The changing role of a ransomware negotiator
Ransomware remains very much in the cyber spotlight. But the days of high-volume, indiscriminate attacks may be behind us. According to Comparitech, the U.S. had 335 publicly-reported ransomware attacks in 2022, which is half the number recorded in 2021. Similarly, ransom demands dropped from an average of $5.5 million in 2021 to $4.74 million in 2022. However, that statistic disguises a vital shift in focus. The business sector’s average rose from $8.4 million to $13.2 million in that same period. This indicates that hackers are taking a more targeted approach — concentrating their attacks on big organizations with more data they can sell or use to extort larger payments.
No wonder many enterprises are seeking outside help to combat the ransomware scourge. Common strategies include managed services and paying retainers to firms like GuidePoint Security to handle cyber incidents. Tony Cook, head of threat intelligence at GuidePoint Security, said the average incident retainer (IR) is about a year long. During that period, the company is on hand to deal with incidents or potential cybersecurity challenges.
Should you pay the ransom?
In some cases, this goes as far as becoming the ransomware negotiator for the client. He’s dealt with cybergangs such as Conti, LockBit, REvil and DarkSide in that role. Lockbit, he said, has been the dominant player in recent months.
“The usual question is whether to negotiate or not, but it is hard to give a simple yes or no,” said Cook. “If you’re going to be down for 10 days and you’re losing millions of dollars a day, you have to evaluate the risk and the damage potential.”
Part of the negotiation process is stringing things along so you have more time to determine your response. Cook said the responsiveness of cyber gangs varies heavily. Some will go back and forth with you on a minute-by-minute basis. Others are slower and respond via email. You might not hear back for a day or two.
They’ve often researched enough to know that the victim can pay the sum requested. Failure to do so can mean data is leaked, and perhaps the gang will launch further attacks, such as Distributed Denial of Service (DDoS), to turn up the heat.
Negotiation Tactics
Cook said the job of the ransomware negotiator varies from situation to situation. Sometimes you try to get across the idea that the hackers are dealing with a small company with limited means. Regardless of how it begins, it is important to establish an initial conversation between you and the threat actor directly. However, that is not always possible. Some groups know what they have, have a good idea of what you can pay, and want action immediately — or else.
In other cases, you can get them to share a little of what they think is of value. That enables the negotiator to determine the extent of the breach and advise the client on the potential risk. Based on such data, the decision on whether to pay or not becomes easier to make.
ChatGPT training built for everyone
“A few years ago, you could probably negotiate down, even some of the major groups, by 50% or more,” said Cook. “That’s not the case anymore. If the actor really wants you to pay an amount of money, they’re either not going to back down, or they might come down only 1% or 2%.”
If there is a little leeway on the ransom amount, the negotiator can at least buy the organization a few days by engaging in a dialogue. That allows victims enough time to get over their initial panic and to reach the best decision for their particular circumstances on how they wish to proceed.
A good reason to hire a negotiator or to have one on hand via an IR is that they know who the different gangs are and how they operate. They have threat actor profiles for each of them, how they negotiate, what the process has been, and whether there is a decrypter for that ransomware strain that is publicly known. If the latter is the case, that’s the end of the negotiation. Otherwise, a lot goes on in the background. It is vital to determine if good backups exist that are free of ransomware, the extent of the environment that has been compromised, how long it might take to get everything restored, and the business consequences of such a delay.
After the Event
Following the resolution of the immediate ransomware threat, there are a series of actions to undertake. These include a thorough review of the state of backups, determining how to protect backups from ransomware, deployment of extended detection and response (EDR) technologies, and evaluation of other safeguards that should be added to prevent attacks in the future.
A forensic investigation, too, should be initiated to determine precisely how the breach happened, which endpoints were penetrated in which order, and how the attack progressed. As part of this, steps need to be taken to root out any further malware that may have been hidden in exposed systems by the bad guys. The organization should also review its cyber insurance coverage.
“Ransomware has shown people how insecure they are; cyber insurance is just another way to move that risk to something else,” said Cook. “Some of our larger clients decided not to pay cyber insurance anymore, and instead, they set apart the money that they would have paid for cyber insurance to build up their own cyber-defense fund.”
ChatGPT training built for everyone
Be Prepared For Ransomware Incidents
Ransomware has become a fact of life. The best approach is to apply security best practices to prevent a breach in the first place. But ransomware investigators should be called in to assist in any interactions with cyber gangs when it does occur.
Learn more about Ransomware Negotiation from GuidePoint Security's Tony Cook on this episode of Cyber Work.
In this Series
- The changing role of a ransomware negotiator
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
Get free resources in your inbox!
Sign up for our newsletter and get free cybersecurity resources in your inbox every week. Prepare for your next cert, learn new skills, increase your salary and more!
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization