Some ransomware gangs demand millions of dollars in ransom or even tens of millions of dollars. Even smaller businesses, non-profit organizations, and public school districts have increasingly become victims of cyberattacks because they are easy targets with poor defenses against attackers. Do you want your system unlocked? Do you want your data back or deleted from the criminals’ server? Are you prepared to pay what they demand?
Most (but not all) ransomware threat actors are financially motivated. When money is the motive, negotiations are usually possible because many threat actors would rather walk away with something for their work than nothing. But if you are thinking of trying to negotiate some payment with them, what works as a negotiation strategy, and what doesn’t?
An article in Infosecurity Europe in August 2023 provides a useful example of some considerations and strategies, and a second article at the same time in PC Magazine incorporates findings from research on negotiation chats. In that article, Christopher Janaro reports an interesting finding:
We looked at the starting ransom demands by hackers and compared them to the lowest negotiated amount from 50 attacks from eight different hacker groups, after which one thing became apparent: People who paid the full ransom amount forked over far more than may have been necessary to appease the gangs.
In fact, in our selection of transcripts, victims were able to, on average, negotiate hackers down to a little over half of the amount that was initially demanded (52.7%).
Not all groups will accept an offer of half the demanded amount. Some will tell victims that if the victims pay promptly — within 24 hours or so — they will give them a 20% reduction. If the victim asks for a greater reduction, the negotiator for the threat actors will likely claim that they have to ask “the boss” and that they will get back to them.
Most negotiations involve lying by both the attackers and the victims. Ransomware group negotiators will swear that if you pay them, they will delete all your data. If you question that, they will tell you that their reputation depends on them keeping their word. They may even offer to give you access to a server so you can delete the data yourself. But time and time again, law enforcement has found that groups often do not delete the data even after swearing they will and that they did. As a recent example, the UK’s National Crime Agency reported that in their seizure of LockBit servers, they found “Some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised.”
So if they lie, so can you, right? But are there any effective lies? And is there any risk in lying? The following are a few victim statements or strategies that may or may not impact the amount of ransom or outcome:
“We are a non-profit hospital. We can’t afford what you are asking.” At this point threat actors may take out a tiny violin or just shrug because they are not moved at all. In one negotiation chat published by DataBreaches.net, a hospital negotiator told the ransomware negotiator, “NON-PROFIT means we don’t keep money on our books. ALL of the money gets spent on operating costs. I wish you could understand this a little more.” That argument usually fails because experienced ransomware groups research their victims and will point out that while the hospital cries, “Non-Profit,” their CEOs are often making huge salaries while not investing much in security at all.
“For an amount that large, we will have to have a special board meeting and get a lot of people to sign approval.” Many ransomware negotiators will agree to extend the time to pay if they think that they may get a larger payment this way, although in many cases, they suspect that the victim is just lying or stalling. The victim may use the “meeting” to come back and make another offer in hopes of the threat actors accepting a lower amount.
“We’ve been talking and our CEO is working on getting the amount you want. We just need more time.” This strategy or stalling attempt will fail if you are lying and if your team has been communicating via company email when the threat actors are still in your system and can be monitoring your communications and strategies. If you have been the victim of a ransomware attack, do not use company email or phones to communicate about incident response. Pre-plan other communication means that the threat actors cannot access.
“We don’t have any cyber insurance to help pay the ransom. Please consider reducing the amount.” Experienced ransomware gangs have probably already researched your firm and know whether you have a cyber insurance policy and how much it covers. In some cases, threat actors even publish a victim’s cyber insurance policy as a way of showing the victim and those affected that the victim has coverage to pay them. If you have a cyber insurance policy, it’s best not to keep a copy of it or correspondence concerning the policy on your system. Keep those types of records safely stored elsewhere.
Some stalling attempts may be more likely to help. Azeem Aleem, managing director for Northern Europe at Sygnia, gives an example of a victim negotiator who told the ransomware group’s negotiator that she was a woman who had to care for her children while dealing with the cyber-attack, and used that to ask for an extension to respond and to pay. But victims can only stall for so long, and some groups have a shorter timeframe than others.
Insulting the threat actors is generally not a winning strategy. Trying to shame them is about as ineffective as appealing to their better nature. It’s all business — and just business — to most of the big groups and their affiliates. It is always smart to research the threat actors to find out what you can about their usual negotiations and behaviors before you decide whether to engage with them or how. Some negotiators will be very professional. Others may be downright nasty. Quickly researching the threat actors (if they have signed a ransom note or identified themselves) is time well spent. If you hire an experienced negotiator for your firm, they will likely already have experience with the threat actors in your situation and may know how much of a discount they may be able to secure if you are thinking of paying any ransom.
While professional incident response firms and negotiators know that yes, you can lie to criminals in negotiations, a recent ethics column in VINnews involved a question about the ethics of lying to them. A rabbi was asked:
There are vicious and vile hackers out there who target innocent companies and shut out their computer systems and demand a ransom to let them back in. There is a yeshiva that was hacked and a demand was made for tens of thousands of dollars. I am a CPA for one of the Big Four accounting firms. Am I allowed to produce false documentation to effectively convince the blackmailers that the yeshiva is in chapter eleven bankruptcy to help reduce the cost of the ransom? It could be appended with a letter that anything over the sum of $5000 must be approved by each of the sixteen creditors and it takes seven or eight months for that to happen?
Citing an example, the rabbi told the individual, “It is clear that you may lie in order to help someone get out of this situation. I do not suggest that you affix your real name to the paperwork, because who knows? The blackmailer may somehow be able to sue you.”
The Data Breach Times seriously doubts that ransomware operators or affiliates will sue in a court of law if they are lied to. But criminals have other ways of exacting revenge that may include publishing fake data and claiming it came from the accountant’s firm. Or they may start contacting the firm’s clients and threatening or harassing them. In a situation like the one posed to the rabbi, if the threat actors checked, they could determine that the yeshiva wasn’t in Chapter 11 bankruptcy, and things might then get worse for the yeshiva. The attackers could start contacting parents, students, and staff directly to harass them (assuming they had exfiltrated a copy of the data), or, if they still had access, they could delete all the yeshiva’s data and any backups on the servers.
Experienced ransomware gangs also research laws and may threaten to report victims to regulators for poor data security or for failure to comply with data protection laws. In at least a few recent cases, they have reported firms to federal regulators. Some of their reports were premature, however, as the laws they were citing were not in effect yet.
So the rabbi may have been on solid ethical ground in saying that lying to criminals to help a victim is permissible, but hopefully, someone told the accountant to check with his firm’s legal department before he created fraudulent documents on his firm’s letterhead to try to help the client.
To be clear: The Data Breach Times is not suggesting victims never lie to threat actors, but do not underestimate the threat actors’ ability to check or verify claims. The best strategy is to try to prevent an attack by investing in good security, keeping it updated, and not collecting or storing data when it is no longer essential for its original purpose. And do test and maintain regularly updated backups. Recent research by the University of Twente that reviewed 481 ransomware incidents found that organizations with recoverable backups were up to 27.4 times less likely to pay the ransom than victims without recoverable backups.