As ransomware attacks are becoming more targeted, tailored and sophisticated in nature, they may increasingly resemble a “cyber-hostage” situation. This makes the problem of proper management of the engagement process with the extortionist a key issue for the targeted company.

Some of the important aspects to consider:

Decision to negotiate with the attacker must be based on cost-benefit analysis. Responding to the extortion demand should not be a default option.

The ransomware situation is a game – know your options and payoffs, understand the adversary, think about potential escalation scenarios.

One needs to think about ransomware situation comprehensively and differentiate between the; technical aspect (i.e. the cyber-attack itself), handling of the engagement (i.e. deciding if to engage, deciding on negotiation strategy), dealing with the fallout (i.e. mitigating reputational risk, ensuring proper compliance, communicating with key stakeholders).

There may be good reasons to commence negotiations with the extortionist e.g.; to buy time to develop a response plan, to negotiate lower price, to gather more information about the attacker.

At the same time the criminals may use the engagement process to gain further leverage over the target, for instance by; taking advantage of the situation to find new pressure points/vulnerabilities, increasing the cost of breaking off the negotiations for the target.

The very content of the negotiations may be used by the malicious actor against the target, for instance by threatening to publicly release sensitive parts of the communication.

The malicious actor may also use variety of other tactics to increase pressure on the target e.g:

  • gradually leak select target’s data to the public
  • launch cyber-attacks against target’s asset
  • actively try to engage the media to cover the situation
  • threaten target’s employees with violence, including physical assaults

The targeted company should not hesitate and immediately terminate the engagement with the attacker if it considers further negotiations to be harmful.

Sources / inspiration:

How to Break Up with Your Extortionist: Tales from the Ransom Frontlines“, RSA Conference 2018, San Francisco.