Navigating the complexity of ransomware negotiations
Most ransomware attacks are opportunistic, and at the end of the day, cybercriminals do not discriminate. Nobody plans to fall victim, but the fact is any company with an internet presence, regardless of size, is at risk.
These incidents cause significant disruptions to companies’ ongoing operations, which can be greatly detrimental, especially in the manufacturing, energy, and healthcare sectors. Left to the attacker’s discretion, companies can feel lost trying to piece together this high-stakes puzzle. When breached, companies can (and should!) leverage the expertise of teams trained to guide them through the situation.
The decision to pay out a ransomware gang is not quick and straightforward, but rather multi-layered, and dependent on how each attack’s circumstances meet the essential criteria of this “engagement protocol checklist”:
Ransom negotiation protocol checklist
First and foremost, before communications can begin, you need to determine if legal engagement with the threat actor is possible. How? An OFAC (Office of Foreign Assets Control) check must be run to see whether any data (e.g., IP addresses, language, system access) or metadata is associated with an entity that has been put on the U.S. sanctions list. If the answer is yes, communication with and ransom payments to the attacker are prohibited.
It’s relatively rare for data from an attack to match an entity on the list because threat actors use tools to mask their identities (e.g., VPNs, proxy connections, language translation). If you know where to dig, it’s not impossible to discover pieces of information that help unmask threat actors. For example, if a threat actor’s IP address says they are in the Netherlands, but upon reviewing the executable files they dropped on compromised systems you see they are written in Russian, this could reveal the attacker’s true location.
Once you’ve confirmed that legal engagement with the threat actor can proceed, you must weigh your answers to the following questions:
- Is my data backed up and accessible on the network?
- If not, can I rebuild the data from scratch?
- If the stolen data is shared publicly, how will this impact the company?
- Will my business survive if I don’t pay?
Every case is unique, and the final decision – whether to pay the ransom or not – is not always easy. For example, when targeting the manufacturing industry, attack groups take advantage of supply chain businesses because they know if they take out one part of the supply chain, the whole chain is impacted, creating even more urgency. These companies often can’t afford not to pay and restore their operations immediately – and, suddenly, negotiations move from weeks to mere hours.
Once you’ve gone through the checklist and arrived at the necessary decision to pay the attacker, the ransom note provides information on how to contact the attackers. It will typically contain a URL to a Tor website providing an encrypted chat or an email address that can be used to reach out to them.
Many threat actors are open to negotiation, but the process is riddled with intricacies. Depending on the threat group, it can vary considerably: it may take anywhere from a few days to a month if the attacker is slow to respond. Once the final amount is agreed upon, purchasing the necessary cryptocurrency and sending the ransom payment are best done through a third party.
But while it’s easy to assume the nightmare ends with completing the payment, that is unfortunately not always the case. It’s a best-case scenario when your data is returned, and system control is restored. But do you want to do this again? The answer is certainly no. Still, future ransomware attacks are possible, and you must implement essential cybersecurity tools and strategies to block them.
A common misconception is that vulnerable technology is strictly to blame for these attacks, but it’s often people (employees). The best defensive measures you can implement are: training all employees to spot phishing emails, implementing two-factor authentication across all supported systems, and investing in offline backups that are segmented, regularly tested, and not accessible from the corporate network.
By following these cybersecurity strategies and always staying up-to-date on the latest recommendations, you will enhance your organization’s security posture and harden it against future breaches.