
The ransomware negotiation playbook adds new chapters – Source: www.csoonline.com


A regulatory tangle has further complicated the fraught ransomware negotiation process, while new threats from the tactics of increasingly unreliable attackers leave organizations confronting difficult choices and moral dilemmas.

When an organization is suddenly locked out of its own systems or has sensitive data stolen, it’s not just about losing access — it’s an existential threat to its entire operation.

Navigating a ransomware attack requires a cross-departmental response team, including legal counsel, cybersecurity experts, and organizational leadership.

The technical team’s role during a ransomware attack involves securing unaffected systems, identifying the ransomware strain, and beginning data recovery processes from backups, if available.

Meanwhile, the legal team evaluates the implications of engaging with the attackers, considering both the immediate and long-term legal ramifications, while coordinating with law enforcement agencies, regulators, and cyber insurers.

“When a ransomware attack hits, the initial response is critical,” Ian Nicholson, incident response head at Pentest People, tells CSO. “The legal and technical teams must assess the damage. They identify the type of ransomware, the extent of the data breach, and the potential impact on the organization’s operations.”

One area where the full cross-departmental response team plays a key role is in answering the critical question: Should you pay the attacker’s ransom demand, and if so, how should those negotiations play out?

There’s a long-running debate about whether it’s ethical to pay attackers since this perpetuates the cycle of attacks. But this has to be measured against the imperative for restoring operations even if that means meeting the extortionate demands of criminals.

CSO spoke to several industry experts who urged victims not to engage with increasingly unreliable attackers, much less meet their extortionate demands, while others in incident response still saw value in at least talking to cybercriminals. Following is an aggregate of their advice on ransomware negotiations, as both a dilemma and a vital incident response practice.

Ransomware negotiation playbook

When engaging with threat actors, specialized negotiators, often from external companies such as incident response firms, take the lead in communicating with the attackers. Their primary goals are to gather intelligence, understand the attackers’ demands, and negotiate terms.

Professional negotiators can often achieve better outcomes than organizations trying to negotiate themselves because specialists have more expertise in dealing with ransomware groups.

“Engaging in negotiations can be beneficial for several reasons,” according to Pentest People’s Nicholson. “Firstly, it buys time for the business to implement other recovery measures or gather more information about the attackers. Secondly, it provides valuable intelligence on the attackers’ methods, intentions, and the data they have compromised.”

Time spent during ransomware negotiations gives cybersecurity experts more scope to identify vulnerabilities, stop the spread of the attack, and evaluate backup options — as well as offering an opportunity to gather intelligence about the attacker’s methods and intentions.

Engagement is typically done under the cover of anonymity — it is customary to create a persona, posing as an employee of the company — and to communicate over encrypted channels specified by the attacker.

“Sometimes, during these exchanges, attackers inadvertently reveal information that helps security teams understand the scope of the breach or the type of data that was accessed,” Ramzy Ladah, a trial attorney, tells CSO. “This can be invaluable, both for managing the immediate crisis and for future prevention.”

Skilled negotiators can reduce ransom demands and verify that a decryption key works before finalizing a deal.

Incident response firm GuidePoint Security is tracking around 70 ransomware groups, mostly from Eastern Europe but some from Iran, North Korea, and China. Some will settle for 50% of the original asking price, while others are more inflexible and will offer discounts of at most 20%, according to Mark Lance of GuidePoint Security.

Threat actors need to uphold a reputation for delivering on what they promise if victims pay — something that’s still the case to a large extent even in an environment where gangs frequently close down and rebrand, according to Lance.

The data leakage threat

Another aspect of ransomware negotiation is addressing the threat of data leakage. Attackers often use this as leverage, threatening to publish or sell sensitive information unless their demands are met.

Many ransomware groups now employ a double extortion tactic, threatening to leak stolen data unless their demands are met. “This adds significant pressure on the victim to comply with the attackers’ demands,” Nicholson notes.

Pentest People is noticing a trend of more attackers simply stealing and extorting the victim for the data without deploying any ransomware.

“The organization has to consider the potential fallout of having private data leaked,” according to trial attorney Ladah. “This could mean compliance violations, damage to reputation, and liability to third parties whose data might have been compromised.”

More recently, some data leakage threats have become more personal.

Bernard Montel, EMEA technical director and security strategist at Tenable, tells CSO: “Hackers are not only exfiltrating company data, but they are targeting VIPs to exfiltrate specific information such as emails, personal data, financial information, etc., owned by high-profile individuals, in order to create pressure on them individually as well as the company.”

