A ransomware payment primer
In a recent Fast Company article titled “From Colonial Pipeline to JBS, how ransomware gangs negotiate ransom payments”, various ransomware experts, including ITsMine CEO Kfir Kimhi, provided insights into the little-understood but critically important world of ransomware negotiations.
Ransomware – malicious software that encrypts, and increasingly also steals, a victim’s data, with a ransom demanded in return for decryption – has been growing of late, both in scope and in frequency.
The average ransomware payment, according to the article, is $925,162, but this is just the tip of the iceberg; there are significant costs around ransomware in addition to the ransom itself, such as reputational damage, loss of customer trust, interruptions to the business, and so on. This is why IBM have pegged the total cost of a ransomware attack north of $9m.
This makes it easier to understand why, despite recommendations to the contrary, many organizations conclude that paying the ransom is the right course of action for them.
This brings us to the murky world of ransomware negotiations.
How ransomware negotiations work
The list of ransomware payments is long, and it is getting longer all the time.
Official bodies such as CISA recommend against paying a ransom to attackers; however, refusing is not always practical. While some companies refuse to talk to the attackers at all, others engage in order to buy time, to negotiate a lower ransom, or to coordinate payment and decryption.
Here are some key elements of ransom negotiations:
- Complete anonymity: there is almost no way of identifying the individuals behind the attack, even in the case of some of the better-known ransomware gangs
- They dictate terms: from the mode of communication to the ransom currency (typically communication over Tor and payment in cryptocurrency)
- Communication: they seldom use email, as it is more easily traced
- How it starts: the attack announces itself with a ransom note, which usually states what has happened and can include specific demands and instructions; the note can take the form of a text file or an image
- Mind games: the attackers understand that time is on their side while the victim struggles to come to terms with the attack, so they play a waiting game and may take hours, if not days, to respond
From the victim’s side, common tactics include:
- Assuming a female personality to build trust and empathy
- Attempting to create a sense of friendship
- Hiring professional negotiators
- Understanding the attackers’ mindset, including the tactics they used to breach the network
While these tactics may work in some cases, experts such as ITsMine CEO Kfir Kimhi highly recommend bringing in cyber insurers as early as possible. This is for several reasons:
- Going it alone, you’ll be fighting in unfamiliar territory
- They have professional Incident Response (IR) teams
- They have large, dedicated cybersecurity teams and the experience of having worked on a number of attacks
- They can determine risk levels effectively
- They have trusted, professional negotiators, which also precludes collusion between outside negotiators and cybercriminals
Get yourself into the best position
At some point, cyber insurers will have to be brought in, and ideally this is done sooner rather than later. One of the first things cyber insurers (and regulators) will want to know is, “What’s been compromised? What’s the damage?”
It is also important to note that, in the absence of specifics, regulators in particular may assume that all data was compromised, which can result in heavy penalties.
The good news is that there is something you can do now to prevent this state of confusion and instability. By adding ITsMine’s Agentless Managed Data Protection (MDP), organizations get:
Real-time alerts: these are crucial when an attacker opens or uses restricted files outside the company. ITsMine’s Managed Data Protection proactively monitors file activity and triggers real-time alerts when unauthorized individuals attempt to access or use restricted files. This immediate notification enables security teams to respond swiftly and mitigate potential data breaches.
Know exactly which files were leaked: by leveraging advanced data tracking and monitoring capabilities, ITsMine’s solution provides organizations with granular visibility into the files that have been compromised. This knowledge empowers organizations to take the necessary actions to mitigate the impact of data breaches and meet regulatory requirements for reporting incidents.
Kill sensitive files remotely, even after they are far beyond company boundaries: ITsMine enables organizations to remotely delete sensitive files, even if they have been exfiltrated from the company’s network. This capability allows companies to maintain control over their data, ensuring that even if stolen, the files do not pose an ongoing risk to the organization.
For example, with ITsMine, a company can investigate in seconds and go to its insurer confidently with the knowledge that:
- We know what was leaked
- It involved 32 sensitive files
- These have been killed
- We’re in control
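The “what leaked, and which files” question that insurers and regulators ask is, at bottom, a triage over file-access records: which restricted files were touched by a principal who should not have had them, or from a source outside the company. The script below is an added example written for this page, not ITsMine’s code and not a description of how its product works. It assumes a hypothetical JSON-lines audit trail from a file server (the sample lines are constructed), a hypothetical allow-list of which principals may touch which restricted files, and a hypothetical list of trusted internal networks; it produces the short inventory of affected files that the list above describes.

```python
"""Triage a file-access audit trail to answer: which restricted files were
accessed by an unauthorized principal or from outside the company's networks?

Added example for this article; constructed sample data, hypothetical policy.
"""
import ipaddress
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample audit trail (JSON lines) from a hypothetical file server.
SAMPLE_AUDIT_LOG = """\
{"ts": "2023-06-01T08:00:01Z", "user": "alice", "action": "read", "path": "/finance/payroll_2023.xlsx", "src_ip": "10.1.2.3"}
{"ts": "2023-06-01T08:05:40Z", "user": "bob", "action": "read", "path": "/finance/payroll_2023.xlsx", "src_ip": "10.1.2.9"}
{"ts": "2023-06-01T08:07:12Z", "user": "alice", "action": "read", "path": "/hr/employee_ssn.csv", "src_ip": "203.0.113.7"}
{"ts": "2023-06-01T08:09:00Z", "user": "svc-backup", "action": "read", "path": "/finance/payroll_2023.xlsx", "src_ip": "10.5.0.1"}
{"ts": "2023-06-01T08:10:31Z", "user": "bob", "action": "read", "path": "/public/newsletter.pdf", "src_ip": "203.0.113.7"}
{"ts": "2023-06-01T08:12:05Z", "user": "alice", "action": "copy", "path": "/legal/contracts/acme.docx", "src_ip": "198.51.100.20"}
"""

# Hypothetical policy: restricted files and the principals allowed to touch them.
RESTRICTED_FILES = {
    "/finance/payroll_2023.xlsx": {"alice", "svc-backup"},
    "/hr/employee_ssn.csv": {"hr-admin"},
    "/legal/contracts/acme.docx": {"alice", "legal"},
}
# Hypothetical list of networks that count as "inside the company".
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Alert:
    ts: str
    user: str
    path: str
    src_ip: str
    reasons: list = field(default_factory=list)


def parse_events(log_text: str) -> list:
    """Parse JSON-lines audit records, skipping blank or malformed lines so one
    bad record does not abort the whole triage."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_trusted_source(src_ip: str) -> bool:
    """True only if src_ip parses and falls inside a trusted network;
    an unparseable or missing source is treated as untrusted."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert if a restricted file was touched by an unauthorized
    principal or from outside the trusted networks; otherwise None."""
    path = event.get("path", "")
    if path not in RESTRICTED_FILES:
        return None  # not a restricted file: nothing to report
    reasons = []
    user = event.get("user", "")
    if user not in RESTRICTED_FILES[path]:
        reasons.append(f"principal {user!r} is not authorized for this file")
    src = event.get("src_ip", "")
    if not is_trusted_source(src):
        reasons.append(f"access from {src or 'unknown'} outside trusted networks")
    if not reasons:
        return None
    return Alert(event.get("ts", ""), user, path, src, reasons)


def triage(log_text: str) -> dict:
    """Build the inventory an insurer asks for: the alerts, the distinct
    restricted files involved, and how many there were."""
    alerts = [a for a in map(classify, parse_events(log_text)) if a is not None]
    alerts.sort(key=lambda a: a.ts)
    leaked = sorted({a.path for a in alerts})
    return {"alerts": alerts, "leaked_files": leaked, "count": len(leaked)}


if __name__ == "__main__":
    report = triage(SAMPLE_AUDIT_LOG)
    print(f"{report['count']} restricted file(s) involved:")
    for path in report["leaked_files"]:
        print("  ", path)
    for a in report["alerts"]:
        print(f"{a.ts} {a.user} {a.path} from {a.src_ip}: {'; '.join(a.reasons)}")
```

Two design choices matter here. First, an access is judged on both axes independently (who, and from where), so a legitimate user pulling a contract from an untrusted address still surfaces, with the reason spelled out for whoever writes the incident report. Second, the output is a deduplicated list of files rather than a stream of events: the count of distinct restricted files is the figure an insurer or regulator wants, and it is what keeps the “all data was compromised” default assumption off the table.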
Where ransomware is going
As the Fast Company article notes, ransomware is likely to increase further, among other factors due to the rise of RaaS (Ransomware as a Service) groups, and cooperation between attackers and state-sponsored entities.
And while governments are rightly being looked to for an umbrella of protection, they have also made it clear that private IT departments own the job of protecting their organizations against ransomware.
To learn more about ITsMine’s agentless solution, for protecting against ransomware attacks, preventing data leakage and theft, and mitigating attack consequences, reach out to a product expert today.