Negotiating a ransom down to $0 is possible.
When COVID-19 began to put serious pressure on healthcare organizations, cybercriminals took advantage, especially ransomware gangs. But in at least one instance, a victim healthcare organization was able to level with their attackers.
"The threat actor basically said, 'Hey, we're actually really sorry about that. We're not trying to hit healthcare organizations, we're just going to give you a decrypter," said Drew Schmitt, principal threat intelligence analyst at GuidePoint Security, who has been partnering with third parties since 2019 to negotiate ransom payment.
"One of the most notable experiences I've had is having that free issuing of the decryptor."
Drew Schmitt
Principal threat intelligence analyst at GuidePoint Security
Some ransomware groups are "not necessarily just doing what they're doing to watch the world burn. There are varying levels of how some groups feel about their operations," he said. "One of the most notable experiences I've had is having that free issuing of the decryptor."
Not all organizations are as lucky and not all cybercriminals have a moral compass.
Fear lies at the root of the decision of whether to pay a ransom. When considering whether to pay, companies want to know how quickly operations can resume while uncovering the hole that allowed the ransomware in. As for the negotiation, companies have to take a backseat.
"The victim organization is involved very little in the direct negotiations. You don't want the emotions coming through in the negotiations and involving the client directly almost always results in that," said Jake Williams, co-founder and CTO at BreachQuest.
The ransom negotiator business took off in tandem with the rise of ransomware, starting around 2018. As negotiations become a more routine component of incident response, "I don't think it will be its own business for long," said Williams.
Tick tock
When a company onboards negotiators, they hand the reins to professionals with ransomware group experience. There is a sense of familiarity and anecdotes that allow negotiators to adapt to who they're talking to.
The first thing ransomware negotiators do is ensure a secondary backup to communication with the criminals as the actors might disable their email accounts, said Williams.
Historically, ransomware actors would provide the email address for their victims to contact. Now, ransomware actors share a link with instructions on how to interact with them. Once initial contact has been made, negotiations can start.
"Once you reach out and engage the threat actor, that's going to be kind of when your proverbial clock starts," said Schmitt. "That's when they know that you're aware of the situation, you've reached out to them, and they're going to kind of have this timeline in their head of how long this negotiation process should take."
If a company is able to determine what was encrypted or breached during an attack, the negotiator will ask the actor for sample data or screenshots to get a sense of the depth of the infection.
This is the most important role the victim company will play in the negotiation process because "there is no reason to pay if recovering encrypted data has no value. Only the victim company can forecast or ascribe what the value is," said Bill Siegel, co-founder and CEO of Coveware.
Negotiators, at the end of the day, do not make decisions on behalf of the company, Schmitt said. They are there to provide guidance to the victim company, insurance provider, or counsel based on previous interactions with the threat group.
Threat group relations
If a company determines the value of the hacked data could cause harm to the business and there are no effective solutions, fear can return. Payment will feel like the only option, so negotiations proceed.
This is where "we get a temperature check for how amenable the threat actor is to negotiating down the price. We have threat intelligence on groups and know the typical ransom demand movement and timelines for that," said Williams.
Negotiations are seldom linear, though negotiators try to keep the process within a few days of when a ransom note goes live. If a company is tempted to take longer or be more specific in their counteroffers, "it's our experience that that's when a threat actor starts to get a little bit more annoyed with the processor," and even aggressive, said Schmitt. The actors might retaliate and call the whole deal off, revoke the decryption keys, or publish the stolen data.
"Another reason we try to keep it shorter is because we want their attention during that time," especially when the interactions are based on a real-time chat platform, he said. Ransomware actors might lose interest in negotiations lasting longer than a few days and become less communicative.
"At this point, everybody's aware of how busy a lot of these groups are," said Schmitt. "I mean, they have a lot of victims that they're hitting on on a very consistent basis."
The Conti ransomware group, for example, will usually have multiple negotiations going simultaneously. "They're interacting with the client, and not necessarily us. So there's still a little bit more of that veil or obfuscation as to who they're actually talking to," he said.
