Negotiations with ransomware hackers
“How to negotiate with ransomware hackers” was the title of a story published in “The New Yorker”. These are my key takeaways.
First of all, I emphasize that I have never negotiated ransomware cases. Neither on the one side nor the other (of course). In this issue, I would like to share my key takeaways from an exciting story from “The New Yorker” about Kurtis Minder, a ransomware negotiator (find the link below).
Why would anyone want to negotiate with ransomware hackers? The FBI discourages paying ransoms to not support hackers’ business cases. Also, paying a ransom does not guarantee the recovery of encrypted files. Both arguments are valid. Nevertheless, it has a long tradition of paying ransoms for hostages. Nobody wants to encourage terrorists to continue kidnapping people. And paying a ransom does not guarantee to get loved ones back in one piece. If ransoms should not be paid due to deter criminals, this must be even more valid for abductions than for ransomware cases.
As soon as a company is affected by ransomware (this is only a matter of time), it will often become clear that paying a ransom is more a matter of business calculation than idealism or heroism. In many cases, backups and continuity plans are not enough to recover files and operations (at least fast enough). However, paying a ransom and not being able to recover must be part of the calculation.
Kurtis Minder collected learnings from hostage negotiators. He learned that counteroffers should not seem like arbitrary bargaining (e.g. round numbers) and every concession must come with a justification (to the hacker). Minder experienced that negotiating employees are often frustrated by the attack and insult hackers. This lowers the chances of successful data decryption after paying a ransom. It is beneficial to be empathic and to mirror the hacker’s language (hackers are humans, be friendly, honor their achievements).
Minder cooperates with a blockchain-analysis company to find connected crypto addresses so that they can find out the amount of payments to hacking groups in similar ransomware cases.
I was surprised that there might be victims that made use of negotiators without knowing. According to the story, there seem to be security companies that pretend to be able to recover encrypted data. But instead, they negotiate in secret with the hacking groups, pay the ransom and add it to their price. Kurtis Minder said that such a security company demanded 145 thousand dollars to allegedly decrypt the files without paying a ransom, while the attackers asked for 65 thousand dollars directly from the affected company.
I am personally not surprised that there is - according to the story - only a handful of ransomware negotiators. I think that most often the exact amount of ransom is not match-winning. Colonial Pipeline paid 4.4 million dollars ransom within a few hours (FBI was successful in recovering the largest part of the ransom later). Still, it took almost a week to recover all operations while more than 10.000 gas stations were out of fuel. The ransom was probably only a rounding error of the total damage they experienced. One more day out of business would have caused more damage than the total ransom was. I believe that a ransomware negotiator might make sense when negotiations failed or time is not critical to the business.
These are my key takeaways and personal comments on “How to negotiate with ransomware hackers” published in “The New Yorker”.