The dos and don’ts of ransomware negotiations

Malware News
1

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Has your organization suddenly been attacked by a ransomware virus? Take a deep breath and try to remain composed. It can be easy to panic or become overwhelmed in the face of an attack, but it is vital to remain calm and focused in order to make the best decisions for your organization.

The initial actions to take in the event of a ransomware attack

  • Disconnect the affected devices from the network as soon as possible. This can help to prevent the ransomware from spreading to other computers or devices.
  • Determine what data has been affected and assess the extent of the damage.
  • Determine the specific type of ransomware virus that has infected your devices to understand how this malware operates and what steps you need to take to remove it.
  • It is important to notify all employees about the ransomware attack and instruct them not to click on any suspicious links or open any suspicious attachments.
  • Consider reporting the attack. This can help to increase awareness of the attack and may also help to prevent future attacks. Please note that in some regions, business owners are required by law to report an attack.

Do not rush into a decision. Take the time to carefully evaluate your options and the potential consequences of each of them before deciding whether to pay the ransom or explore other solutions.

Paying the ransom is not the only option. Consider exploring other solutions, such as restoring your data from backups. If you do not have backups, cybersecurity experts may be able to help you recover your data since many ransomware strains were decrypted and keys are publicly available.

Strategies cybercrooks employ to obtain funds from victims swiftly

Cyber extortionists use various tactics beyond just encrypting data. They also use post-exploitation blackmail methods to coerce victims into paying them. Very often, cybercriminals use several extortion tactics simultaneously. Some examples of these tactics include:

  • Steal and disclose

Cyber extortionists not only encrypt victims' data but also often steal it. If the ransom is not paid, the stolen files may be made publicly available on special leak websites, which can cause severe damage to the victim's reputation and make them more likely to give in to the attackers' demands.

  • Destroy keys if a negotiation company intervenes

Some ransomware authors have threatened to delete the private keys necessary for decrypting victims' data if they seek the help of a professional third party to negotiate on their behalf.

  •  Launch a DDoS attack

Ransomware attackers often threaten to flood the victim's website with a large volume of traffic in an effort to put it down and intimidate the targeted company into paying the ransom faster.

  • Cause printers to behave abnormally

Some hackers were able to take control of the printers and print ransom notes directly in front of partners and customers. This provides a high level of visibility for the attack, as it is difficult for people to ignore the ransom notes being printed.

  • Use Facebook ads for malicious purposes

Criminals have been known to use advertising to gain attention for their attacks. In one instance, ransomware developers used Facebook ads to shame their victim by highlighting the organization's weak defenses.

  • Stir up anxiety among customers

Ransomware authors may send intimidating emails to the customers of major companies whose data was compromised. The emails threaten to leak the recipients' data unless the affected organization pays the ransom. The attackers encourage the recipients to pressure the affected companies to make the payment quickly.

Do not try to handle the situation on your own

Although ransomware is a trend in the world of cyber-attacks, hackers are not always successful in obtaining the ransom. They constantly have to develop new methods to replenish their arsenal of extortion techniques.

To make life as difficult as possible for hackers, the main thing to do is not to try to act alone. There are well-established mechanisms to counter extortionists.

Do seek professional assistance from others, even if it means losing some or all of your data. There are plenty of organizations and resources that can provide professional assistance and guidance. Some potential options include:

  • Cybersecurity experts: These professionals can provide specialized expertise and assistance with recovering your data, as well as advice on how to prevent future attacks.
  • Computer emergency response teams: Many countries and regions have organizations known as CERTs that assist with responding to and recovering from cyber incidents, including ransomware attacks.
  • Ransomware recovery services: Some companies specialize in helping organizations recover from ransomware attacks and can provide a range of services, including data recovery, threat assessment, and ransomware negotiation.
  • Law enforcement: In many cases, it may be appropriate to involve law enforcement agencies. They can help with investigations, help recover data, identify and prosecute the attackers.

It is essential to carefully research and evaluate any resources or services you consider using. Seek advice from multiple sources to find the best way out.

Before negotiations

It is generally not recommended to negotiate with ransomware attackers or pay the ransom. Doing so can encourage further ransomware attacks. Paying the ransom not only supports the attackers' criminal activity but also puts your organization at risk of being targeted again.

Keep in mind that there is no guarantee that the attackers will actually provide the decryption key - even if you do pay the ransom. Therefore, it is important to weigh the risks and potential consequences carefully before deciding to pay.

Ransomware attacks and payments are often carried out anonymously, using encrypted communication channels and cryptocurrency. Hackers usually provide an encrypted chat or email service for communication. Try to negotiate additional channels and means of communication with the adversary. Try to establish a line of communication with the attackers that involves mutual trust (as much as possible in this situation.)

If you decide to negotiate with the attackers and pay the ransom, it is important to keep a record of all communications, including any instructions for paying the ransom. This information may be helpful for law enforcement and cybersecurity experts who are investigating the attack.

Ask the attackers to demonstrate the decryption key and show that it actually works by decrypting several random files. This can help you ensure that you are dealing with the actual attackers and not a third party.

Research the attackers and their past behavior. If the attackers have been known to negotiate or provide the decryption key after receiving payment in the past, this may help to increase your confidence in the negotiation and may also give you leverage to negotiate a lower amount.

Tips for negotiating with the attackers

If you have exhausted all other options and have determined that paying the ransom is the only way to recover your data, here are a few tips for negotiating with the hackers:

  1. The attackers may try to pressure you by threatening to destroy or leak data, but it is important not to let this influence your decision. Do not show any signs of desperation or urgency. Remain calm and composed all the time.
  2. Do not reveal whether or not you have cyber insurance.
  3. Do not offer to pay the entire ransom upfront. Instead, consider offering to pay a small portion of the ransom upfront, with the remainder to be paid after the decryption key has been provided and you have successfully decrypted all data.
  4. Consider offering to pay the ransom in a cryptocurrency that you already have and is less commonly used or even less easily traced. This can make it more difficult for the attackers to convert the ransom into actual money and may make them more willing to negotiate a lower amount.
  5. Consider offering to publicize the attack and the ransom negotiation in order to put pressure on the attackers. This can make it more difficult for the attackers to extort other victims in the future and may make them more willing to negotiate a lower ransom amount.
  6. If the attackers have already agreed to negotiate the ransom amount and have lowered the price, you may try to push for a further reduction by continuing to negotiate and offering a lower amount. However, keep in mind that the attackers are likely to have a minimum amount that they are willing to accept, and it may not be possible to push them to lower the price further.

Be prepared to walk away from the negotiation if the attackers are unwilling to compromise or if the terms they offer are unacceptable, even if it entails losing your data.

How to prevent ransomware attacks

It is always good to focus on preventative measures to avoid falling victim to ransomware in the first place. Here are some tips in this regard:

  1. Implement a robust cybersecurity policy that includes regular software updates and the use of security software.
  2. Educate your employees about the risks of ransomware and how to protect against it, such as not opening attachments or clicking on links from unfamiliar sources.
  3. Take care of backups and implement a disaster recovery plan to ensure that you can restore your data if it becomes encrypted.
  4. Use strong, unique passwords and employ MFA where possible.
  5. Consider purchasing cybersecurity insurance to protect your company against financial losses resulting from a ransomware attack.

Article Link: The dos and don’ts of ransomware negotiations | AT&T Cybersecurity