Industry insights

The changing role of a ransomware negotiator

Drew Robb
August 24, 2023 by
Drew Robb

Ransomware remains very much in the cyber spotlight. But the days of high-volume, indiscriminate attacks may be behind us. According to Comparitech, the U.S. had 335 publicly-reported ransomware attacks in 2022, which is half the number recorded in 2021. Similarly, ransom demands dropped from an average of $5.5 million in 2021 to $4.74 million in 2022. However, that statistic disguises a vital shift in focus. The business sector’s average rose from $8.4 million to $13.2 million in that same period. This indicates that hackers are taking a more targeted approach — concentrating their attacks on big organizations with more data they can sell or use to extort larger payments.

No wonder many enterprises are seeking outside help to combat the ransomware scourge. Common strategies include managed services and paying retainers to firms like GuidePoint Security to handle cyber incidents. Tony Cook, head of threat intelligence at GuidePoint Security, said the average incident retainer (IR) is about a year long. During that period, the company is on hand to deal with incidents or potential cybersecurity challenges.

Should you pay the ransom?

Should you pay the ransom?

Download The Ransomware Paper for real-world ransomware examples, mistakes and lessons learned.

In some cases, this goes as far as becoming the ransomware negotiator for the client. He’s dealt with cybergangs such as Conti, LockBit, REvil and DarkSide in that role. Lockbit, he said, has been the dominant player in recent months.

“The usual question is whether to negotiate or not, but it is hard to give a simple yes or no,” said Cook. “If you’re going to be down for 10 days and you’re losing millions of dollars a day, you have to evaluate the risk and the damage potential.”

Part of the negotiation process is stringing things along so you have more time to determine your response. Cook said the responsiveness of cyber gangs varies heavily. Some will go back and forth with you on a minute-by-minute basis. Others are slower and respond via email. You might not hear back for a day or two.

They’ve often researched enough to know that the victim can pay the sum requested. Failure to do so can mean data is leaked, and perhaps the gang will launch further attacks, such as Distributed Denial of Service (DDoS), to turn up the heat. 

Negotiation Tactics

Cook said the job of the ransomware negotiator varies from situation to situation. Sometimes you try to get across the idea that the hackers are dealing with a small company with limited means. Regardless of how it begins, it is important to establish an initial conversation between you and the threat actor directly. However, that is not always possible. Some groups know what they have, have a good idea of what you can pay, and want action immediately — or else.

In other cases, you can get them to share a little of what they think is of value. That enables the negotiator to determine the extent of the breach and advise the client on the potential risk. Based on such data, the decision on whether to pay or not becomes easier to make.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

“A few years ago, you could probably negotiate down, even some of the major groups, by 50% or more,” said Cook. “That’s not the case anymore. If the actor really wants you to pay an amount of money, they’re either not going to back down, or they might come down only 1% or 2%.”

If there is a little leeway on the ransom amount, the negotiator can at least buy the organization a few days by engaging in a dialogue. That allows victims enough time to get over their initial panic and to reach the best decision for their particular circumstances on how they wish to proceed.

A good reason to hire a negotiator or to have one on hand via an IR is that they know who the different gangs are and how they operate. They have threat actor profiles for each of them, how they negotiate, what the process has been, and whether there is a decrypter for that ransomware strain that is publicly known. If the latter is the case, that’s the end of the negotiation. Otherwise, a lot goes on in the background. It is vital to determine if good backups exist that are free of ransomware, the extent of the environment that has been compromised, how long it might take to get everything restored, and the business consequences of such a delay.

After the Event

Following the resolution of the immediate ransomware threat, there are a series of actions to undertake. These include a thorough review of the state of backups, determining how to protect backups from ransomware, deployment of extended detection and response (EDR) technologies, and evaluation of other safeguards that should be added to prevent attacks in the future.

A forensic investigation, too, should be initiated to determine precisely how the breach happened, which endpoints were penetrated in which order, and how the attack progressed. As part of this, steps need to be taken to root out any further malware that may have been hidden in exposed systems by the bad guys. The organization should also review its cyber insurance coverage.

“Ransomware has shown people how insecure they are; cyber insurance is just another way to move that risk to something else,” said Cook. “Some of our larger clients decided not to pay cyber insurance anymore, and instead, they set apart the money that they would have paid for cyber insurance to build up their own cyber-defense fund.” 

ChatGPT training built for everyone

ChatGPT training built for everyone

We've created a training video and supplemental resources to educate every employee on how to use AI tools securely. Meet with a member of our team to get started.

Be Prepared For Ransomware Incidents

Ransomware has become a fact of life. The best approach is to apply security best practices to prevent a breach in the first place. But ransomware investigators should be called in to assist in any interactions with cyber gangs when it does occur.

Learn more about Ransomware Negotiation from GuidePoint Security's Tony Cook on this episode of Cyber Work

Drew Robb
Drew Robb

Drew Robb has been writing about IT, engineering and cybersecurity for more than 25 years. He's been published in numerous outlets and resides in Florida.