The Art of Ransomware Negotiation

Kurtis Minder shielded his laptop screen from prying eyes in the airline seats around him.

It was late June, 2021, and the CEO and founder of GroupSense—which bills itself as a cyber reconnaissance company—was in the delicate and dangerous final stages of negotiating a ransomware deal with cybercriminals who were demanding the lofty sum of $6 million to return a corporate client’s network and data to normalcy.

This was a tough one, recalls Minder, 44, who brokers two or three ransomware agreements every day. Unlike most attacks, the hackers in this case made off with the privately held firm’s financial records, so they knew how much it was worth. They’d also discovered the company’s cyber insurance policy, which indicated it had the wherewithal to pay. In short, the hackers had the upper hand.

Tanium’s Cyber Hygiene Assessment: An actionable path to better endpoint management and security

“Most times, ransomware negotiation is a bit of a tennis match where you go back and forth on numbers,” Minder says. “This time, they weren’t willing to do that. They were digging in their heels.”

With U.S. ransomware attacks skyrocketing more than 300% and known payouts leaping 341% to $412 million last year, compared to 2019, negotiators like Minder are becoming vital lifelines for thousands of corporate and government agency victims around the world. However, their services can draw controversy.

The FBI and Department of Homeland Security, which investigate ransomware attacks, advise organizations not to pay ransom. Paying, they point out, does not guarantee you will get your data back. It also encourages—and subsidizes—the work of ransomware gangs.

That said, there are times when organizations—particularly those in the infrastructure and healthcare industries—are literally facing life and death decisions over getting their systems back online as quickly as possible. That’s where professionals like Minder come in.

[Read also: Cyber insurance isn’t your best protection against cyber attacks]

Like any good negotiator, Minder applies a mix of candor, cunning, and charm to end his clients’ crises. During the recent negotiation, Minder told the hackers his client was willing to pay—but not if the amount led it to bankruptcy. Minder and his clients remained patient and steadfast in that stance, even as the hackers turned up the heat by enlisting a call center to tell staff and partners the company was not acting in their best interests by refusing to meet their price.

In the end, as Minder’s plane touched down on a San Francisco tarmac, he’d convinced the hackers to accept about 85% to 90% less than their original demands. His fellow passengers were none the wiser.

Who ya gonna call?

As even the most casual news consumer knows by now, ransomware is a form of malicious software (called malware) that typically blocks access to a computer system or data by encrypting its data or programs. Culprits then demand payments to unlock systems and information, a process that can last weeks or even months.

Because few organizations can withstand being without IT systems and information for so long, savvy executives seek outside assistance to determine the quickest path to resolution. This usually starts with contacting a privacy attorney, reaching out to a cyber insurance provider, or both. Each will assess the client’s exposure (legal, technological, or otherwise) and suggest a series of next steps.

Most times, ransomware negotiation is a bit of a tennis match where you go back and forth on numbers.

Frequently, they will then refer executives to a ransomware negotiator to help them deal with the hackers. Michael Phillips, a practicing attorney who is chief claims officer at Resilience, a cyber insurance start-up, as well as co-chair of the Ransomware Task Force of the Institute for Security & Technology, says referring most clients to negotiators is a no-brainer.

Some hotheaded executives and IT leaders will invariably try to negotiate on their own, he says, but they don’t understand the ground rules and can make things much worse if left unchecked.

“I dealt with one CEO who was totally infuriated,” Phillips says. “He was this hot-blooded, masculine dude who wanted to contact the attacker and tell him exactly what he thought of him—to threaten him. But that kind of behavior just exacerbates situations and motivates hackers to raise their demands, or go silent, or launch more attacks out of spite.”

[Read also: Lateral movement: how cybercriminals move across your network and how to stop them]

What’s more, if the time comes to actually pay off a cybercriminal, Phillips notes, few business or IT leaders know where to start to accumulate the volume of bitcoin they will need to close the deal.

