Ransomware negotiation: When cybersecurity meets crisis management

In this Help Net Security interview, Tim Morris, Chief Security Advisor at Tanium, discusses ransomware negotiation, how it typically unfolds, and how organizations should have a playbook that clearly outlines what to do, when to do it, who is notified, who will inform the board, who will talk to the press, etc.

Additionally, he discusses ransomware gangs, the role of cyber insurance, and how governments and regulatory bodies are responding to the ransomware threat.

In light of the increasing sophistication of ransomware attacks, can you discuss the dynamics of negotiating with ransomware gangs? How do these negotiations typically unfold, and what are the critical business considerations during these interactions?

Regarding ransomware attacks, the first step is to verify you were attacked and that your files are encrypted. Sometimes, the attacker may be bluffing, and calling them on that bluff or simply ignoring their demands may change the game entirely.

From there, the negotiation dynamics very much depend on the plan you have in place as part of your incident response strategy. Typically those involved at this process stage involve reps from the exec team, an incident response firm on retainer, outside and internal legal counsel, a cyber insurer, and internal/external comms/PR teams. Cyber insurance companies often work with a panel of third parties who will advise on next steps and in many cases, have dedicated individuals to handle negotiations.

The bottom line is that organizations should not wait for an attack to decide whether or not to pay. Instead, they should have a playbook that clearly outlines what to do when, who is notified, who will inform the board, who will talk to press, etc.

What are the legal and ethical considerations surrounding the decision to pay or not pay a ransom? How should organizations navigate these complexities?

If it was just a legal and ethical consideration, as a matter of principle, you should not pay, and law enforcement will agree with that approach. That said, sometimes, a ransomware payment comes down to a business decision rather than an ethical question. Doing the ethical thing may cost much more than just paying the ransomware.

That said, if an organization is prepared, there is absolutely no reason they should pay, as disaster recovery and business continuity plans should be in place from the start. After all, ransomware is simply another operations disruptor that businesses should plan to encounter, not if, but when.

Can you shed light on any emerging trends or tactics in ransomware attacks that organizations should be aware of? How is the threat landscape evolving?

Ransomware attacks are always growing more sophisticated, with attackers constantly evolving TTPs on how they get into an organization. With the rise of generative AI, we’ve seen a new tactic of poisoning large language models to breach an organization from the inside. There’s also been a spike in double encryption in recent months. Perhaps most interestingly, though, is the recent example of a ransomware gang that reported the company to the SEC after a successful breach for not following disclosure rules.

Regardless of changing tactics, the reality is that your response playbook should not be dependent on the attack itself or the regulatory landscape – they simply provide parameters for playbooks that are already built and tested.

How does cyber insurance play a role in an organization’s defense against ransomware attacks? Are there any pitfalls or limitations that organizations should be aware of?

Cyber insurance plays the role of risk mitigation, given you’re looking at a disruption of operations. Cyber insurers need to be part of your incident response plan and should be notified when a ransomware attack occurs, or an extortion demand is made. As far as limitations, as attacks have become more frequent and cyber insurance more mainstream, premiums have skyrocketed while coverage has shrunk.

Recent trends suggest that ransomware gangs are increasingly targeting SMBs. What makes these businesses particularly vulnerable to ransomware attacks, and what steps can they take to mitigate these risks?

It’s not just SMBs at risk, but also K-12, local and state municipalities, and healthcare organizations that are being increasingly targeted by ransomware attacks. This all stems from a lack of resources and staff to combat and respond to attacks in those industries. Further, SMBs often outsource IT to an MSP and MSSP, making them an even more attractive target for an attacker to make inroads into multiple organizations at once.

How are governments and regulatory bodies responding to the ransomware threat, and how do these responses impact businesses?

Major attacks tend to spike an increase in regulations, awareness, and education. For instance, the SEC disclosure rule came in response to a surge in ransomware attacks. Unfortunately, corporate entities just aren’t doing enough to self-regulate and protect themselves, consumers, and investors.

So, regulatory bodies and associations like CISA, CSRB, and the like have stepped in to help raise awareness and combat the continued ransomware epidemic. While this involvement has obviously contributed a great deal to raising ransomware to mainstream public awareness, it’s clear that more needs to be done across the private and public sectors alike.