Ransomware groups target multiple victims simultaneously
| Ransomware group | Number of victims | Added victims between Jan. - April 2021 |
|---|---|---|
| Ryuk/Conti | 352 | 63 |
| REvil | 161 | 52 |
| Doppelpaymer | 186 | 59 |
| CLOP | 53 | 35 |
| DarkSide | 59 | 37 |
| Avaddon | 88 | 47 |
SOURCE: eSentire
When the final amount is agreed upon by both parties, they involve a certified money services business (MSB) for the logistics of the payment. The MSB must confirm the group is not sanctioned by the Treasury Department's Office of Foreign Assets Control (OFAC), to secure cryptocurrency and complete the transaction.
Insurance companies become involved when the negotiation and payment processes are complete. "They just process claims when the entire process is over," said Siegel.
Customer service check
Ransomware groups pride themselves on their reputation and customer service, relationships between criminal gangs and negotiators do develop. "We have worked with the same ransomware groups on multiple occasions and we rely on our MSB payment partners to ensure their due diligence negates the chance of paying a sanctioned group," said Williams.
However, ransomware groups that employ affiliates can complicate the negotiator-threat group relationship. Affiliates can go rogue, which gangs would have to answer to. Ransomware group SunCrypt claims healthcare organizations are not one of its preferred targets. But last year SunCrypt operators had to clarify a hack on University Hospital in New Jersey was due to a new affiliate.
Though ransomware groups' customer service tends to be accommodating, trusting criminals is not a perfect science. Industry has seen ransomware groups make false promises before — like when Maze operators claimed its ransomware stopped short of "socially significant services," including "hospitals, cancer centers, maternity hospitals and other socially vital objects" in December 2016, but the group proceeded to target healthcare organizations involved in COVID-19 response in 2020.
A similar empty promise was made by the DarkSide gang. In October, DarkSide operators claimed to donate $10,000 in bitcoin to charities. "No matter how bad you think our work is, we are pleased to know that we helped change someone's life," DarkSide operators said, according to Emsisoft research. It's illegal for charities to collect funds illegally obtained anyway, Emsisoft clarified. DarkSide also has a blacklist of targets; affiliates cannot target hospitals, nursing homes, morgues, funeral homes, schools, non-profits, and so forth.
Regardless of who targeted who and why, affiliates are typically not involved in the actual negotiations, according to Schmitt.
Negotiators have profiles of known threat actors, which includes how those actors prefer to negotiate. These profiles can dictate which negotiation strategies are effective when using anecdotal evidence they're based on.
When negotiators work with groups using affiliates, they might ask the gang if it was one individual working out of line that caused the attack. But even if the group claims it was an individual act, "we of course can't confirm any of that," said Williams. "If we don't have reputational data on the group, it's hard to send significant sums of cryptocurrency with no means to recover it if you don't know you're getting a decryption key.">
Negotiators have to build trust with cybercriminals, unreliable as that sounds. Trust goes beyond a company's chances of receiving a decryption key because the key may not work as promised.
If we don't have reputational data on the group, it's hard to send significant sums of cryptocurrency with no means to recover it if you don't know you're getting a decryption key."
Jake Williams
Co-founder and CTO at BreachQuest
"I've seen [encryption programs] encrypt entire file systems — 100 gigabyte file systems — in about five minutes. The decryption of that same file system took about 36 hours," with some files still missing, said Tyler Hudak, practice lead of incident response at TrustedSec, during a July webcast hosted by NinjaRMM. Costs will accrue despite paying a ransom.
Almost half of organizations that paid a ransom regained access to their data, however, at least some of it was returned corrupted, according to a Cybereason survey of more than 1,200 information security professionals conducted in April. Fifteen percent of respondents said they had no issue with their returned data.
Williams tests the decryption program in a "safe environment" prior to paying, though it's an optional step, he said. "Most malware developers are not software engineers, so there's always a risk that sloppy encryption was performed because the software is buggy."
