In his famous work The Art of War, Sun Tzu said “If you know your enemy and know yourself, you need not fear the result of a hundred battles.” This ancient wisdom sums up how to negotiate with ransomware hackers.
Understanding your own organization and the impact of a ransomware attack, along with information about the attackers can help you decide how to negotiate, or if you should negotiate at all.
So how do you navigate a high-stress ransom negotiation?
Step 1: Building a Team
The first step of ransomware response is forming a team. You will need a team leader who has an overview of the situation and can present that data to decision makers. This may require coordinating with the heads of different departments and collecting data.
You’ll also need team members qualified to handle different tasks, from setting up secure communication channels, to summarizing data for decision makers, to actually making a ransom payment.
If you decide to make use of a professional ransomware decryption service, you will need to designate team members to facilitate their work.
Step 2: Contacting Law Enforcement
Before you start talking to the hackers, it’s best to contact law enforcement and report the breach. A designated team member should handle collecting the data needed for the police report and communicating with the authorities.
Step 3: Setting Up Secure Communications
The hackers may be watching you to try to get inside information they can use in the negotiation process. It’s important to keep all communications related to the negotiations secure and encrypted.
Step 4: Damage Assessment
It only makes sense to pay a ransom if the benefit is greater than the cost of a data breach. That means you need to know things like:
- How much of the network has been breached?
- What types of data have been compromised?
- What are the costs associated with data leaks (i.e. patient data, customer data, trade secrets, etc.)?
- Which ransomware variant has been used for the attack?
You also need to know how the encrypted data will affect your work:
- How will the loss of encrypted data affect operations? How much will the disruption cost?
- How long would it take to get back to normal by manually recovering data or reconstructing data?
- What will the damage look like in terms of customer relations and brand image?
Cybercriminals can steal a lot of data, and they know this is a lot to consider. This is why they try to put pressure on victims: they don’t want you to have enough time to make good, informed decisions.
Step 5: Making Contact
If you can, it’s best to avoid paying a ransom and most law enforcement agencies recommend avoiding it if possible. If the costs of the attack are too high, however, it may be necessary to contact the hackers.
Exercise caution when talking to attackers
Watch out for hackers trying to trick you into giving up information which can be used against you. Stay calm and don’t give up any sensitive information when talking with them.
Verify the extent of data loss
Before you start negotiating the ransom, make sure the attackers aren’t bluffing. Don’t trust any of their claims and ask for proof.
In some cases, they will upload the files to a server where you can see them, in which case you know their threats are authentic.
Step 6: Assessing the Ransom Demand
At this point, you know:
- How big the scope of the attack is.
- How much downtime you are facing if you do not recover the data.
- How long it will take you to get back to normal if you recover the data.
- A rough estimate of the cost of not recovering the data.
If the cost of a ransom is less than the damage of not paying it, it makes economic sense to pay the ransom.
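The comparison in Steps 4 and 6 can be written down so that each input from the damage assessment has a place and the sensitivity to the attackers’ trustworthiness is visible. The following is an added illustration, not code or figures from the original article: the cost model, the `decryptor_reliability` adjustment, and every number are assumptions constructed for the example. Setting the reliability below 1.0 captures the Step 6 warning that some gangs do not deliver what they promise; a ransom that is clearly worth paying against a "reputable" group can be a bad deal against an unreliable one, with the same damage figures.

```python
"""Cost comparison for the ransom decision in Steps 4 and 6.

Added example, not part of the original article. All inputs are constructed
sample figures; the model and the reliability adjustment are assumptions.
"""
from dataclasses import dataclass


@dataclass
class ImpactEstimate:
    # Figures gathered during damage assessment (Step 4); all constructed.
    downtime_cost_per_day: float     # operational loss per day systems stay down
    days_to_recover_manually: float  # restore from backups or reconstruct data
    days_to_recover_with_key: float  # decrypt and validate, if the key works
    data_leak_cost: float            # notification, fines, lost customers, etc.
    leak_cost_if_paid: float         # residual leak risk even after a "deletion" promise


def cost_of_not_paying(e: ImpactEstimate) -> float:
    """Damage if the organisation recovers on its own and the data is leaked."""
    return e.downtime_cost_per_day * e.days_to_recover_manually + e.data_leak_cost


def cost_of_paying(e: ImpactEstimate, ransom: float, decryptor_reliability: float) -> float:
    """Expected cost of paying.

    decryptor_reliability is the assumed probability (0..1) that a working key
    is delivered. If it is not, the ransom is gone and manual recovery still
    has to happen, so the failure branch costs the same as not paying at all.
    """
    if not 0.0 <= decryptor_reliability <= 1.0:
        raise ValueError("decryptor_reliability must be between 0 and 1")
    success = e.downtime_cost_per_day * e.days_to_recover_with_key + e.leak_cost_if_paid
    failure = cost_of_not_paying(e)
    expected = decryptor_reliability * success + (1.0 - decryptor_reliability) * failure
    return ransom + expected


def paying_is_cheaper(e: ImpactEstimate, ransom: float, decryptor_reliability: float) -> bool:
    """The Step 6 test: paying makes economic sense only if it costs less than not paying."""
    return cost_of_paying(e, ransom, decryptor_reliability) < cost_of_not_paying(e)


def break_even_ransom(e: ImpactEstimate, decryptor_reliability: float) -> float:
    """Largest ransom at which paying still breaks even; a ceiling for Step 7 counter-offers."""
    return cost_of_not_paying(e) - cost_of_paying(e, 0.0, decryptor_reliability)


if __name__ == "__main__":
    # Constructed scenario: 20 days of manual rebuild vs. 4 days with a key.
    estimate = ImpactEstimate(
        downtime_cost_per_day=25_000,
        days_to_recover_manually=20,
        days_to_recover_with_key=4,
        data_leak_cost=300_000,
        leak_cost_if_paid=60_000,
    )
    demand = 150_000
    print("cost of not paying:", cost_of_not_paying(estimate))
    for reliability in (0.8, 0.2):
        print(f"reliability {reliability:.0%}: expected cost of paying {demand:,} =",
              round(cost_of_paying(estimate, demand, reliability)),
              "| pay?", paying_is_cheaper(estimate, demand, reliability),
              "| break-even ransom:", round(break_even_ransom(estimate, reliability)))
```

In the constructed scenario, not paying costs 800,000. Against a group assumed to deliver 80% of the time, paying 150,000 has an expected cost of about 438,000 and the break-even ransom is about 512,000; against a group assumed to deliver only 20% of the time, the same 150,000 demand is already above the break-even point of about 128,000. The reliability input is the one the Step 6 research into the gang’s track record feeds.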
Who are you dealing with?
After making contact with the hackers, it’s critical to know what group you are dealing with. Some ransomware gangs are notorious for demanding multiple ransom payments after promising not to leak data. Others try to build a good “reputation” since they know this will make it easier to get paid.
Step 7: Making Counter-Offers
Most ransoms can be negotiated down by at least 20%, and sometimes by up to 90%; in the majority of negotiations a discount of over 50% is achieved. It’s helpful to be aware of the typical range of ransom payments for organizations similar to yours so you know approximately what the attackers will expect.
The average ransom paid by a small company is approximately 0.22% of their annual total revenue. This figure can be a starting point to give you an approximate idea of what ransom size to expect. However, ransoms can be lower or higher depending on the nature of the attack and the operational methods of the attackers.
Negotiation techniques
One common negotiation technique is to offer a smaller sum now or a bigger sum later, while claiming an inability to pay the full demand. For example, a message to the hackers might read something like this:
“Our company doesn’t have enough capital right now to pay that amount. However, we have $80,000 which we can pay right now if you deliver the decryption key and delete the data.”
At the same time, don’t insult the attacker’s intelligence by making ridiculous claims. If you are too dishonest, you may lose credibility with the attackers which can hurt your negotiating position.
Step 8: Making the payment
Actually making the payment is not technically part of the negotiation, but payment methods can affect negotiations. Some hackers offer discounts if you agree to pay them with an anonymous cryptocurrency like Monero (XMR).
Keep Calm and Carry On
It’s important to approach ransomware negotiations with a level head. Panicking won’t help anything.
Don’t be afraid to ask for more time if the hackers are threatening you, and don’t hesitate to consult with experts or hire professionals if you feel overwhelmed.