NCC Group: Attackers Know How Much Ransom You’ll Pay Before Negotiation
… the ability to hack a company, and the ability to read and dissect complex financial statements might not have much overlap. This does not mean, however, that it’s not advisable to keep a strict network separation in place. This way key financial documents can be kept away from the rest of the network, which could decrease the possibility of attackers getting their hands on them.”
Ransom Negotiation Dos and Don’ts
There are dos and don’ts for organizations during the ransom negotiation process, Hack said. It’s important to prepare employees, think about your goals and set up communication lines.
“Lastly, get informed about your attacker,” Hack said. “Do some research yourself about their capabilities or hire a specialized company with a threat intelligence department. They can tell you more about the peculiarities of the adversary you are dealing with. Perhaps they have a decryptor which is not available online or know of another company who might be of help. They can also tell you more about the reliability of the adversary you are dealing with. Furthermore, knowing if you should expect a DDoS attack, calls to your customers, or the leakage of information to the press will be useful information to incorporate into your crisis management strategy.”
Also, during the negotiation process, it's important to be respectful and not to be afraid to ask for more time, he said. In addition, offer to pay a smaller amount now or a larger amount later.
“One of the most effective strategies is to convince the adversary your financial position does not allow you to pay the ransom amount initially asked,” Hack said. “In one example, a company was asked to pay $2 million and got a $50,000 discount. Although this seems like a good deal, there are cases in which much less has been paid after a more drawn-out negotiation. Two examples of this are two companies who were both asked to pay $1 million. One ended up paying $350,000 and the other, only $150,000. There was also one victim who talked down the price from $12 million to $1.5 million. These companies achieved this by constantly stressing they could not pay the amount asked.”
Stay Silent About Cyber Insurance
In addition, it’s important to not tell anyone you have cyber insurance, Hack said.
“You must not mention to the adversary you have cyber insurance and preferably also do not save any documents related to it on any reachable servers,” he said. “If criminals find out that a company has insurance, the victim could still tell the adversary the insurance company is not willing to pay, but this severely limits the options for any negotiation.”
Once it comes to a negotiation, you have "basically already lost as the victim," Hack said.
“There are still strategies you can use to lessen the damage, but the real fight has already been won by the attackers,” he said. “That one can only be won before you get hacked. Therefore, companies should invest in better cybersecurity measures and increase their cybersecurity hygiene to prevent getting hacked in the first place. This will raise the costs for the attacker, and combined with paying them less when a company gets ransomed, will slowly decrease the overall profit for ransomware groups. Lastly, we always advise victims to inform the authorities. There have been some really great examples of recent successes from international cooperation between police agencies in Europe and the United States which show that these criminals are not invincible.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.