Ransomware Negotiators Stay Busy as Attacks Escalate

Written by Edward Gately
October 2, 2020

After getting a ransomware payment from a company, the cybercriminal may return for more.

It’s a busy time for ransomware negotiators with cybercriminals targeting more businesses and demanding bigger payments.

Ransomware attacks and ransom payments are on the rise, with ransoms now more likely to exceed $1 million, according to recent research by Barracuda. There’s been a significant increase in ransom payments in the past year. And many ransomware victims have not prepared enough, so they end up paying the ransom.

On Thursday, the U.S. Treasury Department published guidelines for special circumstances where a ransomware payment may break U.S. sanctions. The guidelines apply when an individual or company has had its data encrypted by a ransomware gang that is either sanctioned or has affiliations with a cybercrime group sanctioned by the Treasury Department in years past.

So, how do ransomware negotiators work? Should organizations always try to negotiate?

Cytelligence’s Ed Dubrovsky

To find out more, we spoke with Ed Dubrovsky, COO and managing partner of Cytelligence. The company handled ransomware negotiations until Aon acquired it earlier this year. It now works with third parties and helps them handle negotiations.

Channel Futures: When do ransomware negotiators step in?

Ed Dubrovsky: Threat actors come in and they impact as many systems as they can to cause a very big impact on an organization. With a small organization they will … encrypt all systems. And with a large organization, they will deploy an automatic means to encrypt all the data. And then you basically have to go and talk to them because your ability to do anything else is diminished. Even larger organizations with backups may still be compelled to negotiate with these threat actors because the amount of time to recover and the cost to the business to be down for that duration could actually be higher than making a payment to the threat actors, and then both recovering from your backups … and decrypting files.

CF: Are many cybercriminals willing to work with ransomware negotiators? Will they accept a lesser amount?

ED: It’s very difficult to negotiate with certain threat actors because of perhaps language or they’re set in their ways in terms of, “We believe you’re making that much money and hence we want that much money, and we’re not going to negotiate.” But it’s not just about the initial demand and the final demand, and whether you need a negotiator to decrease that number.

You could potentially negotiate with them and say, “You give me the data and I’ll pay you for it.” Or you could basically say, “We’re not paying you; go ahead and publish.” That costs zero to the client and then the bad guys go and publish. Yes, it’s in the public domain. But the client didn’t really care because the data did not contain any personally identifiable information about individuals. So it was not secret information. But what was more important was getting back to business. So every case is a little different.

The majority is always about how can we minimize the final demand. But it’s also about how fast we can get to that final demand. It’s costing money, and potentially loss of business and reputation and so on. So it’s definitely a time-sensitive process.

CF: What happens once cybercriminals and ransomware negotiators agree on an amount?

ED: The threat actors will …