CSO Senior Writer

How ransomware negotiations work

Dec 29, 2021 | 14 mins

Here's what experienced negotiators say your organization should expect if it ever needs to pay a ransomware demand.

[Image: locked data / bitcoins. Credit: Metamorworks / Nature / Getty Images]

Ransomware has been one of the most devastating malware threats that organizations have faced over the past few years, and there’s no sign that attackers will stop anytime soon. It’s just too profitable for them. Ransom demands have grown from tens of thousands of dollars to millions and even tens of millions because attackers have learned that many organizations are willing to pay.

Many factors and parties are involved in ransomware payment decisions, from CIOs and other executives to external counsel and insurance carriers, but the increasing need to make such payments has created a market for consultants and companies that specialize in ransomware negotiation and facilitating cryptocurrency payments.

What happens when ransomware hits?

In an ideal world a ransomware attack should trigger a well-rehearsed disaster recovery plan, but unfortunately many organizations are caught off guard. While large enterprises might have an incident response team and plan for dealing with cyberattacks, the procedures for dealing with various aspects specific to a ransomware attack—including the threat of a data leak, communicating externally with customers and regulators, and making the decision to negotiate with threat actors—are typically missing.

“Even in large publicly traded companies that do have IR plans, they don’t usually cover details related to ransomware,” Kurtis Minder, the CEO of threat intelligence and ransomware negotiation firm GroupSense, tells CSO. “Once we get to the process of decryption negotiation, of making that business decision, who should be involved, a lot of that is not documented. There’s no messaging or PR plan either. None of that exists for most companies that we get brought into, which is unfortunate.”

Even for companies that have practiced their IR plans and have procedures in place, it’s still sort of a blind panic when ransomware hits, according to Ian Schenkel, former vice president for EMEA at threat intelligence vendor Flashpoint and director of sales, EMEA, for VMRay. “We’re not just dealing with a piece of ransomware encrypting files and encrypting an entire network. What we’re seeing lately is sort of this second factor where they’re actually trying to extort more money out of you by saying: ‘If you don’t pay the ransom, we’ll leak all the information we have about your organization’.”

In other words, as more ransomware groups adopt this double-extortion technique by combining file encryption with data theft, a ransomware attack that is ultimately a denial of service also becomes a data breach that’s subject to various regulatory obligations depending on where in the world you are and what type of data was compromised. While in the past private companies didn’t have to publicly disclose ransomware attacks, they might increasingly be forced to because of this data breach component.

Two critical and time-sensitive actions need to be done when a ransomware attack hits:

  1. Identify how the attackers got in, close the hole, and kick them off the network.
  2. Understand what you’re dealing with, which means determining the ransomware variant, tying it to a threat actor, and establishing that actor’s credibility, especially if they also claim to have stolen data.

The first action requires an incident response team, either internal or external, while the second might require a company that specializes in threat intelligence.

Some large companies keep such firms on retainer, but many organizations don’t and often feel lost when facing a ransomware attack and end up losing precious time. In those cases, the better approach might be to bring in outside counsel with expertise in managing cyberattack responses. According to lawyers from international law firm Orrick who spoke to CSO, in around 75% of cases outside counsel gets called in first and starts the response process, which includes:

  • Notifying law enforcement
  • Engaging the forensic people
  • Running a briefing internally with the organization’s leadership
  • Covering the investigation by privilege
  • Assessing notifications to the outside world that might be needed
  • Helping the victim organization make contact with their insurance carrier to notify them about the attack and get approval for costs, including counsel, forensics, crisis communications, and anything else that’s required, including paying the ransom if that decision has been made.

Who decides if the ransom gets paid?

Discussions with the insurance provider should be opened early because, depending on what the policy says, they might have a bigger or smaller input on the selection of the IR vendor and other parties that are brought in to help with the incident. Insurance carriers usually have lists of approved vendors.

However, when it comes to deciding whether to pay the ransom or not, in the experience of the Orrick lawyers, companies make that decision on their own and then reach out to their insurance provider to see if they approve it. In some cases, the affected company might decide to pay regardless of whether their insurance covers a ransomware payment because the attack’s impact on its business is so bad that it can’t afford not to pay. They hope to later recover the money, or part of it, from the insurance provider.

