What it’s really like to negotiate with ransomware attackers

By the time the two sides start talking, the hackers have already gained significant control of a company’s network, most likely securing access to sensitive account data, business contracts, and other key details of an organization. The more they steal, the greater the leverage they have. The only way for the victim to regain some ground, cybersecurity experts say, is to come armed with information about how much the hackers have really stolen and knowledge of the attackers’ past negotiating tactics.

That’s where professional ransomware negotiators Tony Cook and Drew Schmitt come in. Together, working for the cybersecurity firm GuidePoint Security, the two have negotiated dozens of ransomware payments on behalf of organizations held hostage by cybercriminals. Based on that experience, they’ve developed sophisticated profiles of many of the cybercriminal groups they’ve dealt with to help gain an edge at the bargaining table. Some threat actors, such as the Ryuk ransomware gang that’s known for issuing astronomical payment demands, struck so often at one point that Cook said he started to suspect he was dealing with the same person on multiple occasions. “If you know how they typically operate, that helps tip the scales in your favor a little more,” said Schmitt. “There is a fair amount of strategy that happens before you get to the negotiation table.”

The FBI and cybersecurity experts strongly discourage paying off ransomware attackers, mostly because it encourages further attacks. “They know that you already made the decision to pay,” said Lior Div, founder and CEO of cybersecurity firm Cyber Reason, “and now it’s, like, to make another decision to pay is easy.”

But a string of high-profile attacks this year has led to some eye-popping payments. When Colonial Pipeline was hit, prompting a precautionary shutdown of operations that caused fuel shortages nationwide, it agreed to pay the cybercriminal gang DarkSide $4.4 million in cryptocurrency.
Meat supplier JBS Foods paid $11 million to resolve a ransomware attack by the group REvil. And the same ransomware gang demanded $70 million to unlock all the devices it claimed had been hit in an attack on Kaseya, an IT services provider that indirectly supports countless small businesses such as local restaurants, accounting firms and dentists’ offices. In 2020, according to blockchain analytics firm Chainalysis, ransom payments, typically made in cryptocurrency, totaled the equivalent of $416 million, more than four times the 2019 level. And the firm has confirmed more than $200 million worth of payments so far this year.

The virtual negotiation table

A ransomware negotiation rarely results in a ransom demand completely going away. But a successful encounter can mean the difference between paying hundreds of thousands of dollars and paying millions, Cook and Schmitt said. “Sometimes you can only go down just $10,000,” said Cook. “It really depends on what the actor perceives that they have and the negotiation tactics to get things done.” As soon as a victim decides to pay a ransom and reaches out to its attacker, it starts a clock that often leads to the release of an organization’s hacked materials if the two sides can’t quickly come to a deal, they said.

Negotiations happen fast. Many ransomware groups communicate with their victims using online chat tools and instant messaging. The tools are made to be easy to use, because, after all, the criminals are running a business, too. They have an incentive to make the negotiation and payment process as quick and easy as possible, to maximize profits. Because so many cybercriminal groups operate from foreign countries, chatroom negotiations make heavy use of Google Translate, Schmitt said. Terse, one-word or one-sentence messages from the hackers in broken English are the norm. Despite the language barrier, many bargaining encounters are wrapped up within 10 to 15 exchanges.
That’s why it’s so critical for hacked companies to quickly investigate their own systems before they finalize a ransom payment. Victims need to be able to credibly claim, “Whatever you think you have, it’s not worth that much money,” Cook said. And victims can’t say that unless they have a good grasp of what they’ve lost control over. That argument can still backfire if the hackers know they’ve obtained truly sensitive data — like trade secrets or financials — that a company can’t afford to have released publicly. In some cases, ransomware attackers realized companies were refusing to pay because they could just restore data from backups, according to Div of Cyber Reason. So before encrypting the data, attackers look for sensitive information — “your customer list, intellectual property, nasty emails, whatever might embarrass you,” he said — and then threaten to publish it if the victim refuses to pay.

If that’s not enough, Div said attackers can contact a company’s customers to ratchet up the pressure on them to pay.

The ‘double-edged sword’ of cyber insurance policies

As ransomware attacks have increased, so has demand for cybersecurity insurance. Cybersecurity insurance is now a multibillion-dollar industry, according to Morgan Wright, chief security advisor at the cybersecurity firm SentinelOne. Cyber insurance is increasingly sophisticated, giving companies a one-stop shop for hacking response. Insurance companies contract with massive teams of lawyers, technical and forensic experts and, yes, negotiators to help victims manage and recover from a ransomware attack. “The minute you file a claim — just like a consumer, if you file a claim with Geico — it’s out of your hands at that point,” Wright said. The frequency of ransomware claims has increased by 150% since 2018, according to AIG, one of the nation’s largest insurance companies and a leading provider of cyber insurance.
And ransom claims accounted for one in five cybersecurity insurance claims last year, according to an AIG fact sheet. What a company may pay for cyber insurance depends partly on how many times an organization has been hit in the past, along with other actuarial data, Wright said. “If I have poor cyber hygiene, my rates are going to be much, much higher than a company that has good policies,” he said. But cyber insurance can also be a double-edged sword, according to Karen Sprenger, COO and chief ransomware negotiator at LMG Security. “We’re starting to see where the attackers go through the data and look for cyber insurance policies to see what the deductible is and to understand how much coverage they have.” Sprenger said she has seen cases where attackers then used that information to push for higher ransoms. The best remedy, of course, is not being in the situation to begin with. Preventing ransomware attacks is relatively straightforward, cybersecurity experts say. Ensure your software is up to date, require that your employees use multi-factor authentication, use firewalls and monitor your network to catch unauthorized internet traffic, and establish cybersecurity incident protocols. But too many organizations still lack the skills to implement even these basic precautions, said Ed Amoroso, CEO of cybersecurity firm TAG Cyber. “This skills shortage pervades everything,” he said. “It’s in every sector. There’s not enough people that know how to do this.” And that’s why negotiators like Cook and Schmitt keep fielding calls for help. Between the two of them, they’ve now dealt with 75 cases — and counting.