Is Negotiation Your Best Strategy When It Comes To Ransomware?
Rather than just paying a fee to get out of a ransomware predicament, could you negotiate your way out with the proper steps and skills? Dan Raywood looks at the stories and options.
The past year has seen a debate rage over whether victims should pay ransoms to attackers. Earlier this year Ciaran Martin, former head of the UK National Cyber Security Centre, argued in an editorial that ransom payments should be made illegal. Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, then said she did not see a blanket ban on paying ransoms happening.
With or without a ban, victims face a hard problem. When infected with ransomware, the victim typically sees a screen demanding payment, stating the amount required for the decryption key and where to send it. Sometimes there is also a countdown timer; once it expires, the attackers threaten to delete, or even leak, the seized data.
The true scale of ransomware payments is unknown. Some are public: CNA Financial paid $40 million in 2021, and casino operator Caesars paid $15 million last year. In the UK, the attackers behind the 2023 Royal Mail attack demanded $80 million, a figure they said represented 0.5% of Royal Mail’s revenue.
Royal Mail dismissed the amount as “absurd”, saying that $80 million “is an amount that could never be taken seriously by our board.” That raises the question of how many victims quietly pay, when the demand is not absurd, simply to make the problem go away.
The difficulty is that there are no reliable figures on who is paying what, and therefore no benchmark for what size of payment actually brings an incident to an end.
No Choice But To Pay?
If you have no choice but to pay, you face a negotiation, and your counterparty is a criminal: you do not know who they are, where they are based, or how well organised they are.
Guidance does exist, and most of it urges caution: say as little as possible to the attackers, establish what they actually have, and give up no further information.
Alex Papadopoulos, director of incident response and readiness at Secureworks, says the negotiation process is not only about the price but also about buying yourself time, and that it is worth negotiating simply to understand the attacker’s position better.
“What we read from other people’s reports is that they are usually open to negotiation because they realise that it’s not great for business if they have too hard a line; then they’re known as completely unreasonable,” he says.
The process also lets attacker and victim learn about each other. Papadopoulos says most ransomware attacks are opportunistic, so the attackers often do not know who they have hit until they start talking to the victim.
“They haven’t put in the time and effort to conduct that research,” he says. “So, through the negotiation process, they want to understand more about you and, therefore, what you’re able to pay.”
That knowledge shapes the price. As the Royal Mail case shows, a demand that is too high will never be paid; in other cases attackers ask for too little. Papadopoulos recalls an incident in which the attackers demanded €8 million and the victim paid immediately, because the attackers had not realised the value of what they had seized or how much more they could have asked for.
Insurance Requirements
Negotiation has also become a requirement of insurance claims. Where specialist firms once offered negotiation and payment-exchange services as a standalone product, Papadopoulos says, “negotiation has become a requirement for many insurance companies.”
He explains that “many digital forensic and incident response (DFIR) providers have practically been forced to enter that slightly shady, slightly grey area” of negotiating with cybercriminals, and that companies need to have people ready to do that job.
All of this points to the need for an effective, tested business continuity plan. If you are working towards ISO 22301 compliance, the plan should cover how you would recover from a ransomware attack while staying on the right side of the law.
Fixing a Hole
Once the negotiation is over, you depend on the attacker to hand over a working decryption key; you then have to restore your systems and close the holes through which the attacker got in.
That in turn leads to best-practice controls that stop attackers getting back in, and aligning with a recognised framework is a step towards better overall security.
Manoj Bhatt, advisory board member of Club CISO, says there are specific controls that organisations should consider implementing to protect themselves against ransomware. In ISO 27001:2022 these are:
- Security awareness training
- Restricting admin access on desktops
- Anti-virus / intrusion prevention system (IPS)
- Vulnerability/configuration management
- Data backups
Within NIST CSF 2.0 there are controls across all six functions that help protect organisations from ransomware, and in the CIS Controls, Control 8: Malware Defences (the CIS Controls v7 numbering; the same safeguards sit under Control 10 in v8) includes the following:
- 8.2 Ensure anti-malware software and signatures are updated
- 8.4 Configure anti-malware scanning of removable media
- 8.5 Configure devices to not auto-run content
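As an added illustration (not from the article, from Manoj Bhatt, or from CIS), the following PowerShell script audits and, if necessary, enforces the “do not auto-run content” safeguard on a Windows host, which is assumed here as the platform. The registry key and the `NoDriveTypeAutoRun` and `NoAutorun` values are Windows’ documented AutoRun policy settings; the function names are this example’s own.

```powershell
# Added example: audit and enforce "configure devices to not auto-run content"
# on a Windows host (assumed platform). Run from an elevated PowerShell session.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutorunState {
    # Read the two machine-wide policy values that govern AutoRun; $null means unset.
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun = $props.NoDriveTypeAutoRun   # bitmask of drive types with AutoRun disabled; 0xFF = all
        NoAutorun          = $props.NoAutorun            # 1 = ignore autorun.inf entirely
    }
}

function Test-AutorunDisabled {
    # Both values must be set to their hardened state for the check to pass.
    $s = Get-AutorunState
    return ($s.NoDriveTypeAutoRun -eq 0xFF) -and ($s.NoAutorun -eq 1)
}

function Set-AutorunDisabled {
    # Create the policy key if absent, then write the hardened values (-Force overwrites).
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name NoAutorun -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage: report the weak state, remediate, and confirm the corrected state.
$before = Get-AutorunState
if (Test-AutorunDisabled) {
    Write-Output "AutoRun already disabled: $($before | ConvertTo-Json -Compress)"
} else {
    Write-Output "Weak setting found: $($before | ConvertTo-Json -Compress)"
    Set-AutorunDisabled
    Write-Output "Hardened: $(Get-AutorunState | ConvertTo-Json -Compress)"
}
```

In a managed estate the same values would normally be pushed by Group Policy rather than a script; the script is useful for spot-checking hosts that a policy may have missed, and the audit function can be run on its own without changing anything.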
Bhatt says that although no framework contains controls specific to ransomware, which they treat as one attack vector among many, the guidance is available to help you put the proper protections in place from the start and reduce the likelihood of an impact.
Ultimately, ransomware remains a significant problem for every business, but negotiation may be worth considering as a way out. It does mean dealing with criminals, though, and a new sector is forming specifically to help practitioners handle that situation.
Having the right protections in place, having an auditor confirm your level of security, and following a framework’s recommendations on best practice will go a long way towards ensuring you never have to do this shady work at all.