaps in technical proficiency. Important details get lost in translation very easily if you don’t know what to ask and how to interpret responses,” says Siegel.

2. Verify that the attacker has your data and can decrypt it

Verification is important; being sure an attacker actually has the data they say they have stolen, or has the ability to decrypt data you can’t access, is a key first step in any negotiation. According to a new AlienVault report, 65 percent of those surveyed said they would be confident in verifying whether claims were true or false. Twenty-five percent, however, admitted they were not confident in their ability to ascertain whether data had been stolen or not.

“It’s so easy to rent a botnet and launch a DDoS attack,” says Javvad Malik, security advocate at AlienVault. “If it’s something like stolen data, in most cases hackers are happy to provide a sample. That’s really useful because it allows you to zero in on what data was taken, what system that it’s on, so that gives you something to focus in on. Look at those logs, do a deep dive and see if there’s any indication that this is true or not.”

Many ransomware variants include a free decryptor tool as standard. In more targeted attacks, sending over an encrypted file – preferably one you know contains benign information – for attackers to return decrypted is a good way to verify claims and provide you with extra intel.
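The test-file check described above, as an added example that is not part of the article: it picks a small, non-sensitive file whose pre-encryption SHA-256 is known (assumed to come from backups or a file-integrity index) and then checks the bytes the attacker returns against that hash, treating them as untrusted until they match. The candidate list and file contents are constructed.

```python
# Added example (not from the article): choosing a benign test file to send for
# trial decryption and checking what comes back. Assumes the incident team can
# obtain pre-encryption SHA-256 hashes for some files (backups or an integrity
# index); the candidate list and sample bytes below are constructed.
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Candidate:
    path: str            # path of the now-encrypted file on the affected system
    known_sha256: str    # SHA-256 of the original content, from backup/index
    sensitive: bool      # holds confidential data? never hand such a file over
    size_bytes: int


def choose_test_file(candidates: list, max_size: int = 64 * 1024) -> Optional[Candidate]:
    """Pick the smallest non-sensitive file whose pre-encryption hash is known.

    A small benign file discloses nothing the attacker does not already hold and
    keeps the round trip quick; the known hash is what makes the result checkable.
    """
    eligible = [c for c in candidates if not c.sensitive and c.size_bytes <= max_size]
    return min(eligible, key=lambda c: c.size_bytes, default=None)


def verify_returned_file(returned: bytes, chosen: Candidate) -> dict:
    """Compare untrusted returned bytes to the known-good hash.

    Only an exact match verifies that the attacker can decrypt; anything else is
    unverified and must not be opened, since the content could be arbitrary.
    """
    actual = hashlib.sha256(returned).hexdigest()
    return {"verified": actual == chosen.known_sha256,
            "expected": chosen.known_sha256, "actual": actual}


# Constructed sample data: a harmless notice whose exact content we know.
ORIGINAL_NOTICE = b"Office closed on public holidays. Contact reception for access.\n"

CANDIDATES = [
    Candidate("hr/payroll_2018.xlsx", hashlib.sha256(b"<constructed payroll>").hexdigest(), True, 120_000),
    Candidate("public/notice.txt", hashlib.sha256(ORIGINAL_NOTICE).hexdigest(), False, len(ORIGINAL_NOTICE)),
    Candidate("public/brochure.pdf", hashlib.sha256(b"<constructed brochure>").hexdigest(), False, 2_000_000),
]

if __name__ == "__main__":
    chosen = choose_test_file(CANDIDATES)
    print("send for trial decryption:", chosen.path)
    print(verify_returned_file(ORIGINAL_NOTICE, chosen))                    # exact match: verified
    print(verify_returned_file(ORIGINAL_NOTICE + b"trailing junk", chosen))  # mismatch: not verified
```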

3. Don’t be afraid to haggle on price

Companies sometimes make attempts to haggle down a price. Last year the CEO of South Korean web hosting site Nayana managed to negotiate a ransom price down from 550 Bitcoin to 397.6 Bitcoin; around $1 million at the time.

“The attacker may stand firm on the fee at first, but we find the second or third communication is when the attacker considers decreasing the fee,” says Cindy Murphy, president of digital forensics at Gillware Digital Forensics. “Surprisingly, similar to retail or food service, if you ask to speak to the manager you’ll likely make more headway in negotiations and recovering any compromised data.”

4. Determine who should lead negotiations with cybercriminals

In the AlienVault report, respondents rated the CISO as the role best suited to negotiate extortion or ransom demands. The head of the IT department and executive personnel came second and third as candidates to lead a negotiation.

However, while the CISO might want to lead from a technical perspective, it’s important to take a collaborative approach with key members of the organization in such a situation. “I don’t think any single person is capable of making the decision in a vacuum,” says Coveware’s Siegel. “The CISO understands the value of the data, the CFO understands the financial impact of the downtime and the costs of the ransom (which are typically a small fraction of the downtime costs), and the CEO understands how both impact that operability of the company internally and externally.”

“The CSO/CISO should lead from an investigations perspective purely from the fact they’re probably best placed to actually ascertain the legitimacy of that claim,” says AlienVault’s Malik. “That’s the big challenge; anyone could go up to any company and say, ‘I’ve hacked you, I’m going to release this information,’ and for most companies it will be a very turbulent period where they have got to try and verify these claims.”

However, when it comes to actually negotiating with the criminals, the task might be better suited to someone who’s a professional in the field — someone who can buy the organization time and understands the psychology and the motivations behind an attack. Someone untrained could make the situation worse, and the IT manager might not be the one with that particular skillset.

“You may have to get creative,” says Joan Pepin, CISO of Auth0. “Maybe it’s someone in finance, or if you’re a large company, someone in your M&A [mergers and acquisitions] department. Involve your general counsel and law enforcement as well and try not to go into any negotiation alone.”

Consultancies, cyber-insurance providers, and incident response firms offer negotiating services as part of their ransomware protection offerings. They can offer dedicated negotiators, triage around the types of ransomware used (and whether it can be easily decrypted), or facilitate payment as a last resort. Aside from the specialist skills of negotiation, hiring an external party to talk to criminals enables discussions to be conducted in a neutral way by someone who isn’t close to the situation.

“In any negotiation, you need to be approachable, patient, calm and ‘open’ to the negotiation process,” explains Chris Moses, senior operations manager at Blackstone Consultancy. “You also need to be rather unemotional or detached about it and although it might be quite emotional, you have to be a pragmatist.”

5. Have a plan to deal with all internal and external stakeholders

There are times when negotiations come to an impasse and you’re forced to pay. Be warned: Even if you pay to get your data back or prevent an unwanted situation, there are downsides.

Uber received negative headlines after it was revealed the ride-hailing service paid $100,000 to hackers to get them to delete stolen data on 57 million customers and drivers and not publicize the breach. Uber’s then-CSO Joe Sullivan left the company shortly after it admitted the breach, and governments across the world began investigations as a result of the cover-up.

“If you feel like you can’t go further with negotiation, come clean with your customers and shareholders,” says AlienVault’s Malik. “At least you release the information on your own terms, and you put in place those controls so you can give proactive advice and take control of the situation.”

“Being breached isn’t a big deal these days; no one is really surprised,” Malik adds. “People are more appreciative of the response they get from the company. That’s far more telling of how they value their customers than ‘did they get breached or not’.”

Ultimately the best thing to do in preparation is have a business continuity plan — being fully prepared in knowing who should be involved and what they should be doing in such an event. Make sure members of the security, finance and legal teams are involved and prepared, know what actions to take first and what actions around compliance need to be taken when, and have a communications strategy if public statements need to be made.

6. Know the laws and regulations

Whether you negotiate or not, payment is ill-advised. Inform law enforcement after an attack has occurred and remember there may be compliance requirements around reporting such an incident. As well as the previously mentioned ethical arguments against paying criminals and the risk of not having data returned, there are also potential legal ramifications. Depending on who the assailants are, payment to a group may also be illegal if they have been classified as terrorists. The US Office of Foreign Assets Control (OFAC) also maintains a list of those under sanction and to whom payments are prohibited.

7. Invest in security rather than stockpile bitcoin

Cyber-extortion attempts almost always demand payment via cryptocurrency, often bitcoin or more privacy-minded alternatives such as Monero. The Online Trust Alliance (OTA), an initiative from the Internet Society, advises organizations to set up a bitcoin wallet to be “prepared in the event ransom payment is deemed necessary,” and an increasing number of companies seem to be taking this approach. However, most security experts advise against this.

“Companies stockpiling bitcoins is probably more an indicator that the company doesn’t have faith in their security department,” warns AlienVault’s Malik. “Because that money is far better spent building resiliency into your operations, invest in more robust controls, having a backup onsite and so on.”

A 2017 Citrix survey found that 42 percent of UK companies had a stockpile of digital currencies ready in case of a ransomware attack, up from 33 percent of companies the year before. A more recent Code42 study found 73 percent of CISOs and 60 percent of CEOs are stockpiling cryptocurrencies and found around eight in ten of those who stockpile cryptocurrencies have made payments to cybercriminals.

“It’s easy to see why a company might want to do this,” says Mike Doran, senior security consultant with Optiv Security’s Enterprise Incident Management team. “It allows them to pay a ransom quickly to speed the recovery of their data.” He adds that, as it relates to ransomware preparation, the decisions around stockpiling are driven by the security team, but from there it is a shared responsibility. The finance team is responsible for purchasing and reporting, and security teams need to take the reins from a security standpoint.

While purchasing cryptocurrencies ahead of time can speed up payment and reduce the chance of being stung by fluctuating market prices, ransom money is likely better spent on preventative measures. “Holding a stash of cryptocurrency dramatically increases enterprise risk because it makes you a high-priority target for hackers looking to steal untraceable cash piles. If the price skyrockets, it could become a material asset that publicly traded companies must report – making them a high-priority target for hackers,” says Doran.