Getting the best possible outcome in ransomware negotiation

Though typically seen as a final measure, 90% of participants from a BigID survey revealed that their company would contemplate paying a ransom if it meant they could recover data and business processes, or recover them faster.

In this Help Net Security interview, Azeem Aleem, MD of UK and Northern Europe at Sygnia, unravels the complexities of ransomware negotiation and highlights the measures that organizations can take to protect themselves against cyber threats.

Can you walk us through a typical ransomware negotiation process? What kinds of strategies do professionals use to negotiate a lower ransom?

If your business is under attack, the threat actor can use it as an opportunity to ‘drip-feed,’ extortions, promising to release data in a staggered approach to ensure they get the most out of their attack. As a result, the business could end up in a perpetual cycle of ransom with the threat actor. This is where we are called to investigate and protect against major ransomware, corporate espionage, financial theft and even nation-state campaigns.

We always err on the side of prevention. We need to keep pace with threat actors and that means investing and enlisting the help of third party security experts who can review your security stack from the ground up and see what you may not be seeing. Tackling cybercrime requires a multitude of skills, including a predictive and adaptive mindset and both helicopter and microscopic perspectives to really ‘see’ the threat.

Before engaging with threat actors – enlist the right skills for the job. We hand pick the cream of the crop in talent from ranks of elite military technology units and the cyber industry such as ex-military intelligence officers, criminal psychologists, hostage-turned-ransomware hacking negotiators and more. It’s an incredibly unique team with honed skills in technological supremacy, digital combat, data analytics and business, to deliver military-grade security to organizations.

Be aware that you have more to lose – You need to be willing to negotiate and that means “playing the game” to get the best outcome possible. Success means paying little or no money while securing the stolen data. Our cyber threat negotiation experts will find the sources of vulnerabilities and use tactics to delay the ransom while extracting critical information for your investigations team to map to the specific behaviours of the threat actor. For example, our negotiators may assume a specific persona to build empathy and trust, creating a sense of friendship that helps to open up communication for a better deal.

Avoid double and triple extortion by finding the sources of vulnerability. The negotiation team will work to uncover the motives of the attacker, investigate the source, contain the threat, minimise the breach exposure time (BET) and then help to remediate and recover as a way to break the cycle of threats. Negotiators will assist in finding the ‘Black Swan’ that can assist the technical team to reveal the unknowns unknowns.

By understanding the tools, tactics, and procedures (TTPs) that the attacker is using, we can determine the level of sophistication of the attack. Sometimes the attacker nor their tools are that sophisticated but they have found an unknown vulnerability that they can continue to abuse.

What are the advantages of working with a ransomware negotiation service instead of handling negotiations internally within an organization?

A third-party highly skilled incident response team can offer businesses a plethora of expertise under one roof that may be missing from traditional in-house security teams. For example at Sygnia, we hand-pick the cream of the crop in talent from ranks of elite military technology units and the cyber industry such as ex-military intelligence officers, criminal psychologists, hostage-turned-ransomware hacking negotiators, and more. It’s an incredibly unique team with honed skills in technological supremacy, digital combat, data analytics, and business, to deliver military-grade security to organizations – in fact, one that nations quietly turn to for help.

Negotiators can delay a company’s response to a ransom demand. What benefits does this delay offer, and how can it impact the outcome of a ransomware attack?

Threat actors are now big businesses with HR, payroll and sales teams. They thrive on infamy and need to protect their reputation as much as they rely on securing the ransom. Unfortunately, in some cases, paying the ransom is inevitable because of the nature of the attack itself. For example, an attack on industrial infrastructure where there is not only a cyber but physical impact on lives.

A recent report highlighted how businesses have paid $449.1 million in ransom in the first six months of this year. Tactile negotiation will help to uncover the unknowns of the attacker, find ways to appease them and reduce the total ransom – in some cases potentially deterring future attacks. We are essentially buying time to contain the threat, recover data and remediate any gaps in security.

What should organizations do immediately following a ransomware attack to best position themselves for successful negotiations?

• Set up secure offline channel – Essentially a war room to streamline strategic team communication. Cyber-attacks are no longer an IT concern and must be brought to the board, particularly as the CEO could find himself if the docks if regulatory steps had been missed.
• Remain calm to avoid knee-jerk reactions. Fear can make you panic and cloud your judgment. You may attempt to respond to the threat actors, tipping them to a successful ‘mark.’
• Enlist external incidence response expertise to investigate, evaluate and map the crisis. Do not engage with the threat actor alone.
• Apply network segmentation and separate the backup environment from the network.
• Disconnect employees from email and the server to avoid spreading the attack. Many supply chain attacks could have been reduced in scale this way.
• Assess your environment to understand the source of the attack.
• Approach remediation and backdoor eradication with caution. Such mitigation activities might tip off the threat actor that someone is on to them. Ensure that the process you are undertaking is comprehensive, and support the remediation with tailored monitoring efforts in order to prevent further risk, and to detect any backdoors that might have been missed.

Can you share some examples of how organizations have successfully used ransomware negotiation services to mitigate the impact of ransomware attacks?

Our ransomware negotiation services limit the damage to a company, create time for us to be able to uncover the threat and ultimately reduce any ransoms, at an accelerated speed. Our investigations, offer us leverage that can deter the threat actor, minimise the ransom or best outcome – pay nothing at all.

We are seeing more OT attacks, where in some cases, both the virtual and physical world can be impacted and therefore necessary to pay a ransom. For example, Sygnia worked with a well-known global manufacturing company, which was part of a larger group of manufacturers, and had multiple OT production environments. The company had suffered an attack from the PYSA or Mespinoza Ransomware group, where they had encrypted the production floor services, leading to a halt in plant operations and client delivery. To a company of this size, any disruptions to day-to-day operations can cost an estimated $1.5 to $2 million.

The company could not afford to continue running at such losses and so Sygnia was enlisted to investigate and contain the threat while recovering and negotiating with the threat actors, in parallel with existing work streams. Our team of negotiation experts found ways to build trust and empathy with the threat actor – gaining a deeper understanding of the origin of the attack to help our containment team ensure they were targeting the right domain.

Once we had uncovered the entry point of the attack and found the lateral movement vectors, we were able to trace the origin of the attack to a sister company within the group. We see this time and time again in supply chain attacks where external companies share systems with each other for efficiency but unknown to them, also provide ways for threat actors to exploit and spread their attacks like wildfire.

Sygnia presented our findings and shared the exfiltrated data with both legal teams to be analysed. In this scenario, we were able to recover the environment from our ‘secure island’ and therefore did not have to pay the ransom. We also remediated the vulnerabilities to prevent a reoccurrence of the attack and help the manufacturer return to full plant operations within two weeks of the initial compromise.

Could you explain how ransomware negotiation services collaborate with law enforcement agencies and how this collaboration can benefit victim organizations?

In multiple cases, Sygnia’s negotiation team has worked extensively with law enforcement agencies. This is mainly towards understanding the extent of the attack domain, refining the TTPS of the adversarial group and buying back critical time to expedite the containment process.