Ransomware – When should you negotiate?

Published 30 September 2021

For eight years, Kivu has been helping organisations respond to ransomware attacks which in many cases includes us negotiating with the attackers even before a decision has been taken on whether to pay the ransom. But how does that sit with the recent announcements from ransomware attackers that they will “kill the hostage” if you attempt to negotiate.

There are multiple reasons for starting negotiations immediately, often highly dependent on which ransomware attacker we’re dealing with. We might want to establish communications to preserve our options, even if we’re optimistic we can restore the data from other sources. In some attacks, inexperienced attackers are simply overwhelmed by the success of their actions. If you don’t at least make contact, you risk losing your place in line. Victims who delay in responding find that the attackers themselves were slow to get back to them (which exacerbated the business interruption losses) or, in worst case scenarios, find the attackers have taken their profits and closed their operations leaving encrypted victims with no means of recovery. Certainly, burning bridges and antagonising attackers was always counter-productive.

At the same time, if it is clear that there is no need to obtain decryption keys from the attacker or solicit a promise not to publish stolen data (for example because satisfactory backups exist or data exfiltration was prevented), then we would advise against any form of communication. Implying that you are interested in paying and then ghosting an attacker is simply provoking someone who has already attacked and nearly penetrated your network.

If it appeared that alternative roads to recovery were unlikely and that paying a ransom might be the only way to return to operations then, subject to our due diligence finding no issues violating OFAC rules or other regulatory regimes, we may begin negotiating with the attackers.

Which brings us to the first rule of extortion negotiation: Successful negotiation ends with a win for both sides. And a “win” for the victim is highly fact dependent. It may involve reducing the ransom amount or (equally important for some victims) confirming that the decryption keys will actually decrypt all of the affected network. Other demands may include having the attacker confirm how they got into the network or a promise they won’t publicise stolen data or even attack again. It’s crucial that the client understands what requests are reasonable and to be aligned on what it primarily wants from the negotiation.

To successfully advise a client on these points, you need to understand the second rule of extortion negotiation: To negotiate successfully, you need to know your opponent. Many attackers, particularly those demanding million dollar ransoms, carry out extensive recon within their victims’ networks to discover its financial and market position. The victim therefore needs similar information about the attacker to negotiate successfully, and a bona fide negotiator should have that information about the dozens of different ransomware attackers.

Which brings us to the latest twist and the latest threat from the attack group Ragnar Locker posted on the Dark Web:

“So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the Police/FBI/Investigators, we will consider this as a hostile attempt and we will initiate the publication of whole compromised Data immediately. Don’t think please that any negotiators will be able to deceive us, we have enough experience and many ways to recognize such a lie.”

Ragnar Locker is serious and calling out negotiation vendors by name. So shouldn’t you stop negotiating and just pay up / cross your fingers or not engage and try to resolve the ransomware attack without promises or decryption keys from the attackers?

1. Remember why some attackers are trying to scare victims away from using skilled negotiators. They are the experts who may persuade a victim not to pay (e.g. paying that attacker may be an OFAC violation or the decryption tools don’t work).
   
   
2. Remember “you need to know your opponent”. While Ragnar Locker is making the headlines with its cynical press releases, most ransomware attacks continue along traditional lines. They’re open to negotiation often with win-win outcomes (such as large reductions in the ransom demands from the Phobos and Babuk groups – at least before EvilCorp tried to evade OFAC sanctions by masquerading as Babuk attackers – the poster child example of “know your enemy”).
   
   
3. In ransomware cases involving threats to publish data (e.g. Conti, Sodinokibi/Revil, Lockbit), our advice to clients is that the damage has already been done. Even if you pay to avoid immediate publication and the adverse publicity (or even just being named on the “Wall of Shame”), your stolen data has almost certainly been sold by the attackers. Again, it goes back to ensuring that the client is clear about the goals of the negotiation. If it’s to win time while you get your legal, regulatory and public relations responses set up, that’s a potentially valid goal. But if you don’t know your enemy, and try it on the wrong ransomware team, expect a Ragnar Locker trip to corporate Valhalla.

Winston Krone, Chief Research Officer, Kivu Consulting