The decision-making process usually involves the general counsel, the CIO, and the COO. The general counsel weighs the decision based on legality and risk. The CIO and their team are in charge of the backup processes and the business continuity or disaster recovery plans. The COO makes the decision based on how the affected data impacts operations. For example, the CIO can determine that backups exist, but the number of impacted systems is so great that restoring them will take a very long time and the COO can decide that the business operations can’t survive with a long downtime. Ultimately, it’s a business decision, so the CEO will often weigh in as well, or in many cases has to give the final approval to pay the ransom, according to the Orrick lawyers.

Before approving a ransomware payment, insurance carriers will ask various questions, such as the status of backups, whether they were destroyed during the attack, whether offsite backups exist, how many systems were impacted, and how long it will take to restore them. They will also likely investigate the threat actor to determine if it is on the Department of the Treasury’s sanctions list, and if it is, they might decline payment because their policies carve out exceptions for that.

In October, the Treasury Department’s Office of Foreign Assets Control (OFAC) issued an advisory reminding organizations that they face civil penalties if they violate sanctions when making ransomware payments. However, if the insurance provider declines coverage for a ransomware payment, it’s possible the organization might still decide to go ahead with it to save the business, but the next hurdle they’ll face is the decision by the payments facilitator.

Ransomware payments are made in cryptocurrencies, and companies don’t typically have crypto wallets and millions of dollars in cryptocurrencies lying around. They must rely on a third party with the infrastructure to make such payments. In light of the OFAC advisory, these third parties can also deny the payment if the threat group is on the sanctions list. Often the companies that specialize in ransomware negotiation are also the payment facilitators on behalf of the victim.

How does a ransomware negotiation work?

According to GroupSense’s Minder, before the attackers are approached using the method of communication they provided—usually some encrypted email service—it’s important for the IR team to make sure that the attack has been isolated and the attackers have been kicked off the network.

“Imagine if I’m negotiating with a threat actor and that threat actor still has access to the network. That’s a lot of leverage against us,” Minder says. “So, one of the things that we try to do right off the bat is working really closely with the IR team to determine if they were shut out and cannot get back in.”

The second part, according to Minder, is to get all the information about the attack that was collected by the IR team, including what data has been compromised, and to determine the threat actor along with their existing profile and past playbook. Knowing what ransoms they’ve asked for in the past, establishing their maturity, and estimating how many other organizations they’re likely to have on the hook at any given time is all valuable information that can dictate how to approach the negotiation.

If they have compromised 30 or 40 companies, that can change their behavior and they can be less patient when negotiating because they have many other options, Minder says.

Many hacker groups customize their ransom demands depending on the victim’s profile, usually going for some percentage of the organization’s estimated annual revenue if it’s a company. However, that can be grossly overestimated if obtained from unreliable sources or without more details about the business structure. For example, the victim’s parent company could be a multi-billion-dollar international conglomerate, but the actual victim could be a small business operation in a certain country. At the government level, there are significant differences between the financial resources of federal agencies and small municipalities that might not be directly apparent to the attackers.

According to Minder, the negotiators can have a discussion with the attackers to educate them about the actual financial circumstances of the victim, but it’s better to just objectively treat it as any business transaction and not rely on emotions, which is what a victim might be inclined to do if they attempt to negotiate on their own.

That said, all the communications that happen with the attackers are available to the victim organization through a secure portal in real time, and they can weigh in and make comments or suggestions.

In some cases the victim can restore some of their systems from backups, and that can be used as leverage in the negotiation, because the victim won’t be willing to pay the full ransom just to be able to decrypt the data on a few remaining systems. This is another reason why having the capabilities to detect attacks as soon as possible and having an IR plan in place to respond and limit the damage is very important.

“A huge thing that needs to be considered in the earlier stages, as you are identifying an ongoing attack or seeing ransomware being deployed across the environment, is to contain and isolate it as fast as possible,” Tim Bandos, CISO of data protection company Digital Guardian, tells CSO. “That comes down to scoping the incident and reviewing the logs and identifying where this thing has gone and where we can effectively cut it off. We’ve had that instance where we were able to stop it. It moved to 10 or 15 servers in a fleet of around 3,000.” In cases like that, the victim might not even have to pay the ransom, because restoring 10 or 15 servers from backups will not take a lot of time, whereas with thousands of systems, paying the ransom and decrypting the data might be quicker.

