Experiencing Ransomware is Bad. Paying The Ransom is Even Worse.

Your company has been attacked with Ransomware, your backups are encrypted.  Or,  your backups are available, but the time to restore is longer than the company can afford to be non-operational.  The situation is bad, and it's about to get worse. 

In their 2020 Data Security Incident Response Report, Cleveland-based law firm BakerHostetler describes the surge in ransomware activity and indicates a dramatic increase in the amount of ransom demanded and actually paid.  The average ransom paid in 2019 was $302,539 (a ten-fold increase over 2018) and incredibly, the largest ransom they saw demanded in 2019 was $18.8 million. 

“Until you've experienced complete data loss in your business and your best option for recovery is to pay a ransom, it's difficult to make that call.” -James Wroten, CEO of Need Computer Help

Understandably, there are plenty who take the position they will never pay a ransom.  But as perfectly articulated by James Wroten, CEO of Need Computer Help, “until you've experienced complete data loss in your business and your best option for recovery is to pay a ransom, it's difficult to make that call.” 

The cost-benefit analysis has been performed and a decision has been made.  The ransom will be paid.   Now what?  Navigating a cybersecurity ransom payment process is as much an art as it is a science.  So, what do you do?  Although this is an exercise best handled by those with experience, there are some critical aspects you should consider.

Anonymize communications and don’t use victim-attributable email accounts to negotiate from.  You do not want the attackers owning an email thread with the victim’s domain in it.

More communications anonymization, don’t discuss the organization’s name.  Assume every sentence you type will be publicly displayed far and wide by the attackers on their “wall of shame”.  Even to the point of inviting journalists to view.  When possible, the attackers should not have any record of discussion inclusive of the company name.  Never acknowledge or attribute your communications with company specifics unless it is absolutely required to create progress.

Keep your emotions in check when negotiating the payment amount.   Being egotistical during ransomware negotiations over the amount of cryptocurrency to be paid will not result in a lower ransomware payment. If, during negotiations, the attacker gets confrontational to the point where forward progress is not being made, do not respond in kind.  Instead, firmly but quickly end the discussion by informing them that disrespectful communication is not tolerated. Be as matter of fact as possible, emotion has no place when negotiating over email or instant messenger.  Emotion will definitely get lost in translation and the conversation could easily end very badly.  

Never threaten.  If you are negotiating with a criminal for the key to data that only they have, threatening them with anything is generally fruitless. If they accuse you of threatening, firmly but clearly clarify that you didn’t.   

Don’t make decisions on the fly.  Rely on the company’s leadership team to make decisions, and then be the messenger for that body.  Do this even if you are both the CEO and the ransomware negotiator (not recommended). As a group, discuss the attacker’s demands and your ability to meet them, and as a group discuss what you feel is an appropriate response. Be resolved as a group before communicating back any response back to the attackers.

Discuss one issue at a time.  Don’t discuss multiple topics in a single communication with the attackers, it's better to stick with just one.  Discussing complex processes such as the ransom amount, proof of ability to decrypt, and bitcoin addresses in a single email can be confusing for all parties and can increase the risk of error in what is already a situation fraught with challenges.  Keep it simple, one issue per email or instant message communication. Approach your communications in this manner,  and you will have a clear historical record to rely on for reporting, if necessary.

Don’t pay before you confirm what you are buying actually works.  Demand and confirm “Proof of Capability”.  Most ransomware attacker teams can decrypt what they had originally encrypted.  They can prove this by having you send them random files (usually images only) and decrypting them for you.  Make sure you do this before you pay anything.  You want to be assured that your payment will result in decrypted data.

Don’t let someone else set the value of your data.  Don’t get trapped into the mental box of using the attacker’s initial demand amount as the base for your counter offer.  Regardless of what the attackers demand, perform your own assessment of the risks, the potential impacts, and the resources available to pay the ransom.  Make a reasonable offer and, if negotiation is necessary, use your number as the starting point.

How Ingalls Information Security Can Help

Ingalls Information Security understands the Ransomware threat.  Since 2010, we’ve been in war rooms and boardrooms, investigating computer networks targeted and attacked by criminals and nation-state sponsored hackers. This experience gives us a powerful edge in preventing and responding to cyberattacks. 

Ingalls helps businesses large and small manage security risks and defend against cyberattacks. If you’d like to learn more, please check out our Blogs Are You Prepared to Defend Against Ransomware? And Ransomware, To Pay or Not to Pay?  

Or contact us here.  One of our cybersecurity experts will be more than happy to assist you and answer any questions you may have.