“You don’t want to be trying to acquire millions of dollars of cryptocurrency with no expert support,” he says. You’re not going to get the pricing safety you would with an expert. I’ve spoken to people, for example, who bought cryptocurrency at such a heightened valuation that it cost them far more than it should, and spoke with others who ended up paying twice because they sent bitcoin to the wrong address.”

Know thine enemy

Kirsten Bay, CEO of Cysurance, which provides cyber insurance to small companies and their partners, says her firm similarly refers clients to negotiators because they tend to know better than anyone else how to limit overall costs and expedite processes.

“Ransomware negotiators know what’s reasonable to pay for organizations of certain sizes, the attackers involved, the types of attacks, and so on,” Bay says. “They know your enemy and which ones will take 60%, 40%, or 20% less, which can save you a lot.”

Sometimes organizations…just make a business decision to try and restore from backups and tell the hacker to get bent.

That doesn’t mean negotiators immediately default to paying cybercriminals. According to Minder, although 80% of his clients do fork out something, about 20% invariably do not.

“Sometimes organizations take an ethical stand, saying that paying ransom does not align to their core values,” he says. “Other times, they have a decent business continuity plan in place, giving them a clear path to resolution. Or they don’t believe the impact of the attack will be too bad. Or they just make a business decision to try and restore from backups and tell the hacker to get bent.”

Few organizations have such luxuries, however. In fact, most cybervictims are smaller companies with scant IT resources, and they are “freaking out,” says Keith Swanson, a retired Scottsdale, Ariz., police detective turned ransomware negotiator for Kivu Consulting in Phoenix, as well as manager of incident response and forensics at insurance company Allstate.

[Read also: Why cybercriminals target small utilities]

When that happens, Swanson says, it’s the negotiator’s job to settle them down. He works with the client to figure out how the hackers penetrated the network. (Hint: Poorly secured or misconfigured endpoint devices, as well as unpatched software, are often the culprits.) He then helps clients determine if the hackers seized any private or sensitive data, figures out which cybergang is behind the ransomware (by analyzing their communications with the victim), and then discusses options for getting everything back online.

Swanson tells clients that cybercriminals march to a certain timeline for negotiation and warns it will take time to reach a conclusion. More important, he reminds them that even if they pay a ransom and receive the cryptographic antidote to their dilemma, systems won’t be immediately back to normal. The data won’t be returned quickly. That, too, takes time.

Survival of the calmest

It’s a pressure-packed situation for most business leaders, he says. The viability of their companies as well as their relationships with customers, partners, investors, employees, and the media are all at risk.

“We had one client who had been hacked call us up on a Friday afternoon, and they were like, ‘We’ll do anything right now!’ ” Swanson says. “They said, ‘We need to pay this ransom within the next 30 minutes so we can get our stuff up and running again by Monday. We don’t have backups. We have to pay because it’s quicker for us to decrypt that way.’ Of course, that’s not true. We’ve never seen anybody, even if they pay for the cryptographic key, back in operation in less than a week. The encryption and decryption process corrupts files. It kills connections. It makes computers unstable. It’s a nightmare.”

In most cases, negotiators are able to bring executives down to earth. They’ll then have a candid conversation about their backup status. If it turns out the hacked databases were on-site but the organization was wise enough to park information in off-site locations, they’re in a power position. They don’t necessarily have to negotiate, though it is sometimes worthwhile if an agreement helps speed the recovery process along or gets the hackers to agree not to release seized data to the Dark Web.

Preparing for battle

Both Swanson and Minder say they never go into a negotiation intending to pay a cybercriminal. But if a client is in a weak position, they know that’s the likely result. That’s when, like any experienced police negotiator in a hostage situation, they apply as many tricks of the trade as possible to forge a connection.

Communication with ransomware attackers usually happens like this: Employees arrive at work one day to find systems failing. Email doesn’t work. They can’t access key internal apps. Digital connections to the outside world disappear. In the midst of it all, an electronic ransom letter appears on executive and IT leader screens demanding money—in untraceable bitcoin—in exchange for a decryption key. The note might even identify the perpetrator. Conti, DarkSide, Maze, and NetWalker are common villains.

