Whether through ransomware, data theft, a distributed denial of service (DDoS) attack or General Data Protection Regulation (GDPR)-based extortion, criminals demanding money from organizations in exchange for the return of data or to continue business operations continues to be a common occurrence. The best advice, of course, is not to pay, but as a last resort some organizations might feel the need to negotiate with cybercriminals during a cyberattack. Perhaps the backups have failed, maybe criminals have your most sensitive data, or the size of a threatened DDoS attack would overwhelm your systems. An older study from 2015 estimated as many as 30 percent of security professionals would be willing to negotiate to get their data back, but who should take the lead, and how should you go about negotiating?

Corporate extortion and ransomware were listed as the “most significant risks to businesses” by 72 percent of respondents in a global survey of 900 CIOs by Logicalis, and Europol’s 2018 Internet Organised Crime Threat Assessment found an increasing trend of cyber extortion, and predicted more in the future.

What the data says about paying ransoms

The FBI, the UK’s National Crime Agency, and most cyber security experts recommend never paying the ransom. Aside from the ethics of funding criminals, there are no guarantees that criminals will stick to their end of the bargain, and it could encourage further attempts at extortion. Depending on your industry, location and who you’re paying, there could also be legal and regulatory repercussions.

Despite this, many companies do pay the ransom. A study from CyberEdge Group found around 40 percent of companies affected by ransom attacks paid, but only half actually got their data back. More than half of the 1,000 companies surveyed didn’t pay but still managed to recover their data.

Instead of paying, organizations should be ready for such attacks.
Having a good backup and recovery system in place is the quickest and least painful way to recover after a ransom attack. Encrypting your sensitive data can make it less valuable if taken. DDoS protection can mitigate these attacks. Being GDPR compliant lessens the threat of criminals reporting you. Good user education around the dangers of phishing can help prevent criminals entering your network.

If your best efforts to protect against ransom or other extortion demands have failed, then follow these best practices to prepare for and execute negotiations with criminals.

1. Engage with the hackers quickly

Even if you have no intention of paying, negotiating can give an organization more time to verify claims, identify the source of a leak, perform triage, and attempt to decrypt or restore affected systems from backup. “Payment is always the last resort but engaging with the hackers is something we suggest to clients immediately,” says Bill Siegel, CEO of Coveware, a startup that provides negotiation services.

Common negotiation methods or delay tactics include explaining there are no funds available, claiming senior management won’t approve the transfer, or simply feigning confusion at how to source and make cryptocurrency payments.

Communication with criminals is often done over their preferred medium — typically encrypted email or encrypted chat services — and contact information is provided in the original demand. Of course, some ransom attacks are simply automated off-the-shelf “spray and pray” attacks with no means of communication beyond a bitcoin wallet address, but more sophisticated or targeted attacks will have communication channels. Some ransomware variants even have customer service agents.
It’s also important to note that unless your company has been targeted specifically, you should not reveal your identity, as it might encourage further targeting. “Most of the time the communications are crossing time zones, language barriers and gaps in technical proficiency. Important details get lost in translation very easily if you don’t know what to ask and how to interpret responses,” says Siegel.

2. Verify that the attacker has your data and can decrypt it

Verification is important; being sure an attacker actually has the data they say they have stolen, or has the ability to decrypt data you can’t access, is a key first step in any negotiation. According to a new AlienVault report, 65 percent of those surveyed said they would be confident in verifying whether claims were true or false. Twenty-five percent, however, admitted they were not confident in their ability to ascertain whether data had been stolen or not.

“It's so easy to rent a botnet and launch a DDoS attack,” says Javvad Malik, security advocate at AlienVault. “If it's something like stolen data, in most cases hackers are happy to provide a sample. That's really useful because it allows you to zero in on what data was taken, what system that it's on, so that gives you something to focus in on. Look at those logs, do a deep dive and see if there's any indication that this is true or not.”

Many ransomware variants include a free decryptor tool as standard. In more targeted attacks, sending over an encrypted file – preferably one you know contains benign information – for attackers to return decrypted is a good way to verify claims and provide you with extra intel.

3. Don’t be afraid to haggle on price

Companies sometimes make attempts to haggle down a price.
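As an added illustration of the verification step under point 2 above (this is not code from the article or from any of the firms quoted in it), the Python below shows two checks a defender can run offline before taking an extortionist's word for anything: comparing a file the attacker returns “decrypted” against a known-good copy by SHA-256 digest, and matching an attacker-supplied data sample against an internal record export to gauge whether the sample actually came from your systems. Every function name and all sample data are constructed for the example.

```python
"""Two offline checks for verifying an extortionist's claims.

Added example, not code from the article or any vendor quoted in it.
Function names and all sample data below are constructed for illustration.
"""
import hashlib
from typing import Iterable


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decryptor_proof_is_valid(returned_plaintext: bytes, known_good_plaintext: bytes) -> bool:
    """Check a 'decrypted' file the attacker sent back.

    Pick a test file whose contents are benign AND whose original you still
    hold (a backup copy, an e-mail attachment). Comparing digests instead of
    eyeballing the file catches a truncated, padded or otherwise altered result.
    """
    return sha256_hex(returned_plaintext) == sha256_hex(known_good_plaintext)


def normalize_record(record: str) -> str:
    """Collapse whitespace and case so trivial reformatting does not hide a match."""
    return " ".join(record.strip().lower().split())


def match_sample_against_inventory(sample: Iterable[str], inventory: Iterable[str]) -> dict:
    """Gauge whether an attacker-provided data sample really came from your systems.

    Internal records are hashed once and kept as a set, so the comparison can be
    run over a large export without keeping plaintext in the working set. Rows
    that match nothing point to a public dump or fabricated data rather than a
    genuine exfiltration from the system being claimed.
    """
    index = {sha256_hex(normalize_record(r).encode("utf-8")) for r in inventory}
    matched, unmatched = [], []
    for row in sample:
        target = matched if sha256_hex(normalize_record(row).encode("utf-8")) in index else unmatched
        target.append(row)
    total = len(matched) + len(unmatched)
    return {
        "matched": len(matched),
        "unmatched": unmatched,
        "match_rate": len(matched) / total if total else 0.0,
    }


# Constructed data: a benign test document from backup and what the attacker returned.
KNOWN_GOOD_TEST_FILE = b"Cafeteria menu for the week of 4 June\nMonday: soup\nTuesday: pasta\n"
RETURNED_OK = KNOWN_GOOD_TEST_FILE
RETURNED_TRUNCATED = KNOWN_GOOD_TEST_FILE[:-12]   # a 'decryptor' that drops the tail

# Constructed data: your customer export versus the sample the attacker offered.
INTERNAL_CUSTOMER_EMAILS = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
]
ATTACKER_SAMPLE = [
    "alice@example.com",
    "Bob@Example.com ",        # same record, different case and a stray space
    "mallory@example.net",     # not in our export at all
]


def run_checks() -> dict:
    """Run both checks on the constructed data and return the results."""
    return {
        "decrypt_ok": decryptor_proof_is_valid(RETURNED_OK, KNOWN_GOOD_TEST_FILE),
        "decrypt_truncated": decryptor_proof_is_valid(RETURNED_TRUNCATED, KNOWN_GOOD_TEST_FILE),
        "sample": match_sample_against_inventory(ATTACKER_SAMPLE, INTERNAL_CUSTOMER_EMAILS),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

A high match rate only confirms that the sample came from your data; it says nothing about how much was taken or from which system, so it complements rather than replaces the log review Malik describes. The digest comparison is deliberately strict: a “decryptor” that returns most of a file is still not proof that it can restore the rest of your estate.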
Last year the CEO of South Korean web hosting site Nayana managed to negotiate a ransom price down from 550 Bitcoin to 397.6 Bitcoin, around $1 million at the time.

“The attacker may stand firm on the fee at first, but we find the second or third communication is when the attacker considers decreasing the fee,” says Cindy Murphy, president of digital forensics at Gillware Digital Forensics. “Surprisingly, similar to retail or food service, if you ask to speak to the manager you’ll likely make more headway in negotiations and recovering any compromised data.”

4. Determine who should lead negotiations with cybercriminals

In the AlienVault report, the CISO was the role most suited as the one to negotiate extortion or ransom demands. Head of the IT department and executive personnel came in second and third as ones to lead a negotiation.

However, while the CISO might want to lead from a technical perspective, it’s important to take a collaborative approach with key members of the organization in such a situation. “I don’t think any single person is capable of making the decision in a vacuum,” says Coveware’s Siegel. “The CISO understands the value of the data, the CFO understands the financial impact of the downtime and the costs of the ransom (which are typically a small fraction of the downtime costs), and the CEO understands how both impact that operability of the company internally and externally.”

“The CSO/CISO should lead from an investigations perspective purely from the fact they're probably best placed to actually ascertain the legitimacy of that claim,” says AlienVault’s Malik.
“That's the big challenge; anyone could go up to any company and say, ‘I've hacked you, I'm going to release this information,’ and for most companies it will be a very turbulent period where they have got to try and verify these claims.”

However, when it comes to actually negotiating with the criminals, the task might be better suited to someone who's a professional in the field — someone who can buy the organization time and understands the psychology and the motivations behind an attack. Someone untrained could make the situation worse, and the IT manager might not be the one with that particular skillset.

“You may have to get creative,” says Joan Pepin, CISO of Auth0. “Maybe it’s someone in finance, or if you’re a large company, someone in your M&A [mergers and acquisitions] department. Involve your general counsel and law enforcement as well and try not to go into any negotiation alone.”

Consultancies, cyber-insurance providers, and incident response firms offer negotiating services as part of their ransomware protection offerings. They can offer dedicated negotiators, triage around the types of ransomware used (and whether it can be easily decrypted), or facilitate payment as a last resort. Aside from the specialist skills of negotiation, hiring an external party to talk to criminals enables discussions to be done in a neutral way by someone who isn’t close to the situation.

“In any negotiation, you need to be approachable, patient, calm and ‘open’ to the negotiation process,” explains Chris Moses, senior operations manager at Blackstone Consultancy. “You also need to be rather unemotional or detached about it and although it might be quite emotional, you have to be a pragmatist.”

5. Have a plan to deal with all internal and external stakeholders

There are times when negotiations come to an impasse and you’re forced to pay.
Be warned: Even if you pay to get your data back or prevent an unwanted situation, there are downsides.

Uber received negative headlines after it was revealed the ride-hailing service paid $100,000 to hackers to get them to delete stolen data on 57 million customers and drivers and not publicize the breach. Uber’s then-CSO Joe Sullivan left the company shortly after it admitted the breach, and governments across the world began investigations as a result of the cover-up.

“If you feel like you can't go further with negotiation, come clean with your customers and shareholders,” says AlienVault’s Malik. “At least you release the information on your own terms, and you put in place those controls so you can give proactive advice and take control of the situation.”

“Being breached isn't a big deal these days; no one is really surprised,” Malik adds. “People are more appreciative of the response they get from the company. That's far more telling of how they value their customers than ‘did they get breached or not’.”

Ultimately the best thing to do in preparation is have a business continuity plan — being fully prepared in knowing who should be involved and what they should be doing in such an event. Make sure members of the security, finance and legal teams are involved and prepared, know what actions to take first and what actions around compliance need to be taken when, and have a communications strategy if public statements need to be made.

6. Know the laws and regulations

Whether you negotiate or not, payment is ill-advised. Inform law enforcement after an attack has occurred and remember there may be compliance requirements around reporting such an incident. As well as the previously mentioned ethical arguments against paying criminals and the risk of not having data returned, there are also potential legal ramifications.
Depending on who the assailants are, payment to a group may also be illegal if they have been classified as terrorists. The US Office of Foreign Assets Control (OFAC) also maintains a list of those under sanction and to whom payments are prohibited.

7. Invest in security rather than stockpile bitcoin

Cyber-extortion attempts almost always demand payment via cryptocurrency, often bitcoin or more privacy-minded alternatives such as Monero. The Online Trust Alliance (OTA), an initiative from the Internet Society, advises organizations to set up a bitcoin wallet to be “prepared in the event ransom payment is deemed necessary,” and an increasing number of companies seem to be taking this approach. However, most security experts advise against this.

“Companies stockpiling bitcoins is probably more an indicator that the company doesn't have faith in their security department,” warns AlienVault’s Malik. “Because that money is far better spent building resiliency into your operations, invest in more robust controls, having a backup onsite and so on.”

A 2017 Citrix survey found that 42 percent of UK companies had a stockpile of digital currencies ready in case of a ransomware attack, up from 33 percent of companies the year before. A more recent Code42 study found 73 percent of CISOs and 60 percent of CEOs are stockpiling cryptocurrencies and found around eight in ten of those who stockpile cryptocurrencies have made payments to cybercriminals.

“It’s easy to see why a company might want to do this,” says Mike Doran, senior security consultant with Optiv Security’s Enterprise Incident Management team. “It allows them to pay a ransom quickly to speed the recovery of their data.” He adds that as it relates to ransomware preparation, the decisions around stockpiling are driven by the security team, but from there it is a shared responsibility.
The finance team is responsible for purchasing and reporting, and security teams need to take the reins from a security standpoint.

While purchasing cryptocurrencies ahead of time can speed up payment and reduce the chance of being stung by fluctuating market prices, ransom money is likely better spent on preventative measures. “Holding a stash of cryptocurrency dramatically increases enterprise risk because it makes you a high-priority target for hackers looking to steal untraceable cash piles. If the price skyrockets, it could become a material asset that publicly traded companies must report – making them a high-priority target for hackers,” says Doran.