Tips on how to negotiate in case of digital extortion

Have you thought about how to deal with a ransomware attack if your company is a victim of this type of cybercrime and suffers extortion? Unfortunately, this type of digital crime has become increasingly common in all regions of the world, regardless of company size or industry sector. 

Much of the analysis of ransomware activity focuses primarily on the technical perspective and how to protect yourself technologically, without necessarily addressing negotiation strategies in the face of digital extortion. An article by the NCC Group sought to address three other perspectives: how are the economic models used by attackers to maximize profits; how victims position themselves during the negotiation phase; and what strategies can be adopted to level the playing field?

The research revealed that cybercriminals have a significant negotiating advantage – they generally know how much the victim will be able to pay at the end of the process. More than 700 negotiations between attackers and victims between 2019 and 2020 were studied using quantitative and qualitative methods.  Based on these examples and real conversations between ransomware gangs and their victims, and mainly on empirical approaches from the NCC Group, the article proposes recommendations that can help victims reach a more favorable outcome – or with less damage.  If the decision to pay the ransom is made, there are still ways to lessen the damage. It should be noted that using only one of these negotiation strategies will not help much; most of them need to be followed. 

1. Be respectful – View the ransomware crisis as a business transaction. Hire outside help if necessary, but be respectful as in professional conduct. The study revealed that there is a relationship between being kind and the amount of ransom paid in the end.

2. Not being afraid to ask for more time – Even if the cybercriminal tries to pressure the victim to make quick decisions, he or she will usually agree to extend the negotiation period. This can be useful for the victim to better assess the situation and eventually reach the conclusion that he or she will be able to recover the data on his or her own. Similarly, it may buy extra time to devise defense strategies or, conversely, to pay the ransom.

3. Promise to pay a small amount immediately – If you want to avoid data leakage during system reconstruction, a good strategy is to try to negotiate a smaller amount to close the deal. In several cases, the study identified large discounts when this option was presented.

4. Convincing the gang that you cannot pay a high ransom – One of the most effective strategies is to convince the opponent that their current financial position does not allow them to pay the requested amount.

5. If possible, do not disclose the existence of cyber insurance – To hide this information, the victim cannot have stored insurance documents on any accessible server.

6. Establish a different communication channel with the adversary – In several cases evaluated by the study, the chat used to exchange messages was infiltrated by third parties who started to interfere and hinder the negotiation. It is necessary to be careful.

7. Ask for some files to be decrypted as a test – This is a measure to make sure that after the ransom is paid, the files will actually be recovered. Also, be sure to ask for proof of deletion of the files.

8. Prepare for situations where files will leak or be sold in any way – Despite the eventual assurance from cybercriminals, data may leak or be sold and may have passed through many hands.

Maximising profits 

In the early years of ransomware, groups used to use a uniform pricing strategy, i.e. a fixed price after the break-in. This was the case with CryptoLocker, whose ransom was based on the payment of $400 or Euros per victim. However, this system has evolved and today there are basically three categories of pricing: personalized when the ransom is charged based on willingness and ability to pay; with bulk discounts; and the one that uses personal or business characteristics of the victims. 

The article exemplifies the second type of pricing with the case of a Chinese cybercriminal group that asked for a relatively high initial fee to decrypt the data of less than 10 computers. The amount plummeted after numerous decryption systems were sold. 

The NCC Group study acknowledges that there are limitations to the assessment. It cannot be said with certainty that the pool of identified victims is representative of the entire population. In addition, ransomware groups use other factors to determine the value of ransoms, such as the number of encrypted computers and servers, number of employees, or expected media exposure. Factors such as these are more difficult to compare. 

Despite these limitations, research suggests that cybercriminals are optimizing profits by trial and error. They have the advantage that the victim is usually inexperienced in this type of negotiation, while they are already professionals and can more easily decide the best strategy. Besides that, they can snoop the stolen data of the victims, as if, in a card game, the adversary could see the opponent’s cards. In other words, if the adversary plays well, he will always win. This is why ransomware crimes are growing at a galloping rate.