By Sherri Davidoff   /   May 8th, 2019

Ransomware Negotiation: Dos and Don'ts

“I’m just negotiating a ransomware payment, hang on,” Karen Sprenger, LMG’s COO, said politely over lunch. Over the past few years this has become a common occurrence: when she’s involved in a tricky ransomware negotiation, it can be all-consuming, requiring her attention at all hours. I poked my salad with a fork as she intently typed a message on her phone to the criminals.

Criminals have become very good at monetizing their access to your network. They target an organization, encrypt its data, and then demand money for the decryption key, sometimes hundreds of thousands of dollars. Ideally you can restore your data from backups or recover it without paying (for example, when a public decryptor exists for a flawed strain), but in many cases the attackers deliberately find and destroy backups before they encrypt, and their ransomware uses strong, correctly implemented encryption that cannot be broken.

What happens when you decide to pay the ransom? How do you get your data back, while dealing with unethical, and sometimes unpredictable, opponents? I interviewed Karen, who has years of experience negotiating ransom payments. She shared her tips for getting the best outcome, and also pointed out common mistakes to avoid.

  • Require “proof of life.” How do you know that the criminals can actually decrypt your data if you pay? The darknet markets have been flooded with new ransomware products, some of which are poorly designed and can accidentally destroy your data. In other cases, disorganized criminals may not actually have your key or know how to use it. It has become standard practice for professional negotiators to ask for “proof of life,” requiring the criminals to decrypt a test file you choose in order to prove that they can. Karen cautions against using this as an opportunity to trick the criminals into decrypting a very important file, such as your company’s QuickBooks database: criminals are savvy enough to figure that out, and may get angry.
  • Treat a ransomware negotiation like a business deal. Act calm, reasonable and logical. For the criminals, it IS a business deal, and approaching it this way makes it more likely that you will get the best possible outcome for your organization. For example, Karen often offers to make a lower payment, but quickly: “I can get X amount approved and have the money to you by tomorrow,” making it clear that a larger ransomware payment will take longer. Criminals are often willing to accept a lower amount if they trust that they will get their money faster.
  • Don’t pretend to be somebody else or otherwise try to trick the attackers. These days, criminals often explore your network for weeks or even months before they install ransomware and hold you hostage. During this time, they learn about your organization. Karen shared one case in which the criminals demanded a $200,000 ransomware payment. The company responded that they could only afford to pay $60,000. The criminals clapped back immediately: “Not according to your financials.” Trying to trick the attacker frequently makes a ransomware negotiation more difficult. In another case, the company’s IT administrator pretended to be a high school student, and claimed that he could only afford a ransom of a few hundred dollars. The criminals knew that this was a lie. “They seem to have little patience for ‘game playing,’” Karen says. “If they see that type of behavior, they will just write you off and move on to the next potential payer without responding to you.”
  • Don’t expect classic rules of hostage negotiation to apply when it comes to ransomware. Unlike human hostage situations, criminals do not have to feed, house or monitor a live person. “In many cases, the attackers have hundreds, if not thousands of potential payments coming in,” says Karen. “It’s rare that they track any individual case, particularly when the ransom is low.” She adds that it’s important to reach out proactively and quickly in cases involving a ransomware negotiation. “There is always the risk that the attackers move on to a different attack model, ransomware strain, other victims, etc. and delete old decryption keys as they find new victims, meaning that they will lose the ability to decrypt your data if you wait too long.”
  • Don’t make unrealistic promises. It sounds funny, but a certain level of mutual trust is required in a ransomware negotiation. If you make a promise to the criminals, such as wiring them money by a certain date, stick to it. Otherwise, they may choose to stop responding, or even respond punitively by publishing your data. This was illustrated in a very public case involving an orthopedic clinic. According to DataBreaches.net, “At various points, [the clinic] indicated that it was willing to pay some ransom, but needed to work out a payment system. Later, they indicated they were willing to do a wire transfer. At other points, they didn’t respond by deadlines [the criminals] had given them, infuriating the hackers… some of the public leaks of …patient information were in direct response to [the clinic] failing to follow through on what it had told the hackers it would do.”
  • Take a team approach. Both you and the criminals have a mutual interest in a successful outcome. Use words like “we” in your conversation with the criminals to reinforce this sentiment.
  • Get a professional involved. Handling a ransomware negotiation is tricky, to say the least. If you are held hostage, pull in an experienced ransomware negotiator to help.
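As an added example (not code from the article, from Karen, or from LMG), the following Python helper shows one way to make the “proof of life” step concrete: pick a low-value encrypted file that you can independently verify, then check the decrypted copy the attackers return against a SHA-256 hash from a pre-incident backup manifest, falling back to the file type’s signature bytes when no reference hash exists. The `.locked` suffix, the manifest format, the extension allow-list and the sample files are assumptions made up for this example; real strains and real backup inventories differ.

```python
"""Proof-of-life helpers for a ransomware negotiation (added example).

Assumptions (hypothetical): the strain appends ".locked" to encrypted
files; a backup manifest maps relative paths to SHA-256 hashes taken
before the incident; file signatures give a weaker check otherwise.
"""
import hashlib
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".locked"                      # assumed; varies by strain

# Low-value types to offer as a test. Databases, spreadsheets and documents
# are deliberately excluded: do not try to get a key file decrypted "for free".
LOW_VALUE_EXTENSIONS = {".png", ".jpg", ".gif", ".ico", ".txt"}

# Signature bytes for the weak fallback check (real, well-known magic numbers).
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}

MAX_TEST_SIZE = 1 * 1024 * 1024                   # keep the test file small


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def pick_test_candidates(root: Path, manifest: dict, limit: int = 3) -> list:
    """Encrypted files safe to hand over: low-value type, small, and
    preferably with a known-good hash so the plaintext can be verified."""
    found = []
    for path in sorted(root.rglob("*" + ENCRYPTED_SUFFIX)):
        original = path.with_suffix("")           # strip ".locked"
        if original.suffix.lower() not in LOW_VALUE_EXTENSIONS:
            continue
        if path.stat().st_size > MAX_TEST_SIZE:
            continue
        verifiable = str(original.relative_to(root)) in manifest
        found.append((not verifiable, path))      # verifiable files sort first
    return [p for _, p in sorted(found)[:limit]]


def verify_decrypted_sample(original_rel: str, decrypted: Path, manifest: dict):
    """Strong check: hash matches the backup manifest. Weak fallback: the
    file carries the expected signature (proves the key works, not integrity)."""
    if original_rel in manifest:
        digest = sha256_file(decrypted)
        if digest == manifest[original_rel]:
            return True, "sha256 matches backup manifest"
        return False, f"sha256 mismatch: got {digest}"
    magic = MAGIC.get(Path(original_rel).suffix.lower())
    if magic is None:
        return False, "no reference hash and no known signature; cannot verify"
    with open(decrypted, "rb") as f:
        head = f.read(len(magic))
    if head == magic:
        return True, "no reference hash; signature matches (weak check)"
    return False, "no reference hash; signature does not match"


def run_demo() -> dict:
    """Constructed scenario in a temp directory; every file here is made up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        logo_plain = MAGIC[".png"] + b"\x00" * 64      # stands in for the real PNG
        manifest = {"photos/logo.png": hashlib.sha256(logo_plain).hexdigest()}

        def locked(rel: str, size: int) -> None:
            p = root / (rel + ENCRYPTED_SUFFIX)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(os.urandom(size))            # stands in for ciphertext

        locked("photos/logo.png", 72)
        locked("photos/banner.jpg", 500)               # no hash in manifest
        locked("finance/company.qbw", 4096)            # sensitive: never offered
        locked("docs/huge.txt", MAX_TEST_SIZE + 1)     # too large

        candidates = [str(p.relative_to(root)) for p in pick_test_candidates(root, manifest)]

        returned = root / "returned_logo.png"
        returned.write_bytes(logo_plain)               # attackers return good plaintext
        good, _ = verify_decrypted_sample("photos/logo.png", returned, manifest)
        returned.write_bytes(logo_plain[:-1] + b"\x01")  # corrupted decryption
        bad, _ = verify_decrypted_sample("photos/logo.png", returned, manifest)

        banner = root / "returned_banner.jpg"
        banner.write_bytes(MAGIC[".jpg"] + b"\x00" * 16)
        weak, note = verify_decrypted_sample("photos/banner.jpg", banner, manifest)

    return {"candidates": candidates, "good": good, "bad": bad, "weak": weak, "note": note}


if __name__ == "__main__":
    print(run_demo())
```

The ordering in `pick_test_candidates` matters: a file whose pre-incident hash you hold proves the key is correct and the decryptor is not silently corrupting output, which a signature check alone cannot show. Hand over the file, not the hash, and choose something you would not mind the attackers reading.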

To recap:

  • DO require “proof of life.”
  • DO treat the ransomware negotiation like a business deal.
  • DO take a team approach.
  • DON’T pretend to be somebody else or otherwise trick the attackers.
  • DON’T expect classic rules of hostage negotiation to apply when it comes to ransomware.
  • DON’T make unrealistic promises.
  • DO hire a professional ransomware negotiator.

Thanks for reading part one of our four-part series on ransomware – stay tuned for our second article in this series. For more information about responding to ransomware, see LMG’s ransomware decryption safety tips.

About the Author

Sherri Davidoff

Sherri Davidoff is the CEO of LMG Security and the author of three books, including “Ransomware and Cyber Extortion” and “Data Breaches: Crisis and Opportunity.” As a recognized expert in cybersecurity, she has been called a “security badass” by the New York Times. Sherri is a regular instructor at the renowned Black Hat trainings and a faculty member at the Pacific Coast Banking School. She is also the co-author of “Network Forensics: Tracking Hackers Through Cyberspace” (Prentice Hall, 2012), and has been featured as the protagonist in the book “Breaking and Entering: The Extraordinary Story of a Hacker Called ‘Alien.’” Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN) and received her degree in Computer Science and Electrical Engineering from MIT.