As ransomware attacks have increased in intensity over the last few years, so too has the demand for ransom negotiators. Working on behalf of their customers, these skilled specialists aim to prevent the incident from escalating, whilst enabling a controlled dialogue between the victim and threat actor in order to bring the matter to a controlled conclusion. Ransom negotiators specialise in communicating with threat actors who have breached company systems and are attempting to extort businesses for financial gain. These threat actors typically refuse to release decryption keys, or threaten to leak or sell any data they’ve stolen, if they’re not paid a lump sum before a specified deadline.

“Negotiators are crucial in helping companies devise a negotiation strategy to assist executives to make an informed decision,” says Dan Saunders, Quorum Cyber’s Director of Incident Response in EMEA. “The objectives are often to buy time, inform decisions, and collect intelligence, which may partly help us identify and attribute who is behind the cyber-attack.”

Dan’s team uses a variety of tactics during negotiations. “We engage with the criminals but that doesn’t mean our customers will always pay the ransom,” he explains.

Such negotiations, which can take place over numerous end-to-end encrypted communications channels, can last anywhere from just a few days to several weeks.

To pay or not to pay

It’s up to the customer, whose data has been compromised, to make the decision about whether to pay the agreed ransom fee, pay a lower amount or not pay at all. Bitcoin remains criminals’ preferred method of payment.

Before then, Dan’s team needs to consider all the relevant government laws and industry regulations when giving information to the customer.

However, even if the customer decides to make a payment, it doesn’t mean that the criminals will stick to their end of the deal. They have been known to release the data on the dark web regardless.

Dan explains that when businesses find the ransom note, they need to decide whether to keep quiet or engage with the threat actor. “It’s a business decision. In the last year only 30% of negotiations handled by Quorum Cyber on behalf of the victim organisations resulted in a financial settlement between the victim and threat actor. Engagement has several benefits for the victim, including gaining some level of control over an escalating situation and buying time.”

Whether a ransom is paid or not depends on a number of criteria:

  • The perceived value of the data
  • Whether the data has been encrypted
  • If the data has been backed up
  • Business interruption costs
  • The law, in particular sanctions
  • If the data has implications for national security
  • The reputation of the threat actor.

Understanding the criminals’ tactics

Once a negotiation is underway, Dan explains, the threat actor often reduces the initial demand, sometimes to conclude the deal more quickly. Criminals have even been known to check what cyber insurance the victim organisation has, if any, before threatening to publicise the incident to increase pressure on the business.

When navigating a ransomware attack, he says it’s vital to understand who the threat actor is, their track record and tactics, any patterns of behaviour, what actions and decisions they’re likely to take, and the likelihood of them leaking data even after they’ve been paid a ransom. The time taken for the threat actor to communicate and make decisions is useful information, too. It’s possible that the negotiating team has encountered the criminals before. Either way, it can use all of this intelligence to achieve a better outcome for the victim organisation.

Quorum Cyber has built up a deep understanding of the behavioural patterns and decision timelines of a wide range of criminals around the globe.

Dan shares some advice for any organisation that finds itself in a ransom negotiation:

  • Evaluate, justify, and record decision making
  • Obtain actionable intelligence to make informed decisions
  • Manage expectations internally and externally
  • Understand your regulatory obligations.

Find out more about how to secure your organisation

Contact us if you want to talk about your cyber security needs. If you ever believe you’re under attack or have recently experienced a cyber-attack, our team is ready to help you right away – just call our Emergency Helpline.
