Did you know that ransomware gangs are open to negotiation? If circumstances dictate you have to pay the ransom don't just roll over---negotiate a better deal. Here's how to go about it.

Whan Ransomware Strikes

A ransomware attack installs malware on your network. It encrypts your data and demands a cryptocurrency ransom to decrypt it. The most common attack vectors are still a phishing attack or exploiting a Remote Desktop Protocol connection, often by taking advantage of poor password management.

From the threat actors' point of view, ransomware is massively profitable and a relatively easy cyberattack to accomplish. According to a report by the European Union Agency for Cybersecurity (ENISA), 45 percent of victim organizations pay the ransom. It's no surprise then, that ransomware attacks are on the rise. The Bitdefender 2020 mid-year report states that global ransomware attacks increased year on year by 715 percent.

The advice given by the Federal Bureau of Investigation (FBI) is to not pay the ransom. Paying the ransom only encourages more ransomware attacks. If you have a robust disaster recovery system, a rehearsed incident plan, and your backups haven't been compromised you can restore your systems to their pre-attack state. Once, that is, you've determined how they gained access to your network and closed that vulnerability. But doing so may take days and possibly weeks.

When hospitals and other critical services and infrastructure are hit by ransomware they need to recover as fast as they can. The COVID-19 pandemic has raised the likelihood of hospitals and health care firms being targeted by ransomware. If you simply cannot endure any downtime or the recovery process is going to cost more than the ransom, paying the ransom might seem like the lesser of two evils.

The No More Ransom project was founded by Interpol and many partner organizations to provide decryptors for common ransomware. They may have a tool that will decrypt your encrypted data.

Ransomware attacks are increasingly accompanied by an exfiltration of company confidential or other sensitive information. The cybercriminals threaten to expose this information if you do not pay the ransom. Bear in mind, even if you pay the ransom you might not get your data back. The decryptor used by the threat actors may not work properly. If it does decrypt your data you're still likely to be infected with malware.

Some organizations are covered by cyberinsurance. That's fine as far as it goes, but there is evidence to suggest that if cybercriminals know that an organization has cyberinsurance they assume the ransom will be paid whether the organization has sufficient funds or not. It means the ransom limit is not set by the finances of the organization, but rather by the value of the cover provided by the insurance policy. They may inflate their ransom demands and may even preferentially target insured organizations.

Of course, the ideal scenario is to not get hit by ransomware. But if you do, and circumstances dictate that you must pay the ransom, you can negotiate with the cybercriminals.

Related: How to Prepare for and Fight a Ransomware Attack

A Mix of Trust and Desperation

Almost certainly you're not the best person to carry out the negotiations, and neither is anybody else at your organization. You're going to have enough on your plate identifying the point of ingress and patching the vulnerability and trying to keep the organization operating using whatever means you can. Perhaps staff can work from home. Perhaps you had a segmented network and some of your IT infrastructure and telecommunications equipment avoided infection.

You have to keep the board or C-suite updated, manage client and customer queries, execute actions that are required by your data protection legislation, handling PR, and many other actions that will be part of your incident response playbook. even if you didn't have all of that on your back, you'll still be better of engaging with experts to handle the negotiations.

Knowing how to proceed is predicated on understanding who and what you're dealing with. What ransomware strain was used against you. Can you identify the cybercriminals, and do you know what their track record is?

Some ransomware gangs are more reliable than others. They have decryption routines that work properly, and they actually restore your data. They don't subsequently return making further blackmail claims regarding exposing the data they exfiltrated. Other gangs are less so. If the decryptor hiccups and doesn't work, that's just tough on you.

Firms exist that can perform these negotiations for you, and use their expertise and experience to your advantage. Some organizations can justify keeping such a firm on a retainer, but many cannot. every organization can research cyberattack incident management companies in their vicinity that have a negotiation service. Most of them will offer a complete cyberattack incident response service, with negotiation included within that.

In most jurisdictions, you are required---or at least, strongly encouraged---to notify law enforcement and to report the attack. Your data privacy laws may require you to notify affected data subjects and to set up a means of updating them. You may need to report the incident to a data protection authority. And if you have cyberinsurance you should start talking to them as soon as possible. You need to know if they expect to provide cover for this incident or not. That's vital knowledge for the negotiations.

The Negotiations

Step One: Technical Details

Make sure you have identified the means of infection, and that you have closed that vulnerability so that it cannot be exploited again. Once you're confident that the threat actors have been locked out of your system you need to take stock. What exactly has been encrypted, what is the extent of the compromise?