Even if backups exist, there might be difficulties in restoring an affected system because the applications and their software stacks are outdated. Bandos encountered that situation with a customer in the manufacturing sector that had data backups, but also had a server running an internal application made for them on an outdated Windows server version, so that system would have had to be completely rebuilt. Downtime of that server was costing the company $10,000 per hour, so they paid the ransom.

It’s important to also test the restoration process for backups and create system images with all the software a system needs to function properly. Having detection capabilities in place and endpoint software that can detect and block file encryption routines and isolate systems from the network quickly is also very valuable.

Both Minder and Flashpoint’s Schenkel said that ransomware groups are generally willing to negotiate, and in the majority of cases the ransoms that end up being paid by victims are a small percentage of the original amount that they ask. That’s because the attackers are under time pressure, too. The longer the discussion drags on, the more time the victim’s IR team has to restore systems. On top of that, according to Schenkel, data shows that only between 25% and 30% of ransoms are being paid and the attackers are aware of this.

“As much as we say how bad threat actors are, they’re still just people trying to sell something, so they will have a starting price,” Schenkel says. “Sometimes that’s 10% of revenue, sometimes as high as 20% of revenue, but that’s a starting point. They are always open to negotiation and being ‘reasonable,’ if that’s even the right word because there’s nothing reasonable in that situation at all.”

However, before any transaction takes place, the threat actor must prove their ability to decrypt files. That’s usually done on a sample set of data, but it doesn’t mean there’s no risk. In some cases the decryptor provided by the attackers might have bugs or might fail to work on certain systems or volumes or some data might be corrupted. Some companies specialize in reverse-engineering such decryptors and reimplementing them in a more efficient tool that only uses the decryption key provided by the attackers.

There might also be situations where attackers use different keys across different systems on the network, which is why it’s important to have that forensics and threat intelligence component to understand the attacker and their modus operandi before approaching them.

Once the payment is made through the infrastructure supplied by or agreed with the negotiator, the full record of the communication, information collected about the threat actor, and information about the transaction is provided to the customer for record keeping and legal reasons.

Threats to leak data complicate negotiations and recovery

When dealing with a theft of data as part of the same attack, where the attackers also threaten to leak the data, things are a bit more complicated because there is no way to guarantee that the attackers have destroyed the stolen data. Security firm Coveware, which also specializes in ransomware response and negotiation, reported last year that they’ve seen many cases where victims who already paid the ransoms were extorted with the same data set later or where the data was leaked online anyway.

As more ransomware groups adopt this technique, ransomware incidents will have to be treated as data breaches and go through all the processes that are required in such cases. Victims might also have to consider paying a threat intelligence firm to monitor underground forums and marketplaces for their stolen data to stay ahead of where it might end up and how it might be used to take additional preventive actions.

Some ransomware gangs have taken it even further by employing triple extortion tactics. Grief, a ransomware group previously known for the DoppelPaymer ransomware, has warned victims that if they contact law enforcement or engage professional ransomware negotiators or data recovery experts, it will destroy the decryption key.

The Grief ransomware is tied to Evil Corp, a group that was put on the sanctions list by the US Department of the Treasury. If law enforcement or ransomware negotiators are contacted, there’s a very high chance the victim will learn who they’re dealing with and will be much less likely to pay the ransom, because they could face civil penalties and their insurer might not cover the payment. Evil Corp has clear incentives to discourage victims from contacting third parties, but it’s not the only ransomware group that has recently taken this stance. Other groups are upset because ransom negotiation logs are sometimes leaked and show up in media articles or on Twitter.

“The fact that threat actors do not want their victims to contact law enforcement is a very strong indication that they should,” Brett Callow, a threat analyst at Emsisoft, told CSO. “Law enforcement agencies can provide victims with valuable assistance and, in some cases, even help them recover their data without the need to pay the ransom.”

An updated OFAC advisory from September puts even more emphasis on contacting law enforcement, presenting it as one of the primary mitigating factors when considering an enforcement response to a sanctions violation.

Post-mortems identify lessons learned

Every incident will also have a post-mortem review among the various parties that were involved—the legal team, the IR and IT teams, the ransomware negotiation specialist—where all the information will be reviewed. The lessons learned from this process should be turned into a project to improve the organization’s capabilities to block or slow down such attacks in the future.

Editor’s note: This article, originally published on February 15, 2021, has been updated to include information on triple-threat ransomware.