Updates to the Ransomware Defense Playbook
- Advisor@AegisIntel.ai
- Oct 25, 2024
- 3 min read

Ransomware negotiation has become increasingly complex due to regulatory complications, unreliable attackers, and moral dilemmas, requiring a cross-departmental response team.
Industry experts advise against engaging with attackers, but some see value in negotiating to gather intelligence, understand demands, and buy time for recovery measures.
Professional negotiators can achieve better outcomes, reduce ransom demands, and verify decryption keys, but paying ransoms may encourage further attacks and doesn't guarantee data recovery.
The Ransomware Negotiation Process:
The process has become increasingly complicated due to regulatory issues and the unpredictable tactics of attackers, forcing organizations to make difficult choices and confront moral dilemmas.
When an organization falls victim to a ransomware attack, it requires a cross-departmental response team consisting of legal counsel, cybersecurity experts, and organizational leadership to navigate the situation.
The technical team's role involves securing unaffected systems, identifying the ransomware strain, and initiating data recovery from backups. The legal team evaluates the implications of engaging with the attackers and coordinates with law enforcement agencies, regulators, and cyber insurers.
The critical decision, whether to pay the ransom demand and/or how to negotiate terms, requires input from the entire response team, with some experts
Specialized negotiators from external companies often take the lead in communicating with attackers, aiming to gather intelligence, understand the attackers' demands, and negotiate terms; they can often achieve better outcomes than organizations that try to negotiate on their own.
Negotiations are typically conducted anonymously, using encrypted channels specified by the attacker, and skilled negotiators can reduce ransom demands and verify the decryption key before finalizing a deal.
Incident response firms are tracking multiple ransomware groups, with some being more flexible in their demands than others, and skilled negotiators can achieve discounts of up to 50% of the original asking price.
Mark Lance from GuidePoint Security notes that the firm is tracking around 70 ransomware groups, mostly from Eastern Europe, but also from Iran, North Korea, and China, and that some groups are more inflexible in their demands than others.
Many ransomware groups now employ a double extortion tactic, threatening to leak stolen data unless their demands are met, and some attackers simply steal and extort the victim for the data without deploying any ransomware.
Some data leakage threats have become more personal, with hackers targeting VIPs to exfiltrate specific information such as emails, personal data, and financial information, creating pressure on those individuals as well as on the company.
The legal team must ensure that all actions comply with relevant laws and regulations, as paying ransoms to sanctioned individuals or groups can lead to severe legal repercussions, including substantial fines and potential criminal charges, according to the US Department of Treasury's Office of Foreign Assets Control.
If a victim organization negotiates with a group that's been flagged by government agencies, it opens up the risk of penalties and legal action against the victim itself, and the organization's legal team must liaise with law enforcement right away, according to Ladah.
Reporting ransom payments to authorities within 72 hours is required in Australia under the Cyber Security (Ransomware Payments) Regulations 2023, and similar regulations are likely to follow in Europe.
Law enforcement in the UK/EU does not encourage the payment of ransom demands, and the UK NCSC warns that paying for a decryption key is unlikely to result in an immediate return to business as usual, particularly for large organizations.
State of Play:
Global efforts to limit payments and increase cyber incident reporting have reduced the negotiating power of victim organizations, while the rise of double and triple extortion tactics has complicated the negotiation process.
Attackers now not only encrypt data but also threaten to leak sensitive information or pressure third parties, forcing organizations to balance reputational risks with operational disruptions.
Trust in negotiations is eroding due to enforcement actions against major ransomware-as-a-service operations, which revealed that many attackers failed to delete stolen data even after ransoms were paid.
Governments are promoting international cooperation and intelligence sharing, as well as scrutinizing third-party cryptocurrency payments agents, making paying ransoms a less viable and riskier option for many organizations.
In sum, paying can and does encourage further attacks and does not guarantee data recovery. Prevention, that is, hardening systems and procedures before an incident, is always preferable to dealing with a ransomware breach.