Negotiating With Threat Actors to Defeat Ransomware

CyBiz’s partner, Sygnia, has a ransomware negotiator on their team, which is a key weapon they use when responding to sophisticated ransomware attacks. Having an in-house negotiator enables a more seamless response to cybersecurity incidents.

In today’s digital age, the proliferation of ransomware attacks has become synonymous with the rise of cryptocurrency, enabling threat actors to leverage the anonymity and ease of transaction through cryptocurrencies. Today’s ransomware groups are increasingly sophisticated and are modelled on big business with franchises, resellers, customer service, collaboration tools, training, HR departments and performance reviews.

Unlike many large organisations, ransomware groups are nimble and constantly adapting their TTPs (Tactics, Techniques and Procedures). Threat actors have been quick to adopt Gen-AI and use it in ransomware attacks to develop malicious code, tailored phishing attacks and deepfake attacks. Once inside an organisation, threat actors can use Gen-AI to identify the most valuable data for extraction.

The landscape of cyber threats is constantly evolving, with attackers operating within safe havens, often with state consent, employing increasingly sophisticated tactics. Splinter ransomware groups are emerging, seeking notoriety, operating with impunity and adapting quickly to countermeasures.

The need for effective negotiation strategies has never been more critical!

When faced with a ransomware attack, negotiation becomes a delicate balancing act for organisations. Even if an organisation has no intent to pay a threat actor, negotiation remains an important tool to utilise in the incident response. Engaging with threat actors helps understand the extent of the breach and explore potential avenues for resolution. However, negotiating from a position of strength requires careful consideration and a comprehensive understanding of the adversary’s motives and capabilities. Negotiating terms and deadlines, while also assessing the credibility of the threat, requires a nuanced approach that balances the immediate need to protect data with the long-term interests of the organisation.

Central to successful negotiation is the ability to extend decision-making time, reducing the pressure imposed by the attacker and allowing for a more thorough assessment of the situation. By understanding the scope of the attack and exploring alternative solutions, organisations can improve the terms of a potential deal and minimise the impact on their operations.

Sygnia’s key insights for effective ransomware negotiation include:

1. Information Gathering

Using negotiation as an opportunity to identify the threat actor, gather intelligence and understand the scope of the ransomware attack.

2. Tactical Engagement

Utilising negotiation as a tactical process to get “proof of life” of organisational data accessed, understand how the threat actor gained access to the data, and extend time to reduce the pressure imposed by the attacker.

3. Improving the terms of a potential deal

Negotiation, even when there’s no intention to pay, remains a critical tool in incident response, enabling organisations to glean vital insights into the breach’s scope and potential resolution pathways. The delicate balance between protecting immediate interests and safeguarding long-term organisational integrity underscores the nuanced approach required in negotiating with threat actors.

As organisations confront the evolving cybersecurity threat landscape, the importance of negotiation in cybersecurity cannot be overstated. By embracing negotiation as a proactive and strategic response tool, organisations can fortify their defences, mitigate risks, and safeguard their digital assets against the ever-present menace of ransomware attacks.