Ransomware Response Process: How Companies Navigate Negotiations and Payments

Recently, I came across a fascinating podcast episode from Dark Reading titled "Meet the Ransomware Negotiators" (https://www.darkreading.com/cyberattacks-data-breaches/meet-the-ransomware-negotiators). This eye-opening discussion featuring experienced negotiators Ed Dubrovsky CISSP OSCP PMP MBA MSc of CYPFER and Joseph Tarraf of Surefire Cyber provided rare insights into the complex and often opaque world of ransomware negotiations. Inspired by their candid sharing of experiences and expertise, I felt compelled to write this blog post to help shed light on this critical aspect of cybersecurity incident response.

Ransomware attacks have become an unfortunate reality for organizations across the globe. While prevention is ideal, many companies find themselves facing the difficult decision of whether to pay a ransom to regain access to their systems and data. In this post, we'll explore the complex process of ransomware negotiation, drawing insights from experienced negotiators Ed Dubrovsky of CYPFER and Joe Tarraf of Surefire Cyber.

The Ransomware Response Process

When a company falls victim to a ransomware attack, the response process typically involves several key steps:

  1. Initial Assessment: The company evaluates the extent of the attack, systems affected, and potential data loss.
  2. Engaging Experts: Most organizations lack in-house expertise to handle ransomware negotiations, so they bring in specialized negotiators.
  3. Developing a Strategy: Negotiators work with the company to establish objectives and a negotiation approach.
  4. Communication with Threat Actors: Negotiators initiate contact with the attackers, often through specialized dark web portals or encrypted messaging apps.
  5. Intelligence Gathering: Throughout the process, negotiators attempt to gather information about the attack and stolen data.
  6. Decision Making: Based on the progress of the negotiation and the company's situation, a decision is made whether to pay the ransom or pursue alternative recovery methods.

The Decision to Pay

The choice to pay a ransom is never taken lightly. Factors influencing this decision include:

  • Availability and reliability of backups
  • Criticality of affected systems and data
  • Potential for data exposure
  • Financial impact of prolonged downtime
  • Legal and regulatory considerations

Joe Tarraf explains that negotiations are typically driven by one or more of three objectives:

  1. Obtaining a decryption tool when backups are inadequate
  2. Gathering intelligence about stolen data
  3. Buying time to assess the situation and explore options

The Negotiation Process

Ransomware negotiation is a delicate balance of strategy, psychology, and technical expertise. Key aspects of the process include:

  1. Establishing Communication: Negotiators use various channels to contact threat actors, including email, dark web portals, and encrypted messaging apps.
  2. Persona Management: Negotiators often adopt specific personas to engage with attackers. Ed Dubrovsky emphasizes the importance of this approach: "Every single time it's a persona and I have to be very, very careful... to make me sound every time like a different person."
  3. Intelligence Gathering: Negotiators attempt to profile the threat actors and understand their motivations. Joe Tarraf notes, "Knowing who you're dealing with helps you tailor your strategy, your tone of conversation to the actor at hand."
  4. Price Negotiation: Skilled negotiators work to bring ransom demands down to realistic levels. Ed Dubrovsky explains: "If I know that my client can pay, let's say $10,000, I'm not going to start the negotiation at $10,000. So I have to get to a point where I essentially get them to a reality that is much closer to what my client can feasibly actually pay."
  5. Verifying Threat Actor Capabilities: Negotiators often request proof that the attackers can actually decrypt data or have accessed specific information.

The Shadow Process

While ransomware negotiations have become more common, they still operate in a somewhat shadowy realm. This is due to several factors:

  1. Legal and Ethical Considerations: Paying ransoms can be controversial and may even be illegal in some jurisdictions.
  2. Reputational Concerns: Companies often prefer to keep ransomware incidents and negotiations private to protect their reputation.
  3. Operational Security: Negotiators must protect their methods and identities to maintain effectiveness across multiple cases.
  4. Evolving Threat Landscape: The tactics and motivations of ransomware groups are constantly changing, requiring negotiators to adapt their approaches.

Conclusion

Ransomware negotiation is a complex and high-stakes process that requires specialized expertise. As Ed Dubrovsky advises, "I do not recommend anybody to negotiate on their own behalf ever." Companies facing ransomware attacks should engage experienced professionals who understand the technical, psychological, and legal aspects of these negotiations.

By shedding light on this often-hidden process, we can better understand the challenges organizations face in responding to ransomware attacks and the critical role that skilled negotiators play in mitigating their impact.
