How Ransomware Gangs Negotiate with Their Victims

Hacking into a corporate network and encrypting files does not mean that a ransomware attack was successful. Ransomware attacks are only successful if they make money for the hacking group, and ransom payments can never be guaranteed. Almost no company will instantly agree to pay whatever ransom is demanded, unless the files are vital to their day to day operation. In such cases, the enterprise may feel that the ransomware cost is less than the daily cost of being out of service.

According to the Wall Street Journal, these are the sectors most likely to pay a ransom.

Not surprisingly, there is an overlap between those sectors most willing to pay a ransom and the sectors that receive the most ransomware attacks. Here is a chart for 2021 from Statistica.

Studies may vary but certain sectors are always most targeted by hackers. These include healthcare, education, services, and manufacturing. The government section listed here is a little vague. The reason it is listed first is because it includes all government agencies from the local on up to the federal. In fact, local and state government agencies that provide public services are most often targeted. Again, they’re targeted because they often pay.

When any company or organization is attacked with ransomware, they will be shown, usually on the hacked device, a text message informing them that they have been hacked and need to pay a certain amount in cryptocurrency. They will often be given instructions on how to do this. The hackers may also allow the victim to choose a file they’d like to be decrypted, just to show that paying will, indeed, get the files back. If all goes well for the hackers, the victim dutifully pays. In fact, 32% of those hacked will pay the hackers. Most of those who paid got back some of their data, but only 8% got all of their data back. Once the money is paid, the victim is really at the hacker’s mercy. The only real reason hackers give back any data at all is because they have a reputation to maintain. No victim of a ransomware attack will pay a ransomware group that has a reputation of never returning the encrypted data.

One question that needs to be asked is: How do the hackers arrive at the ransom amount? Basically, they select an unrealistically high amount depending on the size of the enterprise hacked and the estimated value of the data they encrypted. In fact, it’s more or less wishful thinking. They never really expect the first amount they suggest to be paid. This is why no enterprise should ever pay the initial amount asked. In other words, the hackers expect a negotiation. So how, exactly, should you negotiate with these ransomware hackers. Well, this is where a study by the Cisco Talos Intelligence group comes into play.

The Cisco Talos Intelligence group researchers monitored and analyzed four months of text messaging conversations between the Conti and Hive ransomware groups and their victims to learn what techniques these groups use. Such findings could enable victims to negotiate ransoms more effectively, assuming the victims believe that paying a ransom is inevitable.

It becomes immediately clear that the main goal of both ransomware groups is to take the money and run. They don’t want to waste their time in negotiations; they just want a quick payout. That’s why they quickly lower the amount of the ransom as soon as negotiations begin. The report also clarifies how these hacking groups decide on the initial ransom amount. It appears as if they simply calculate 1% of the company’s annual revenue.

Of course, some companies may want to hire a third party to negotiate for them. There are certainly a number of these around, but just be sure you don’t pick one that may be affiliated with the hackers, as I could certainly see this developing as a new angle. Generally speaking, hacking groups will try to dissuade victims from using these services and may even threaten the victim if they try to employ such a negotiator.

According to the Talos report, Conti may initially appear to be more cooperative and understanding. They are simply helpful guys who are providing the attacked company or organization with a service by exposing some of the weak points in their cybersecurity architecture. In fact, they submit that they have just completed a free pentest for the company, but, then, after some reflection, they’ve decided that they should be paid for this. After all, they are just businesspeople looking to make a little money, right? To show their good intentions, Conti will offer their victims special discounts if they pay the ransom within a short period of time.

However, if this soft approach doesn’t work, Conti will resort to tougher measures. They have just recently attacked the Ministry of Finance of Peru. Apparently, the ministry has not been cooperative and, thus, the following note appeared on Conti’s deep web site.

In fact, they do release some files that seem valid.

To increase the pressure on the victim, Conti may explain the negative impact that the release of the stolen data may have on the company. They may threaten to inform members of the company’s supply chain to ruin their reputation. The fact that members of the supply chain may have had their data compromised may lead to lawsuits. In addition, competitors could learn of company secrets. Employee data that is released will expose them to identity theft which the company may be held responsible for. In short, the victim is blackmailed.

But the negotiation doesn’t need to get to this stage. Keep in mind that the hackers only want money, They will more often than not agree to any reasonable counter offer. If you are forced to negotiate, select an unrealistically low amount as a counter offer; an amount that is lower than your enterprise would find acceptable. Stand by that amount and they will lower their ransom demand. That said, when Conti agreed to lower one demand by 80%, it came with the disclaimer that they would leak 80% of the encrypted data.

The initial ransom note will contain a time deadline. This is also negotiable. Any excuse can be given and will be accepted if the hackers feel it will end with them getting some money. Why would you want to extend the deadline? Well, there’s always some chance an encryption tool will be released or the company can use the delay to rebuild its hacked files without paying the ransom.

But if the enterprise decides to pay, they want to be assured that they will really get their files back. Fly-by-night ransomware groups have no incentive to return your data; they may return it, or they may not. It doesn’t much matter if next week they change the group’s name. However, well-known groups rely on having a good reputation. They know that no one will pay a ransom if their reputation is one in which they never return the hacked files. As one Conti negotiator remarked when asked about returned files, “The chances that Hell will freeze are higher than us misleading our customers. We are the most elite group in this market, and our reputation is the absolute foundation of our business and we will never breach our contract obligations.” There’s some truth in this.

In contrast to Conti’s more helpful style, the Hive ransomware group is more direct. This could be because they lack the English ability required for fine-tuned negotiations. The HHS Cybersecurity Program designates the group as “possible Russian-speaking actors”. They openly target the healthcare sector as well as nonprofit organizations. Money is their primary motive and they’ll stop at nothing to get it. Here is the distribution of their victims.

Hive does the ‘good cop, bad cop’ routine in their initial message to the victim.

They lack the sophistication to participate in fine-tuned negotiations and are quick to increase the ransom amount if they see any hesitation in the victim. If they find that they are dealing with a paid negotiator, they have been known to try to bribe them to work with their hacking group. Don’t be so naïve as to think that this wouldn’t be considered in cases where high ransom demands are being asked for. The good news for victims is that the Talos researchers don’t consider Hive a top notch hacking group. They point out that their encryption algorithm has been disclosed on several occasions meaning that a decryption key could be available to those who’ve been attacked. If attacked by the Hive group, check first to see if some of the released decryption keys work before starting negotiations. If no key is available, the same negotiating tactics described for Conti can be used with Hive.

Talos recommends the usual preventative measures for avoiding ransomware attacks. Keep your systems and software updated and make frequent backups. Enterprises should also employ endpoint protection that factors in irresponsible employee behavior.

There is one questions victims always ask: Should you pay the ransom? Law enforcement agencies say you should not pay a ransom because, in so doing, you are supporting criminal activity. You may or may not get your files back and there is no guarantee the hackers won’t keep the files for themselves and sell them off later. They may even come back to extort more money. Gartner suggests that companies assume they will become victims of a ransomware attack. In so doing, they will have a ransomware response model in place. If negotiating is an option, they should learn some of the tactics described above and have a bottom line figure for a ransom that they can absorb without putting the company in financial distress. Plan now for as Ben Franklin said, “by failing to prepare, you are preparing to fail.”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s