Ransomware victims often find themselves in a difficult position, forced to make the tough decision of whether to pay the ransom or deal with the fallout of a cyber attack. While many experts and authorities recommend against paying the ransom, it is not always a realistic option for organizations. As a result, ransomware negotiation services have emerged as a viable alternative for organizations that have decided to pay the ransom.
Ransomware negotiation services are third-party brokers who act as intermediaries between the victim organization and the ransomware group. These services are often part of the incident response supply chain and specialize in working with threat actors to determine responsibility for an attack and negotiate lower ransom payments. In addition to negotiation, these services may also offer remediation, public relations assistance, post-attack monitoring, detection and response services, and products to prevent future attacks.
One of the main reasons why organizations should consider ransomware negotiation services is that these specialists have a better understanding of how to work with threat actors and are more likely to achieve desired results. They often have knowledge about the credibility of the bad actors involved, such as whether they are known to release data even after ransom payment. By handling communications and negotiations with the ransomware group, these services can also buy organizations more time to respond to the ransom demand and make the payment.
Moreover, ransomware negotiation services act as if they are part of the victim organization to counter any issues that may arise from engaging a third party. Threat actors sometimes warn victims against involving negotiation services, which can be seen as an endorsement of the service’s success in dealing with ransomware groups. In some cases, organizations have worked with federal agencies while still paying the ransom, recognizing that it is the best option to protect their business and stolen data.
It is important for organizations not to handle ransomware negotiations themselves. Experts strongly advise against conducting negotiations without the help of specialists, as organizations may not know what constitutes a successful negotiation and could inadvertently act hostile towards the ransomware group. This can lead threat actors to refuse further negotiations or release exfiltrated data. Direct communications with threat actors without intermediaries are also risky, as threat actors may publicly release emails and chats to make their victims look bad.
Before engaging in ransomware negotiations, victim organizations should be aware of several key points. Firstly, it may not be possible to recover all stolen or encrypted data. Reports suggest that only 8% of organizations that paid the ransom were able to recover all their data, while 97% were able to retrieve most of it. Negotiation services can research the ransomware group involved and provide insights into the likelihood of data recovery.
Moreover, organizations should understand that ransomware groups are increasingly demanding additional payments via double and triple extortion attacks. This means that threat actors may demand a second payment in exchange for not exposing exfiltrated data or extorting individuals or businesses involved in the initial attack. Lastly, paying the ransom can make organizations vulnerable to future ransomware attacks as it signals that they are willing to pay. Research indicates that nearly 80% of victims who paid the ransom experienced additional attacks from the same threat actors.
The process of ransomware negotiation typically begins when an organization discovers ransomware on its system and receives a ransom demand. Ransomware negotiation services provide digital forensics and incident response assistance to determine the best negotiation strategy based on the ransomware group and its history. The services then initiate communication and negotiation processes to assess the legitimacy of the ransomware group and obtain a decryption program at an agreed-upon price. The negotiation services also handle the brokerage process and obtain the necessary cryptocurrency to pay the ransom. Finally, the consultants assist with the ransomware recovery process and monitor to prevent the threat actors from releasing the company’s data online in a double extortion attack.
While ransomware negotiation services have been around for some time, they are not entirely separate from cyber insurance. Some cyber insurance providers work with negotiation experts to help reduce claim payouts. Organizations with cyber insurance should keep their contracts secure, as threat actors are aware of these policies and may use that information during negotiations.
It is important to note that there is no guarantee that ransomware negotiation processes will be successful. However, by enlisting the help of negotiation services, organizations have a better chance of achieving a favorable outcome. These services have a deep understanding of the nuances involved in communicating and negotiating with threat actors, which internal incident response teams may not possess. Ultimately, if an organization decides to pay the ransom to protect its customers and critical data, using ransomware negotiation services can help navigate the process more smoothly.