Negotiating with the threat actors during a ransomware attack is always stressful and challenging. In this article let us see what to do and what not to do while you are negotiating a ransomware attack.
Ransomware attacks can be devastating for individuals and organizations, causing significant disruptions and financial losses. If you are a victim of a ransomware attack, you may be faced with the difficult decision of whether to pay the ransom or try to recover your data and systems without paying.
Here are some do’s and don’ts for ransomware negotiation:
Assess the Situation:
Before making any decisions, it is important to assess the situation and determine the extent of the damage. This may include determining which systems and data have been affected, the value of the encrypted data, and the likelihood of being able to recover it without paying the ransom.
Seek Expert Assistance:
Ransomware attacks can be complex and technical, and it is often helpful to seek the assistance of experts, such as cybersecurity professionals or forensic analysts, to help assess the situation and develop a response plan.
Consider the Likelihood of Success:
It is important to consider the likelihood of success when negotiating with ransomware threat actors. If the ransom demand is reasonable and there is a good chance that the threat actors will decrypt the data after payment, it may be worth considering paying the ransom. On the other hand, if the ransom demand is unreasonable or there is little chance that the threat actors will follow through on their promise to decrypt the data, it may not be worth paying.
Negotiate:
If you decide to pay the ransom, it is important to try to negotiate a lower amount. Threat actors may be willing to accept a lower payment if you can demonstrate that you are unable to pay the full amount.
Use a Third Party:
If you are unable to negotiate a satisfactory agreement directly with the threat actors, it may be helpful to use a third party, such as a cybersecurity firm or a ransomware negotiation service, to act as a mediator. It is always easy and advisable to “Transfer the Risk”.
Use Attacker’s Language:
Identify the native language of the attacker. It can be either Russian, Chinese, English, as applicable. Psychologically, talking to an attacker in their own native language can lead to a better deal and closure. You can either hire someone or train someone proactively.
[IMPORTANT] Gather Intelligence While Attacker is Busy:
While the prime negotiator is keeping the threat actor busy and buying time, it is extremely important to gather as much as RELEVANT intelligence regarding the threat actor. In addition, the objective of the intelligence gathering should be to understand
- Attack Pattern used to infiltrate the networks — From Forensics and RCA.
- Pattern Matching — Matching the pattern, tactics and techniques with that of the known and active threat actor groups to attribute the attack.
- Monitor Darkweb Conversations — Monitor for any relevant conversations on darkweb. It is highly likely that the threat actors thump chests when they successfully attack any organization. And try to share the exciting news among their community in the dark channels. It is extremely important to be present in those groups to gather more intelligence regarding the threat actor, its behavior.
Note: Intelligence is the only possible solution that can give you a high ground in the negotiation and turn the tables and bring the situation to favor you.
Tips: Assess the Attacker Psycology, Avoid Confrontation, Be Confident, Come Prepared, and most importantly Use Right Words
Panic:
It is natural to feel overwhelmed and panicked when faced with a ransomware attack, but it is important to remain calm and avoid making hasty decisions. Take the time to assess the situation and seek expert help before making any decisions.
Pay the Ransom Immediately:
While it may be tempting to pay the ransom as soon as possible in an effort to get your data back, it is important to carefully consider your options and negotiate a fair deal before agreeing to pay. In addition, just think, even the threat actor is waiting, so sometimes it turns our to be better if you keep them wait so you can get a better deal (SOMETIMES).
Ignore the Attack:
While negotiating, never ignore the fact that you’re under attack and the attacker is on a high ground. Ignoring the attack and hoping it will go away is not a viable option. Ransomware attacks can cause significant damage, and ignoring the attack will not make it go away.
Give in to Extortion:
If the threat actors are demanding an unreasonable amount of money or are threatening to release sensitive data if the ransom is not paid, it is important to resist the temptation to give in to extortion. This may encourage the threat actors to continue their attacks and could put you or your organization at risk in the future.
Neglect Cybersecurity Measures:
Ransomware attacks can often be prevented or mitigated by implementing strong cybersecurity measures, such as keeping software and systems up to date, using antivirus software, and educating employees about cyber threats. It is important to continue to prioritize cybersecurity even after a ransomware attack has occurred.
Tips: Never Argue, Never Threaten, Never Try to Take High Ground to Dominate
In conclusion, ransomware negotiation can be a difficult and stressful process, but it is important to take the time to assess the situation, seek expert help, and consider all of your options before making a decision. By following the do’s and don’ts outlined above, you can increase your chances of successfully negotiating a fair deal and minimizing the impact of a ransomware attack on your organization.
TO Summarize:
1. Never pay the ransom.
2. Don't negotiate with the attackers.
3. Have a reliable backup and disaster recovery plan in place.
4. Keep software and systems updated to prevent initial infection.
5. Train employees on how to recognize and avoid phishing scams.
6. Consider purchasing cyber insurance to mitigate potential losses.
7. Have a incident response plan in place in case of an attack.
8. Seek professional help if necessary.
