Negotiation Tips
In ransomware cases, as in real-life hostage negotiations, you may need to come to an agreement with the extortionists regarding payment. Certain tactics can help increase your chances of a positive outcome. For example:
- Demand "proof of data." Before paying for a decryption key or tool to recover your data, make sure that the extortionists can actually deliver. Particularly in high-dollar cases, you can request that the ransomers send samples of decrypted files to ensure that they can actually fulfill their end of whatever deal you strike.
- Act calmly, reasonably, and logically. Criminals are more likely to successfully negotiate with you if you build trust during your conversations and approach the discussion as a straightforward business deal rather than an emotionally charged situation.
- Don't make unrealistic promises. If you're not sure that you can pay or the dollar amount is genuinely too high, be straightforward. When criminals get annoyed by unmet expectations, they are more likely to retaliate or abandon the negotiation entirely.
- Take a team approach. As odd as it sounds, your organization and the extortionist have a mutual interest in reaching agreement. Leverage this in your conversations. Security consultant Hussam Al Abed recommends, "Use the word 'we' to encourage your captors to think of you as sharing mutual concerns. You do have a common interest in the outcome of this situation."16
At the same time, certain classic rules of hostage negotiation need to be rethought when it comes to ransomware. Unlike real-life hostage situations, the criminals behind ransomware do not have possession of a physical human being who needs to be fed, monitored, and kept alive in order to maintain leverage. Instead, perpetrators of ransomware can take over dozens of organizations and maintain their control with little ongoing effort.
The result is that cybercriminals have less incentive to close deals; they can store decryption keys for months or years if needed—or delete them on a whim. Consultants trained in real-life hostage negotiation tactics may be surprised to find themselves at a disadvantage in ransomware cases. Common wisdom is to reject the extortionists' first offer—a tactic that can backfire when dealing with cookie-cutter ransomware, where criminals may focus their time on easy money and ignore more complex discussions.
In addition, ransom notes often include a deadline after which files are automatically deleted or the ransom payment goes up. Victims that exceed this deadline due to negotiation attempts may find that they are unable to recover certain files as a result, or they end up paying a higher ransom due to the delay.
Should You Pay the Ransom?
When a victim is hit with a cyber extortion attack, often the most pressing question is, "Should I pay?" The answer is different for denial versus exposure extortion. In denial ransomware, where the organization's data is inaccessible, this is a legitimate question that needs to be evaluated. Obviously, paying criminals is never a victim's preferred choice. Unfortunately, paying the ransom does sometimes make sense for victims of denial ransomware. The attackers have incentive to provide the key—otherwise, people would stop paying them. Once the organization has its data back, it can implement security procedures that will dramatically reduce the risk of a future attack.
In exposure cyber extortion, paying the ransom is never a winning strategy. Once criminals possess your data, you cannot trust them to delete it (and they may have already sold or shared it). What's more, paying the ransom signals to the criminals that you are susceptible to extortion, increasing the odds that you will be targeted in the future. There is nothing to stop the criminals from attempting to extort you over and over with the same stolen data. Some organizations may choose to pay an exposure ransom in an effort to demonstrate a good-faith effort at minimizing harm to data subjects. While this may work for a specific situation, it is certainly not guaranteed. In all types of extortion, every ransom paid funds the extortionists' business model and therefore incentivizes crime.