This negotiation pressure technique is appearing in more ransomware attacks, along with an approach of wiping instead of encrypting data, according to Montel.

The sanctions tightrope

Throughout this negotiation process, the legal team ensures that all actions comply with relevant laws and regulations, especially if the attackers are linked to sanctioned entities, including ransomware groups linked to Russia.

Recently, there’s been more government scrutiny around paying ransoms, especially when the attacker is tied to a sanctioned entity.

For example, the US Department of Treasury’s Office of Foreign Assets Control has issued advisories indicating that paying ransoms to sanctioned individuals or groups can lead to severe legal repercussions, including substantial fines and potential criminal charges.

No such charges have ever been brought, according to industry experts quizzed by CSO, but the risk nonetheless exists.

“If a victim organization ends up negotiating with a group that’s been flagged by government agencies, it opens up the risk of penalties and legal action against the victim itself,” according to Ladah. “In these cases, the organization’s legal team must liaise with law enforcement right away.”

Ladah continues: “Doing so can sometimes provide a degree of legal protection or, at the very least, create a paper trail that shows the organization acted in good faith and under advisement. It’s not a get-out-of-jail-free card, but it can help mitigate some of the legal risks.”

Elsewhere, Australia’s Cyber Security (Ransomware Payments) Regulations 2023 require ransom payments to be reported to authorities within 72 hours. Similar regulations are likely to follow in Europe, where authorities are taking an increasingly dim view of ransomware payments.

Sarah Pearce, a partner at global law firm Hunton Andrews Kurth, warns: “Generally speaking, law enforcement in the UK/EU does not encourage the payment of ransom demands and the UK NCSC [National Cyber Security Centre] website for example, identifies some key risks.”

Paying for a decryption key is “unlikely to result in an immediate return to business as usual, particularly for large organisations,” the UK’s NCSC warns.

“Running a decryption key across complex networks can take time. If a victim organisation has access to both backups and a decryptor, it may prove quicker to use backups,” the UK government cyber-assurance agency adds.

The UK Cyber Security and Resilience Bill proposed by the new government is said to include provisions mandating increased incident reporting to give government better data on cyberattacks, including where a company has been held to ransom, Pearce adds.

Europe has already introduced mandatory reporting obligations for ransomware incidents, at least in the case of larger organizations or providers of critical services. For example, the EU’s Network and Information Security Directive, now NIS2, mandates the prompt reporting of cyber incidents, including ransomware attacks, to regulatory authorities.

Evolving ransomware negotiation landscape

How ransomware negotiations work in practice was illustrated during a presentation by threat analysts from Fox-IT (part of NCC Group) at Black Hat Europe 2021.

Alejandro Rivas-Vásquez, global head of digital forensics and incident response at global cybersecurity company NCC Group, tells CSO that the ransomware negotiation playbook has changed in the three years since that presentation, largely to the detriment of victimized organizations.

“Since 2021, ransomware negotiations have evolved significantly,” according to Rivas-Vásquez. “Global efforts to limit payments and increase cyber incident reporting have limited the negotiating power of victim organizations.”

The rise of double (encryption and data leak threat) and triple extortion (involving potential DDoS attacks) tactics complicates the negotiation process.

The result is attackers not only encrypt data but also threaten to leak sensitive information or pressure third parties, forcing organizations to balance reputational risks with operational disruptions.

“Trust in negotiations is eroding,” Rivas-Vásquez tells CSO. “Enforcement actions against major ransomware-as-a-service operations revealed that many attackers failed to delete stolen data even after ransoms were paid.”

Many countries are promoting international cooperation and intelligence sharing, as well as applying scrutiny to third-party cryptocurrency payment agents.

“With governments cracking down on payments, rising distrust in attackers’ promises, and increased maturity in corporate responses, paying ransoms has become a less viable and riskier option for many organizations,” Rivas-Vásquez concluded.

Put bluntly: Paying ransoms may encourage further attacks and doesn’t guarantee data recovery.

Websites such as No More Ransom offer a lifeline to businesses that have suffered a ransomware attack, but hardening systems and procedures beforehand is always preferable to dealing with the heightened risk of a potential breach.

“Incident response and preparedness can play a key role in recovery from an incident such as a ransomware attack,” Pentest People’s Nicholson says. “By detailing and testing responses, organizations can better understand what their specific pain points are and fill any security gaps to reduce the risk.”


Original Post url: https://www.csoonline.com/article/3568817/the-ransomware-negotiation-playbook-adds-new-chapters.html

Category & Tags: Incident Response, Ransomware, Security
