It is never easy to negotiate with criminals, especially in the cyber-world we live in. Organizations that fall victim to a ransomware attack should never let the cyber criminals know they have cyber insurance, because if the attackers know that their victim holds an insurance policy, they are more likely to outright demand the ransom payment in full. Criminals are smart and cunning.
Cybersecurity researchers recently examined over 700 negotiations between ransomware attackers and ransomware victims in order to analyze the economics behind digital extortion attacks, which demand a ransom payment, often millions of dollars in Bitcoin, in exchange for the decryption key. Even worse is paying the ransom and not receiving the key to unlock the files. You mean you cannot trust crooks?
They found that if the victim has cyber insurance and the attacker knows about it, there is little room for negotiating a smaller ransom payment, because the attackers will exploit the existence of the cyber insurance to cover the payment they are demanding. Often, they will begin negotiations at a much higher price point, knowing in advance what their deal amount will be.
"Look, we know about your cyber insurance. Let's save a lot of time together? You will now offer $3.0 M, and we will agree. I want you to understand, we will not give you a discount below the amount of your insurance. Never. If you want to resolve this situation now, this is a real chance," said a chat message from an unspecified ransomware gang to a victim company. In this case, the attacker set the fee in the knowledge of the cyber insurance plan, leaving the victim without any real platform for attempting to negotiate a lower ransom payment.
Another note from an unspecified ransomware operator appears to show that the cyber criminals have set a significant ransom demand because they know about the victim's cyber insurance policy seemingly after the victim claimed they could not afford to pay the demand in the specified time frame. "Yes, we can prove you can pay $3.0 M. Contact your insurance company, you paid them money at the beginning of the year and this is their problem. You have protection against cyber extortion. I know that you are now in trouble with profit. We would never ask for such an amount if you did not have insurance," said the attacker. This is a psychological attempt to appear reasonable. Heck, they are not taking the company’s money, but the greedy insurance company’s money.
A company could still claim that the insurance company would not pay the ransom demand, but the attacker is very unlikely to accept that as the truth. Remember the bottom line: the attacker is a crook, no different from a mugger or bank robber.
While researchers suggest that telling the ransomware attacker about a cyber insurance policy is not a good move for negotiations, there is also the possibility that the attackers could themselves find out about any cyber insurance the company has once they are inside the network ahead of the ransomware attack. "Preferably also do not save any documents related to it on any reachable servers," warn researchers. This is common sense, yet many fail to use it.[1]
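The advice above, to keep insurance paperwork off servers that an intruder could reach, is easier to follow if you can find where such documents already sit. The following is an added example (not code from the article, the researchers, or Red Sky Alliance) of a small data-discovery check: it walks a file share, looks inside text-like files for insurance-related wording, and reports each file and the phrases that matched, so the documents can be moved to restricted storage. The keyword patterns, the file-type list and the sample share it builds under a temporary directory are all constructed for this example and would be tuned to an organization's own policy wording.

```python
"""Locate documents on a file share that disclose cyber-insurance coverage.

Added example: a defender-side discovery check. It scans a directory tree for
text-like files containing insurance wording (policy numbers, coverage limits,
"cyber extortion" clauses) so they can be moved off generally reachable servers.
Keyword patterns, file suffixes and the sample files are constructed here.
"""
import os
import re
import tempfile
from pathlib import Path

# Constructed keyword patterns; extend to match your own policy documents.
INSURANCE_TERMS = [
    r"cyber\s+insurance",
    r"cyber\s+extortion",
    r"ransomware\s+coverage",
    r"policy\s+(?:number|no\.?)\s*[:#]?\s*[A-Z0-9-]+",
    r"coverage\s+limit",
]
TERM_RE = re.compile("|".join(INSURANCE_TERMS), re.IGNORECASE)

# Only text-like files are opened; binary formats would need a text extractor.
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".eml", ".json", ".log", ".html"}


def scan_file(path: Path) -> list[str]:
    """Return the distinct insurance-related phrases found in one file."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return []  # unreadable file: report nothing rather than abort the scan
    return sorted({m.group(0).lower() for m in TERM_RE.finditer(text)})


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk root and map each disclosing file (path relative to root) to its matches."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in TEXT_SUFFIXES:
                continue
            hits = scan_file(p)
            if hits:
                findings[str(p.relative_to(root))] = hits
    return findings


def build_sample_share() -> Path:
    """Create a constructed sample share: one disclosing document, two benign files."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "finance").mkdir()
    (root / "finance" / "renewal_2023.txt").write_text(
        "Cyber Insurance renewal. Policy number: CI-12345-X. "
        "Cyber extortion coverage limit: USD 3,000,000."
    )
    (root / "it").mkdir()
    (root / "it" / "patching.md").write_text("# Patch cycle\nMonthly, second Tuesday.\n")
    # Non-text suffix: skipped by design, even though the bytes would match.
    (root / "it" / "backup.bin").write_bytes(b"cyber insurance")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, hits in scan_tree(share).items():
        print(f"{rel}: {', '.join(hits)}")
```

In practice the scan would be pointed at the mounted shares that ordinary domain users can read, and any hit would be moved to storage with restricted access and the original securely removed; the skipped `.bin` file shows the limit of a suffix-based filter, so office formats would need a text extractor in front of `scan_file`.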
Cyber insurance has become a way for victims to deal with the damage of a ransomware attack, but knowledge of it can put criminals in an even more powerful position for demanding payment, especially if the insurance holder does not have good cybersecurity in the first place. One answer could be that organizations wanting to take out a cyber insurance policy should be required to meet certain cybersecurity requirements before the provider agrees to issue it. "It's a really difficult debate in which I think there are definitely some advantages to having cyber insurance, but only if there are certain thresholds for a company to get it," a cybersecurity analyst recently noted. "Those thresholds can be an incentive to get a better grip on your cybersecurity awareness and what your entire organization's cybersecurity is right now," he said. "Some cyber insurance service companies have found out that people get hacked a lot, so it's become really expensive and now they're just stopping giving any cyber insurance at all, which I also don't think is the right solution," said the analyst. "It has to be some kind of middle ground and I think we'll get there eventually," he said.
The US government is currently evaluating cyber certification programs, similar to the PCI compliance that all credit card accepting companies are required to adhere to, or they lose their right to accept credit card payments.
Paying a ransom to cyber criminals is generally not recommended because it encourages further attacks. Still, after analyzing hundreds of negotiations, researchers offered some suggestions on what to do if your business is hit with ransomware. That approach starts with preparing employees on how to react to a ransomware attack and, crucially, not clicking links in any ransom notes, so as not to prematurely start negotiations by setting the hackers' countdown running. "The first thing any company should teach their employees is not to open the ransom note and click on the link inside it... the timer starts to count when you click on the link. You can give yourself some valuable time by not doing this. Use this time to assess the impact of the ransomware infection," the researchers said. This time gives the response team a chance to examine which infrastructure has been hit and what impact it has had on operations, allowing the victim to retake some degree of control over the situation.
Before starting negotiations, it is also useful to know what your end goal should be. Can the organization restore from backups, or will a ransom have to be paid? If the victim is willing to pay a ransom, they should have an idea of the maximum amount they would pay.
Research into the attacker can also help prepare victims for negotiations. It is possible that a free decryption tool for that strain of ransomware is available, preventing the need to pay a ransom at all. Examining research papers and media reports about the ransomware group can also provide information on how reliable they are at providing a decryption key and if they will engage in other tactics to try and force a payment, such as DDoS attacks, calling your customers or stealing and leaking data. The tactic of releasing confidential or private data during negotiations provides the attacker additional leverage in getting their ransom amount paid quicker.
When it comes to engaging in negotiations, researchers state that it is important to be respectful and professional. It is understandable that victims will be angry, but antagonizing the attacker is unlikely to help the negotiation strategy. Sometimes being polite can help, as in one example detailed in the blog post, where a victim negotiated a ransom down from $4.0 M to $1.5 M.
Many ransomware attacks try to pressure victims into paying within a set period, often with the threat of leaking data if they do not. Researchers suggest that attackers are almost always willing to negotiate an extended window. After all, they want the money, and they have taken the time to infect the systems, so they are likely to be willing to wait a little longer. Remember, this is their chosen business, and if victims refuse to pay, they might have to get honest jobs and work for a living. There is the option of trying to convince the attacker that you cannot pay the ransom, but if the attacker has access to the network, they may be able to see financial documents or cyber insurance policies and likely have a figure in mind, based on those documents, that will be the basis for negotiations.
How about keeping the attackers out of your networks and servers in the first place?
Red Sky Alliance’s recommendations:
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Engage a database security firm and review all locations and access points. Monitor and update access and levels.
- Implement 2-factor authentication company-wide.
- For USA readers, join and become active in your local InfraGard chapter; there is no charge for membership (infragard.org).
- Join an industry ISAC or ISAO that welcomes and allows cyber threat sharing and defense strategies; some of these are free or charge a nominal annual membership fee.
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all work-from-home employees and consultants, and require IT team review and approval.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Dark web investigations: is your network access already for sale? What is the data you are storing worth on the dark web?
- Ensure that all software updates and patches are installed immediately. No exceptions.
- Engage the services of a company that can inform you of targeted cyber threats against your organization and that has the features to enter these threat IPs into your SIEM daily for blacklisting, like Wapack Labs Corp, https://www.wapacklabs.com/redxray
- Purchase RedXray or our Cyber Threat Analysis Center (CTAC) services to help protect your company’s network with proactive dark web indicators.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Our company has worked with several insurers and helped with ransomware attacks. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
[1] https://www.zdnet.com/article/hit-by-ransomware-make-sure-you-dont-make-this-first-obvious-mistake/