Should I or Shouldn't I? Ransomware Negotiation

by lg0p89

Ransomware's successful use as a malicious tool is growing.

Way back when this began as only encrypting files and systems, the affected party or business would receive the usual message to pay for the decrypt key in Bitcoin.  If no payment was made in a reasonable amount of time as determined by the attackers, you generally were out of luck.  There was no appealing to any level of moral fiber, but only "pay me."  At times, people would get lucky and find the decrypt key in code or a file left somewhere on the system.  This was not the norm, but occasionally the person/company would be fortunate.

This evolved with additional forms of encryption and, as a tangent, instead of only having the option of encrypting, the attackers added exfiltrating the data and threatening to publish it unless the ransom was paid.  Now the targets had two issues to possibly contend with.

As ransomware has become much more profitable, with a Return on Investment (ROI), the attackers have operationalized it into an industry.

This is so prevalent that it even has its own acronym: Ransomware as a Service (RaaS).

Gone are the days of the lone attacker targeting businesses from his own system.  The bad actors have businesses set up and working with ransomware attacks as the corporate goal.  As the ease of use continues, this is only going to get worse until a robust, reliable set of tools becomes available to combat this directly.

If there is any doubt on how expensive ransomware can be, just do a quick Internet search.

These are only the large and published payments.  Adding to the attackers' revenue are all the other smaller successful compromises and payments.  This line of work can be lucrative, which is what continues to drive this forward.

The question is, if you happen to be infected, what is the next step?

Do you pay or not pay?  If you don't pay, get ready to spend a lot of money on new equipment.  If you pay, you may be a victim of Bend Over, Here It Comes Again (BOHICA), as they know you will pay.

The choice boils down to economics.  When there are viable backups which are recent and go through periodic checks, you may not need to pay.  If, on the other hand, the backups are done quarterly and the system has never been checked other than to look at the record of when the backup was last done, the company and their insurance carrier may want to get their checkbook out.  If you choose to pay, you may ask yourself if you can negotiate with them.  Maybe you could pay a little less and still get your files back or they'll promise not to disclose the files.

The attackers have lofty goals for the revenue generation from ransomware.

The amounts they are seeking are probably not in line with what the business and/or their insurance company, if they have the coverage, are able or willing to pay.  In the attackers' minds, you have a massive treasure chest of gold, when you have enough for a month or two of cash flow.  This perception has been furthered by the large payments made by companies who really didn't have a choice.

This is where the ransomware negotiator comes into play.  While the attackers still need to maintain a planned revenue level, there is no blank check for them.  With ransomware being so prevalent in the last two years, the negotiator role is relatively new.  This role may be used more as the attackers who already have compromised your system ramp up the pressure to pay them with calls of threats and intimidation.

In this case, when you have no other choice but to talk to them, the negotiator is there to mitigate the amount and talk to them, focusing on the relevant points.
