Ransomware Negotiation Tactics Evolve as Victims Seek Discounts and Threat Actors Try to Avoid Being Scammed.

The landscape of ransomware negotiation is undergoing significant evolution, as illustrated by a recently reported news story involving a European manufacturing company. The ransomware negotiator, who requested anonymity for confidentiality reasons, found himself engaged in an unexpected dialogue with the hackers who had infiltrated his client’s systems.

Tales from a ransomware negotiator

This negotiator is part of a cohort of cybersecurity professionals tasked with navigating negotiations between ransomware victims and hackers, aiming to persuade the attackers to lower their demands.

The realm of ransomware negotiations is bustling with activity. In 2021, ransom demands soared to an average of $2.2 million, more than doubling the figures from the previous year, according to research by Palo Alto Networks. However, victims typically end up paying around $541,000, less than half of the initial extortion demand. In our experience, when negotiating with threat actors, most victims will be able to achieve a settlement of half, or more than the original demand made.

Who is involved in negotiations?

Ransom negotiation primarily involves lawyers, cybersecurity firms, and private consultants adept at handling interactions with hacking groups. Notably, CNA Financial Corp., a major US insurance company, reportedly negotiated a ransom payment of $40 million last year to unlock its network, a significant reduction from the initial demand of $60 million.

An unexpected request

In the European case mentioned, the negotiator successfully negotiated down the hackers’ payment demands by tens of thousands of dollars. However, the situation took an unexpected turn when the hackers expressed concerns about potential deception on the negotiator’s part. They demanded proof of his integrity, such as a copy of his contract or communication records with the victim, fearing that he might be skimming off additional funds for personal gain. This is a real risk for victim companies when considering who to hire to conduct ransomware negotiations.

This request, as described by the negotiator, was deemed “bizarre,” underscoring the heightened level of paranoia among these groups. The negotiator emphasised the hackers’ apprehension, citing instances where other negotiators had misled them about the victim’s willingness to pay, pocketing the difference between the actual payment and the lower amount conveyed to the hackers.

In a bold move, the hackers proposed offering the negotiator privileged access to the identities of other potential victims, allowing him to pitch his negotiation services before competitors. In exchange, they suggested compensating him with a commission for each ransom successfully negotiated. However, the negotiator declined this offer.

Why how you pay a ransomware negotiator matters

Richard Foster, founder of the ransomware negotiation firm Brainstorm Security, noted similarities between the hackers’ proposed fee structure and those employed by some cybersecurity companies. These firms often receive a percentage of every ransom payment negotiated on behalf of clients. This model can provide a substantial payout for the negotiator, but at Brainstorm Security, we only ever charge a daily/hourly rate for the work we conduct on your behalf. This avoids any accusations of collusion with threat actors. In addition, at Brainstorm Security, extra safeguards are put in place to protect the victim during each negotiation.

Furthermore, some hacking groups have been known to extend discounts to negotiators and data recovery firms they frequently encounter, along with providing tools to conceal these kickbacks from clients.

Presently, negotiation firms typically adopt a flat fee model for their services. In the European case, the victim agreed to pay the negotiated ransom, leading to the hackers providing a decryption key to unlock the network.

Details about the hackers, identified as part of the Haron group, remain scarce. This group emerged following a ransomware attack on Colonial Pipeline, prompting a reorganisation among Russian-speaking ransomware groups conducting aggressive attacks.

In conclusion

The dynamics of ransomware negotiation continue to evolve, marked by complex interactions between victims, negotiators, and hackers seeking to maximise their gains in this high-stakes game of digital extortion.