Ransomware attacks present significant challenges for organizations, often leading to substantial financial losses and operational disruptions. The publication "How Does One Negotiate with Ransomware Attackers?" by Sonia Boticiu and Fabian Teichmann, published in the International Cybersecurity Law Review, addresses the critical issue of ransomware attacks and the intricacies of negotiating with attackers. The study provides a comprehensive overview of the ransomware negotiation process, focusing on the period from the occurrence of an attack to the decision to pay the ransom, and includes an in-depth analysis of the Conti ransomware group's negotiation tactics. It covers everything from the initial steps of assessing the situation and opening negotiations to recommendations on what measures one should take to minimize damage and risk.
The first step is to determine the nature of the ransomware attack. Ransomware attacks have become a significant threat, exploiting weak security in many organizations. These attacks involve malware that denies victims access to their data or systems and demands a ransom for their return. The rise of ransomware-as-a-service (RaaS) has further exacerbated the issue, enabling attackers to easily distribute custom malware through the dark web. High-profile attacks such as those on Colonial Pipeline and the University of California San Francisco highlight the severe impact of ransomware and have prompted many organizations to pay the ransom to minimize disruption. However, this approach is fraught with risks, including the potential for future attacks.
Companies should take pre-attack measures, including robust response plans based on frameworks such as those from CISA, NIST, and the SANS Institute. These plans typically include five steps: preparation, identification, containment, eradication, and recovery. Immediate actions such as disconnecting affected devices and identifying the ransomware type are crucial to limit the spread and the damage.
Ransomware incidents may require mandatory reporting to regulatory bodies, depending on jurisdictional laws. For example, the EU's Network and Information Security Directive 2.0 (NIS2) mandates such reporting. Additionally, companies must ensure that paying the ransom does not violate international sanctions, as many cybercriminal groups are sanctioned entities and paying them can incur financial penalties. In addition, paying a ransom may also be regarded as financing terrorist organizations.
Deciding whether to pay the ransom involves input from various stakeholders, including the General Counsel, the Director of Operations, and ultimately the CEO. In practice, though, it often comes down to whether the company's cybersecurity insurance will cover the ransom payment. Preparation involves recording all communications with the attackers and understanding their past behavior and reliability. Organizations should demand proof that the attackers hold a working decryption key. Analyzing the attacker's history can help determine their credibility and the likelihood that they will lower the ransom.
During negotiation, ensure that every piece of evidence and every communication is documented and preserved, and seek assistance from experts such as criminal analysts or cybersecurity professionals. These specialists are adept at negotiating with attackers and can often reduce the ransom significantly. Communication with attackers typically occurs through encrypted channels, and the negotiation process may involve multiple stages of extortion. Negotiations should be approached as business transactions, maintaining calm and avoiding any indication of desperation. Organizations should not disclose details about their cyber insurance and should request more time to explore recovery options. Demonstrating financial constraints can also help negotiate a lower ransom.
One case the authors examine is Conti, a group known for its aggressive tactics that uses a RaaS model to distribute its ransomware. Its double extortion method involves not only encrypting victims' files but also threatening to publish or sell the stolen data. The negotiation process with Conti includes initial demands, proof of decryption capabilities, and threats to escalate the attack if the demands are not met.
While it is important to acknowledge that negotiation is a difficult process, there are preventive measures available, such as educating employees about cybersecurity risks, implementing strong security policies, investing in cybersecurity insurance, and maintaining regular software updates.
For more on this topic, see International Cybersecurity Law Review, 6 December 2023 (Fabian M. Teichmann & Sonia R. Boticiu): https://link.springer.com/article/10.1365/s43439-023-00106-w