Cyber security and threat analysts from Fox-IT (part of NCC Group) have shone a light on the mechanics of ransomware negotiations to help organisations improve the outcome of an attack.
Concepts were presented by Pepijn Hack and Zong-Yu Wu at Black Hat Europe 2021 and expanded upon in a detailed NCC Group blog posting shortly after. The data comes from research of over 700 attacker-victim negotiations between 2019 and 2020 and a paper that explores three main topics. These are:
- How adversaries use economic models to maximise their profits
- What this indicates about the position of the victim during the negotiation phase
- Strategies ransomware victims can leverage to even the playing field
“This empirical research suggests that the ecosystem of ransomware has been developed into a sophisticated business,” the researchers wrote. “Each ransomware gang has created their own negotiation and pricing strategies meant to maximise their profit.”
Ransomware groups in driving seat of negotiations
The dataset focused primarily on two different ransomware strains. The first was collected in 2019 when adversaries were relatively inexperienced and ransom demands were lower. It consisted of 681 negotiations between victims and ransomware group. The second dataset, consisting of 30 negotiations, was collected in late 2020 and early 2021, when attacks became a major threat to companies worldwide.
Analysis revealed that the maturity of ransomware operations has improved. Underground groups are calculating the cost of an attack and implementing ransom pricing strategies based on multiple variables about victim organisations, including the number of infected devices/servers, employees, estimated revenue, and potential impact of media exposure.
In doing so, attackers can accurately predict how much victims are likely to pay before they even enter negotiations. Once they do, victim organisations are immediately put on the back-foot.
“Normally, in a negotiation, each player holds their cards in their own hands. The ransomware actor knows the cost of their business and how much they need to make to break even. Meanwhile, the victim makes an estimation of the remediation cost,” the blog read.
This creates a situation where a victim must traverse an “unfair negotiation game” which guides them to a pre-set but reasonable ransom range without the victim’s knowledge. “It is a rigged game. If the adversary plays well, he will always win. This conclusion ultimately contributes to a rampant ransomware ecosystem.”
An interesting observation within the research is that smaller companies generally pay more from a ransom per annual revenue perspective. This means they pay less in absolute amount, but higher in percentage of their revenue. In contrast, the highest amount of ransom within the data set ($14 million) was paid by a Fortune 500 company.
“It is therefore understandable that a financially motivated actor could cherry pick valuable targets and profit from just a few big ransoms instead of attacking small companies. This situation leads to a few ransomware groups indeed deciding to only target big and profitable enterprises.”
4 preparation steps to take before a ransomware attack
The research set out best practices and approaches that can help tip the negotiation balance (at least somewhat) in the victim’s favour, starting with preparedness before negotiations arise. Organisations must:
- Teach their employees not to open ransom notes and click on the link inside it. This often starts a countdown to when payment is required. Not opening the note buys time to ascertain which parts of the infrastructure are hit, what consequences the attack has, and the likely costs involved
- Establish their negotiation goals, taking into consideration backups and best- and worst-case payment scenarios
- Set out clear internal and external communication lines involving crisis management teams, the board, legal counsel, and the communications department
- Inform yourself about the attacker to learn their tactics and see if a decryption key is available
5 approaches to ransomware negotiation
Armed with this preparedness, organisations will be better placed to enter ransomware negotiations, if they take the decision to do so. From this point, they are advised to consider five approaches to negotiation designed to lessen the damage.
- Be respectful in conversations and using professional language, leaving emotions outside of the negotiations.
- Victims should be willing to ask attackers for more time, which can allow them to explore all possibilities for recovery. One strategy is to explain that you need the extra time to raise the required cryptocurrency funds.
- Instead of stalling for time, organisations can offer to pay a small amount early instead of a larger amount further down the road, with adversaries known to accept heavy discounts in favor of making a quick profit and moving onto another target.
- One of the most effective strategies is to convince the attacker that you are not in the financial position to pay the amount initially requested, and this can even prove effective for very large organisations that adversaries know have huge amounts of money at their disposal. The research pointed out that there is a difference between having a certain amount of revenue and having millions of dollars in cryptocurrency laying around just for the occasion
- Avoid telling the adversary it has a cyber insurance policy in place. They should not save cyber insurance documents on any reachable servers. The presence of cyber insurance can make attackers less likely to be flexible with negotiations as most policies cover the costs
The research also cited some simple, practical advice points to supplement the above negotiation processes.
These include requesting a test file to be decrypted, proof of deletion of the files if you end up paying, and an explanation of how the adversary hacked the organisation. A company should also prepare for a situation in which files will be leaked or sold even if payment is made.