You don’t want to be trying to acquire millions of dollars of cryptocurrency with no expert support. [It can] cost far more than it should.

From there, it’s easy enough to communicate with the attackers. The letter also typically includes an encrypted ProtonMail address or a link to a chat portal on Tor (short for “The Onion Router”), an open-source privacy network that lets users browse the web anonymously.

Swanson says part of the game involves limiting communications with hackers.

“We don’t want to keep going back and forth with them,” he says. “We use time to our advantage by telling them, ‘Listen, you burned us down. We’re busy trying to get going again.’ You keep them at arm’s length so you don’t look desperate. We’ll listen to how they react. Analyze their tone. And adapt in the moment.”

[Read also: How to respond to a data breach]

The tone of hackers varies, Swanson says. Some are “guys trying to make a name for themselves by attempting to play the tough guy. Then there are guys who call us ‘f****rs and s***heads and stuff like that. Most I come across, though, act pretty professional.”

Minder has had similar experiences.

“If I was going to describe their general demeanor, I would say cold. Most aren’t threatening,” he says. “They are matter-of-fact: ‘This is what I have. This is what I will do and how it will impact you if you don’t pay.’ They’re not really hostile.”

Shifting legal implications

The negotiators rarely work in a vacuum. Most back-and-forth communications get approval from the client. They are also careful to loop in law enforcement (the FBI). And they must remain cognizant of federal regulations governing which groups can be paid ransom and which cannot.

It’s a little-known fact that paying ransom is not usually illegal. In fact, federal agencies like the FBI merely recommend against the practice, noting it doesn’t guarantee the return of data. Where paying a ransom can become illegal, though, is if an organization pays a hacker on any of the Office of Foreign Assets Control (OFAC) sanctions lists. Like the government’s terror watchlist, these identify hacking gangs thought to be associated with hostile foreign powers, like North Korea or Iran. And the lists are growing. Indeed, a Chainalysis study found 32% of known ransomware payments this year carried OFAC-related sanctions risk compared to 15% in 2020.

Nonetheless, negotiators say, they are consistently able to work with most hackers to agree on ransom settlements ranging from 10% to 25% of the original demands.

“It’s an art form,” says Swanson. “We use our wording to do it. Our creativity. Our timing. We used COVID as an excuse at times. Hell, during the elections we even used Donald Trump. Whatever we can think of in the moment, we leverage.”

Countering industry backlash

Not everyone in the industry agrees ransomware negotiation is that artful.

French insurer AXA, for example, recently decided to stop reimbursing ransomware payments after government officials voiced concern that it could encourage more crime. Meanwhile, a group called “The No More Ransom Project” has arisen with the support of cybersecurity companies, as well as Amazon Web Services, to challenge ransomware payments. And in August, Microsoft took a stake in start-up Rubrik to develop products for rapidly recovering data without paying hackers.

The backlash against ransom payment (not necessarily against negotiators) also extends to financial services, where cyber insurance rates have been climbing higher with major ransomware attacks against the likes of SolarWinds, Kaseya, CNA Financial, Colonial Pipeline, and Acer, among others. Marsh CEO John Donnelly, for example, says cyber insurance premium rates have increased up to 60% in the past year. That certainly lessens the bottom line of Fortune 1000 companies, of which about 70% are thought to carry cyber insurance, says Cysurance’s Bay. But for smaller companies under attack, the price hike is significant—enough that it’s pricing many out being able to afford insurance.

[Read also: Cyber insurance isn’t your best protection against cyberattacks]

“The mid-market is really where people are suffering the most,” says Bay. “When you get below $50 million in annual revenues, you’re probably looking at 30% to 40% coverage. We need to get better.”

Bay says that unlike other observers, she doesn’t think ransom payments are the leading cause of cyber insurance rate hikes.

“The ancillary costs are driving most of the pain and loss,” she says. “You might have someone paying $12,000 in ransom after a negotiation, but they have $300,000 in remediation costs on top of that. Unless you’re talking about one of the major supply chain attacks, like Kaseya, it’s the recovery that’s so expensive for people. So, the faster negotiators get someone through the process, the better.”