The Evolving Ransomware Threat
An evolving threat landscape requires organizations to prioritize preparation and prevention as their first line of defense to safeguard their assets and infrastructure. But even when steps are taken to prevent attacks, the reality remains that ransomware events do occur and are a pressing concern in the modern threat landscape. As cyber threats evolve, the growing frequency of these events underscores the importance of not only having preventive measures in place but also a comprehensive response strategy.
Should an organization find itself in the unenviable position of facing a ransomware attack, knowing how to respond to a data breach and engage with threat actors becomes paramount. And while prevention is the best cure, a robust response mechanism is the necessary safety net for the times when prevention falls short.
Flashpoint recently hosted a webinar to guide security professionals through the context, best practices, and tools needed to engage with threat actors and negotiate the best possible outcome for their organization. Here are five of the top takeaways for teams looking to bolster their response strategy.
To learn more about the specific groups, intelligence, and processes that can help you in the face of a ransomware attack, watch the full webinar.
Data extortion is king
Data extortion has become a common tactic that threat actors use to hold victims' data ransom. Extortion, in which the threat actor steals sensitive data and threatens to publish it in order to pressure victims to pay, provides benefits that data encryption alone cannot. (In an encryption-only attack, the ransomer encodes sensitive data and demands payment in exchange for the decryptor that restores the organization's access to its data.)
Better leverage during ransom negotiations
Threat actors understand that for most organizations, there are two main concerns when it comes to damage from a ransomware attack: financial or operational damage, and reputational damage.
Extorting data, as opposed to only encrypting it where it is still technically in the organization’s possession, allows ransomers to adjust the pressure on victims and manipulate them to adhere to deadlines or other requirements. They may threaten to leak a portion of the stolen data if an agreement is not reached quickly enough, or make other threats that they believe will help negotiations fall in their favor.
Stolen data can influence payment
Depending on the ransomware victim’s sector and the type of data being extorted, organizations may be more likely to make a payment if they know that sensitive information is at stake. Victims in the health care or financial industries, both of which are often dealing with personally identifiable information (PII) and other confidential information, may feel greater pressure to comply with threat actors’ demands in the hopes of rectifying the situation with minimal damage.
Backups are irrelevant
Backups are a common defense and mitigation measure that organizations use to minimize damage if a threat actor encrypts their data. But in cases of data extortion, backups do little to stop the threat actor from releasing the stolen data or publicly naming the victim.
Double or triple extortion techniques
Data extortion can be combined with data encryption and DDoS attacks to make an attack more aggressive and push victims to comply with demands.
Client pressure
If threat actors extort an organization’s client lists, they can threaten to contact clients and make them aware of the victim’s attack, wreaking havoc on an organization’s relationships with their customers and damaging their reputation.
If the victim agrees to pay the ransom in order to stop their clients from being contacted and prevent their clients' data from being released, it can also signal to the threat actor that the victim's clients hold data they would be willing to pay to protect. As a result, the threat actor may choose to target those clients next in an attempt to force them to pay as well.
Know your objectives before engaging
When a ransomware attack occurs, it’s important to remember that the threat actor does not have the final say over the outcome of the situation. Before communication with the threat actor occurs, security and response teams should discuss the following questions in order to understand their priorities and negotiate with their goals in mind:
- What is the goal for this investigation and negotiation? This may change as the investigation continues, but there should always be an objective to work towards.
- Is this situation embarrassing, or is it terminal? No organization wants to be a ransomware victim, much less have the attack publicized. But beyond that, it is critical for the security and response team to understand the scope of the attack, and whether it is severe enough to potentially shut the organization down.
- Is recovery possible? Depending on the forensic investigation, timeline, nature of the encryption or extortion, and specifics of the incident, teams should evaluate the prognosis of the attack to better understand their options to move forward.
Before communicating with the ransomer, organizations should thoroughly analyze the potential value of talking to the threat actor, and determine whether it is worth it to engage. Questions to discuss include:
- What is there to learn by engaging in conversation?
- If the conversation were to leak, is that okay?
- What is driving the conversation?
Follow the intelligence
As teams consider whether to negotiate, pay the ransom, involve law enforcement, and other major questions, they should leverage intelligence related to the ransomware group, previous attacks they’ve carried out, and legal regulations to make decisions.
Not all ransomware groups are the same, and in some cases a specific threat actor group may have a reputation for unreliability so poor that even other threat actors refuse to work with them. If the security team discovers that this is true of the group responsible for the attack, it should call into question whether that group's assurances can be trusted.
Attribution can also be difficult to ascertain, and an organization's confidence in its ability to confirm that the threat actor or group is who they claim to be can influence whether payment should be considered. Legal sanctions must also be heeded; whether a payment is permissible can depend on the geographical location of both the victim and the threat actor, the specific ransomware group, and the payment amount, among other factors.
Understand your timeline
Depending on the severity of the attack, an organization may not be able to conduct business until they have resolved a ransomware incident. This can present dilemmas over how to proceed if the ransom amount is lower than the cost to halt operations for days or weeks to negotiate with the ransomware group.
Where threat actor engagement falls in the incident response plan being followed, whether it is conducted early on or only after other steps have been taken, can also affect how long an attack lasts. Breach notifications, which are obligatory in certain circumstances and will affect the response timeline, may also factor into an organization's decision to negotiate, comply, or seek external support.
To pay or not to pay
Before an organization decides whether or not to pay the ransom, it should evaluate its expectations. Due to the nature of some encryption techniques, it can often take several weeks to decrypt affected data, and there may be corruption of files, systems, and architecture left behind. With this in mind, it may not be worth paying when a potentially significant amount of rebuilding will be required to fully restore infrastructure anyway.
There are also questions of how an organization will pay, and what exactly they can guarantee from a threat actor if they comply with demands. It is critical that organizations talk with their financial institutions about what will happen in the event of a ransomware attack, before an attack occurs. If there is no plan in place and an organization makes a request to their bank to pay a ransom, the bank may not deem it permissible to support the payment, which can impact the organization’s ability to comply with demands.
Once a payment has been made, there is no way to fully guarantee that the ransomware group will follow through with their side of the deal. They may promise that all extorted data will be deleted, but it’s difficult for the organization to know for sure.
Watch the full webinar
Watch the full webinar to hear about the specific groups, tactics, and trends that are presenting risks to organizations, and learn from the experts about the extortion workflow process and response best practices that can help security teams effectively navigate ransomware negotiations and achieve the best possible outcome for their organization. Download the full webinar here.