Founder, For Crypt GmbH – The leading ransomware experts in Europe.
In his famous work The Art of War, Sun Tzu wrote, “If you know your enemy and know yourself, you need not fear the result of a hundred battles.” I think this ancient wisdom perfectly sums up how companies should negotiate with ransomware hackers.
Understanding your own organization and the impact of a ransomware attack, along with information about the attackers, can help you decide how to negotiate or if you should negotiate at all. So how do you navigate a stressful ransom situation? Below are eight steps you can follow.
Step 1: Build a team
The first step in responding to ransomware is forming a team. You need a team leader who has an overview of the situation and can present data to decision makers. This may require coordination with the heads of different departments to correctly collect the data.
You also need team members who are qualified to perform a variety of tasks, from establishing secure communication channels to summarizing data for decision makers to actually paying a ransom.
If you engage a professional ransomware response team, designate team members to facilitate their work.
Step 2: Contact law enforcement
Before you start talking to the hackers, it is best to contact the police and report the breach. A designated team member must ensure the collection of the data necessary for the police report and for communication with the authorities.
Step 3: Set up secure communication
If the hackers still have access to your network, they can watch your internal communications and pick up insider information that they can use against you in the negotiation process. It is important to keep all communication related to the negotiations secure and encrypted, on channels outside the compromised environment.
Step 4: Damage assessment
It only makes sense to pay the ransom if the benefits outweigh the costs. That means you need to know things like:
• How much of the network has been breached?
• What types of data have been compromised?
• What are the costs associated with the data breach (e.g., patient data, customer data, trade secrets)?
You also need to know how the encrypted data will affect your work.
• How does the loss of the encrypted data affect business operations? How much does the disruption cost?
• How long would it take to get back to normal by manually restoring or reconstructing the data?
• What does the damage look like in terms of customer relationship and brand image?
Hackers know this is a lot to consider. This is why they will probably try to put pressure on you – they don’t want you to have enough time to make good, informed decisions.
Step 5: Connect
If you can, it’s best not to pay the ransom, and most law enforcement agencies recommend avoiding payment if at all possible. However, if the cost of the attack is too high, it may be necessary to contact the hackers. There are also some things to keep in mind when making contact.
Be careful when talking to attackers.
Beware of hackers trying to trick you into giving up information that can be used against you. Keep calm and don’t give out sensitive information when you talk to them.
Verify the extent of the data loss.
Before you start negotiating the ransom, make sure that the attackers are not bluffing. Don’t trust any of their claims and ask for proof. In some cases, they upload the files to a server where you can see them, in which case you know their threats are authentic.
Step 6: Assess the ransom demand
At this point you should know:
• The scope of the attack.
• How much downtime you will experience if you don’t restore the data.
• How long it will take you to get back to normal if you restore the data.
• A rough estimate of the cost of not recovering the data.
If the cost of a ransom is less than the damage of not paying, it makes economic sense to pay the ransom.
Who are you dealing with?
After making contact with the hackers, it is critical to know which group you are dealing with. Some gangs are notorious for demanding multiple ransoms after promising not to leak any data. Others try to build a good “reputation” because they know it will make it easier to get paid.
Step 7: Make counteroffers
According to Cybernews, most ransoms can be negotiated down by at least 20% and sometimes by as much as 90%. Discounts of more than 50% are common in most negotiations. It is helpful to be aware of the typical range of ransom payments for organizations similar to yours so that you know roughly what the attackers are likely to expect.
The same Cybernews article found that the average ransom paid by a small business is about 0.22% of its annual total revenue. This figure can be a starting point to give you an idea of the ransom amount to expect. However, the ransom may fluctuate depending on the nature of the attack and the attackers’ operational methods.
A common negotiation technique is to offer a smaller amount now, or a larger amount later, and state that you are unable to pay the full sum. For example, a message to the hackers might read something like this:
“Our company currently does not have enough capital to pay that amount. However, we have $80,000, which we can pay now if you provide the decryption key and delete the data.”
At the same time, don’t insult the attacker’s intelligence by making ridiculous claims. Losing your credibility with the attackers can damage your bargaining position.
Step 8: Make the payment
Actual payment is not technically part of the negotiation, but payment methods can influence the negotiation. Some hackers offer discounts if you agree to pay them with an anonymous cryptocurrency such as Monero (XMR).
Keep calm and carry on
It is important to take a sober approach to ransomware negotiations. Panic won’t help. Don’t be afraid to ask for more time if the hackers threaten you, and don’t hesitate to consult experts or hire professionals if you feel overwhelmed.