Is it the entire IT estate, one subnetwork, several servers, or all of your servers? If your network hasn't been encrypted in its entirety you will have an opening gambit. Why should you pay the entire ransom if the entire network wasn't encrypted? But you must be absolutely positive that the cybercriminals are locked out. If they can still access your network and find out there were areas that did not get encrypted they'll reconnect and encrypt the devices they missed.

The way to communicate with the perpetrators is usually described in the ransom message. Typically it is a portal that you log into to exchange messages. Verify that you can access this, but don't open discussions yet. You can ask a question such as are you in the right place, or another innocent query. It shows the cybercriminals you are following their orders thus far without giving anything away.

Step Two: Research and Reconnaissance

Someone must identify the strain of ransomware. This is why an outside incident response company makes sense. They have the skills and expertise to do this. They'll use that information together with other clues such as the type of ransom note, the attack vector and method of infection, the type of message portal they use to communicate to you, and details from other ransomware cases to identify the threat actors. This attribution step is very important.

Knowing the identity of the ransomware gang enables the response team to refer to records of other ransomware attacks by these perpetrators. They'll be able to see whether this ransomware gang typically provides decryptors that work and whether they have historically honored their agreement not to subsequently blackmail the victim for more money by threatening to release the exfiltrated data.

Importantly, they may be able to find out what ransoms this gang has demanded in previous attacks and what the final negotiated figure was. Ransoms can be picked out of the air and be a standard opening demand, or they may be determined by the threat actors looking at the turnover of the victim organization. These assessments can be wildly skewed. Sometimes they look at the worth of a holding group instead of the actual business that has been encrypted.

"We need our data back, we're willing to pay, but your valuation is wrong and we simply don't have those funds," is a reasonable first step in the negotiations.

Step Three: Negotiate

To the ransomware gang, this is just a business transaction. It isn't personal. An external negotiator will be able to remain more neutral than internal representatives of the organization. Getting emotional won't be productive.

As with all high-figure business transactions, negotiation is expected. Naturally, the cybercriminals want to have everything wrapped up as fast as possible. Protracted negotiations put their detection by law enforcement more likely. But you can't just stall. If they decide it is too risky to continue they'll walk away and you'll be left with an encrypted network. But if the victim simply cannot meet the ransom demands the ransomware gang will have to lower their expectations. Some ransom is better than no ransom, after all.

Make sure you ask for and obtain a demonstration that the decryptor functions correctly. You need to see that it successfully decrypts a selection of files of different types from different servers and subnetworks. This is not unreasonable, and the cybercriminals should be able to do this very easily.

It's only fair that you have proof that you're going to get what you're paying for. It's the equivalent of asking for evidence that human hostages are still alive before the ransom is paid.

Step Four: Payment

When a settlement has been agreed upon, the ransom is paid. This will be in a cryptocurrency. Bitcoin is a favorite because it is easy for the first-time cryptocurrency user to obtain. Be aware that this step may take days. It might be prudent to obtain a small amount of Bitcoin as a precaution against requiring them in the future. It will take the time required to obtain a digital wallet and to establish your credentials as a Bitcoin user off the critical path of the ransomware incident.

A transcript of the communications, the negotiations, the agreement, and acknowledgment of the payment is exported from the portal and made available to the victim organization. This transcript is often required for the insurance company or other legal or contractual reasons.

If data was exfiltrated before the network was encrypted, you've got nothing but the word of the cybercriminals that they will delete the data and not use it in the future for blackmail. It's not much, but there is the hope that the cybercriminals understand that if they do renege on such deals future victims will be less inclined to pay the ransom---or as much ransom---if the ransomware gang has a record of not upholding their side of the agreement.

The loss of data in this way will count as a data breach and will likely need to be reported to your data protection authority. Under certain legislation, such as the General Data Protection Regulation, the ransomware attack itself counts as a data breach because you have lost control of the data.

Step Five: Post-Mortem

You've got no time to sit back and lick your wounds.

As a minimum you should:

• Conduct penetration testing and vulnerability testing as soon as you can. Make sure you act on the results. Use the test outcomes to guide your remedial activities.
• If you have cyberinsurance you need to progress the issue with your insurance company.
• Handle official communications. Have you informed everyone you need to, including law enforcement and data protection authorities? You need to send an official statement to your trading partners, clients, and affected data subjects. Summarise the events of the attack and how it was concluded. Be certain to include a section describing what you have done to prevent a recurrence.

Now Plan for Next Time

What was it that prevented you from switching over to a disaster recovery system, or purging and restoring backups so that you didn't need to pay the ransom?

Investigate these and other business continuity options. You'll probably find that they're cheaper than your ransom was, that they reduce your insurance premium, they and make compliance to data protection legislation easier.