Founder, BeforeCrypt GmbH – The Leading Ransomware Experts In Europe.
In his famous work The Art of War, Sun Tzu wrote, “If you know your enemy and know yourself, you need not fear the result of a hundred battles.” I see this ancient wisdom perfectly summing up how businesses should approach negotiating with ransomware hackers.
Understanding your own organization and the impact of a ransomware attack—along with information about the attackers—can help you decide how to negotiate or if you should negotiate at all. So how do you navigate a high-stress ransom situation? Below are eight steps you can follow.
Step 1: Build A Team
The first step of ransomware response is forming a team. You will need a team leader who has an overview of the situation and can present that data to decision makers. This may require coordinating with the heads of different departments in order to properly collect the data.
You’ll also need team members qualified to handle different tasks, from setting up secure communication channels to summarizing data for decision makers to actually making a ransom payment.
If you bring in a professional ransomware response team, you will need to designate team members to facilitate their work.
Step 2: Contact Law Enforcement
Before you start talking to the hackers, it’s best to contact law enforcement and report the breach. A designated team member should handle collecting the data needed for the police report and communicating with the authorities.
Step 3: Set Up Secure Communications
The hackers may be monitoring your systems to gather inside information they can use against you in the negotiation process. It’s important to keep all communications related to the negotiations secure and encrypted, on channels outside the compromised environment.
Step 4: Damage Assessment
It only makes sense to pay a ransom if the benefit is greater than the cost. That means you need to know things like:
• How much of the network has been breached?
• What types of data have been compromised?
• What are the costs associated with data leaks (e.g., patient data, customer data, trade secrets, etc.)?
You also need to know how the encrypted data will affect your work.
• How will the loss of encrypted data affect operations? How much will the disruption cost?
• How long would it take to get back to normal by manually recovering the data or reconstructing the data?
• What will the damage look like in terms of customer relations and brand image?
Hackers know this is a lot to consider. This is why they will likely try to put pressure on you—they don’t want you to have enough time to make good, informed decisions.
Step 5: Make Contact
If you can, it’s best to avoid paying a ransom, and most law enforcement agencies recommend avoiding it if possible. If the costs of the attack are too high, however, it may be necessary to contact the hackers. There are also some things to keep in mind when making contact.
Exercise caution when talking to attackers.
Watch out for hackers trying to trick you into giving up information that can be used against you. Stay calm and don’t give up any sensitive information when talking with them.
Verify the extent of data loss.
Before you start negotiating the ransom, make sure the attackers aren’t bluffing. Don’t trust any of their claims and ask for proof. In some cases, they will upload the files to a server where you can see them, in which case you know their threats are authentic.
Step 6: Assess The Ransom Demand
At this point, you should know:
• How big the scope of the attack is.
• How much downtime you are facing if you do not recover the data.
• How long it will take you to get back to normal if you recover the data.
• A rough estimate of the cost of not recovering the data.
If the cost of a ransom is less than the damage of not paying it, it makes economic sense to pay the ransom.
Who are you dealing with?
After making contact with the hackers, it’s critical to know what group you are dealing with. Some gangs are notorious for demanding multiple ransom payments after promising not to leak data. Others try to build a good “reputation” since they know this will make it easier to get paid.
Step 7: Make Counter-Offers
According to Cybernews, most ransoms can be negotiated down by at least 20% and sometimes up to 90%. Discounts of over 50% are common in the majority of negotiations. It’s helpful to be aware of the typical range of ransom payments for organizations similar to yours so you know approximately what the attackers will expect.
The same Cybernews article found that the average ransom paid by a small company is approximately 0.22% of its annual total revenue. This figure can be a starting point to give you an approximate idea of what ransom size to expect. However, ransoms can fluctuate depending on the nature of the attack and the operational methods of the attackers.
Negotiation techniques
One common negotiation technique is to offer a smaller sum now or a bigger sum later and claim the inability to pay. For example, a message to the hackers might read something like this:
“Our company doesn’t have enough capital right now to pay that amount. However, we have $80,000, which we can pay right now if you deliver the decryption key and delete the data.”
At the same time, don’t insult the attacker’s intelligence by making ridiculous claims. If you lose credibility with the attackers, it can hurt your negotiating position.
Step 8: Make The Payment
Actually making the payment is not technically part of the negotiation, but payment methods can affect negotiations. Some hackers offer discounts if you agree to pay them with an anonymous cryptocurrency like Monero (XMR).
Keep Calm And Carry On
It’s important to approach ransomware negotiations with a level head. Panicking won’t help anything. Don’t be afraid to ask for more time if the hackers are threatening you, and don’t hesitate to consult with experts or hire professionals if you feel overwhelmed.
Forbes Business Council is the foremost growth and networking organization for business owners and leaders.