A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 30 September 2021
For eight years, Kivu has been helping organisations respond to ransomware attacks which in many cases includes us negotiating with the attackers even before a decision has been taken on whether to pay the ransom. But how does that sit with the recent announcements from ransomware attackers that they will “kill the hostage” if you attempt to negotiate.
There are multiple reasons for starting negotiations immediately, often highly dependent on which ransomware attacker we’re dealing with. We might want to establish communications to preserve our options, even if we’re optimistic we can restore the data from other sources. In some attacks, inexperienced attackers are simply overwhelmed by the success of their actions. If you don’t at least make contact, you risk losing your place in line. Victims who delay in responding find that the attackers themselves were slow to get back to them (which exacerbated the business interruption losses) or, in worst case scenarios, find the attackers have taken their profits and closed their operations leaving encrypted victims with no means of recovery. Certainly, burning bridges and antagonising attackers was always counter-productive.
At the same time, if it is clear that there is no need to obtain decryption keys from the attacker or solicit a promise not to publish stolen data (for example because satisfactory backups exist or data exfiltration was prevented), then we would advise against any form of communication. Implying that you are interested in paying and then ghosting an attacker is simply provoking someone who has already attacked and nearly penetrated your network.
If it appeared that alternative roads to recovery were unlikely and that paying a ransom might be the only way to return to operations then, subject to our due diligence finding no issues violating OFAC rules or other regulatory regimes, we may begin negotiating with the attackers.
Which brings us to the first rule of extortion negotiation: Successful negotiation ends with a win for both sides. And a “win” for the victim is highly fact dependent. It may involve reducing the ransom amount or (equally important for some victims) confirming that the decryption keys will actually decrypt all of the affected network. Other demands may include having the attacker confirm how they got into the network or a promise they won’t publicise stolen data or even attack again. It’s crucial that the client understands what requests are reasonable and to be aligned on what it primarily wants from the negotiation.
To successfully advise a client on these points, you need to understand the second rule of extortion negotiation: To negotiate successfully, you need to know your opponent. Many attackers, particularly those demanding million dollar ransoms, carry out extensive recon within their victims’ networks to discover its financial and market position. The victim therefore needs similar information about the attacker to negotiate successfully, and a bona fide negotiator should have that information about the dozens of different ransomware attackers.
Which brings us to the latest twist and the latest threat from the attack group Ragnar Locker posted on the Dark Web:
“So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the Police/FBI/Investigators, we will consider this as a hostile attempt and we will initiate the publication of whole compromised Data immediately. Don’t think please that any negotiators will be able to deceive us, we have enough experience and many ways to recognize such a lie.”
Ragnar Locker is serious and calling out negotiation vendors by name. So shouldn’t you stop negotiating and just pay up / cross your fingers or not engage and try to resolve the ransomware attack without promises or decryption keys from the attackers?
London - Walbrook
+44 (0)20 7894 6930
+44 (0) 20 7894 6925
Hans Allnutt, Camilla Elliot
Jade Kowalski, Astrid Hardy
Hans Allnutt, Stuart Hunt
Astrid Hardy, Hans Allnutt
Louise Gallagher, Katie Anderson
Patrick Hill, Hans Allnutt
Andrew Robinson, Summer Montague, Hermanto Moeljo
Patrick Hill, Brett Randles, Jonathan Meer
Christopher Air, Shanaka Wijetunge, Alexander Dimitrov
Vladimir Rostan d’ Ancezune, Jonathan Hopkins
Hans Allnutt, Patrick Hill
Aidan Healy, Alexander Dimitrov
Patrick Hill, Stuart Hunt
Hans Allnutt, Astrid Hardy