10/26/2021 | News release | Distributed by Public on 10/26/2021 06:13
This standard introduction shows a level of professionalism, indicating that the ransomware group uses a standard playbook for its negotiating staff. While other ransomware families do not start every conversation with the same introductory message, chat conversations from the ransomware families we analyzed typically cover a few key points, which we list here.
What was stolen
While the amount and nature of stolen data vary, it always includes items that are critical to the company, including but not limited to financials, contracts, databases, and employee and customer personally identifiable information (PII). The criminals always offer to decrypt some sample files as proof, and in some cases they will provide a file tree of what has been stolen.
Price negotiation
Many victims state that they are willing to pay to decrypt data and prevent it from being leaked, but they simply cannot meet the initial demand. The criminals' main defense or justification for the price is based on either the victim's bank account balance or the victim's insurance policy information.
Discounts and price drops
We observed price drops from the initial demands ranging anywhere from 25% to 90%. Each group appears to have its own philosophy and standard with regard to the discounts it will provide. However, what the criminals initially claim as their discount policy does not hold for long. In some cases, a price is agreed upon and the actors publish the stolen data anyway. In other cases, the final discount goes far beyond what the criminals initially identified as their lowest possible offer.
Shift in tone
There is also a distinct shift in tone at some point in the majority of conversations. The criminals begin by firmly assuring the victim that paying is the best possible option. They reinforce their argument by reminding the victim that having their data leaked would result in legal trouble and regulatory fines, or that using a data recovery service is not worth the victim's time and money. During these early stages, they even claim that they are there to help the victims.
However, this approach eventually turns sour as ransomware actors become impatient, pushy, and aggressive. One likely reason for their impatience is that they do not want the victim organization to grow comfortable, forget the severity of its situation, or mitigate the threat without any "help" from the criminals themselves. Their statements thus shift from something along the lines of "Please let us know if you have further questions!" to "As you may have noticed, your website is currently unavailable. It's the initial phase of our campaign for your company liquidation... We are well aware you don't have any backup, so we will be waiting while you will be suffering losses."
What potential victims should do
It is generally understood today that for organizations, it is not a question of if they will be targeted by ransomware but when. Knowing and accepting this is critical to preventing a ransomware attack from inflicting severe damage on any organization.
To prepare for the possibility of a modern ransomware attack, organizations of all sizes and verticals should consider the following:
The goal of negotiating is often to buy yourself time while you recover data from your backups. Generally, victims want to prevent data leakage or further extortion, but they ultimately do not plan to pay the ransom. If this is also true for your organization's incident response plan, then it is critical to know that and to have everyone understand that goal before an attack occurs.
It is also important to be aware that criminals might use multiple extortion models, so organizations should understand and plan for the possibility of double, triple, and quadruple extortion. Ultimately, of course, preventing a successful ransomware attack is the best option. This requires a comprehensive security plan, which is a challenge for many organizations.
How to avoid becoming a victim
While it is essential to have a plan in case it is needed, organizations would naturally prefer any attack to fail. Still, it bears repeating that all organizations should expect to be targeted and plan accordingly, as doing so is the critical first step toward prevention.
One helpful starting place to protect systems against ransomware is to use the National Institute of Standards and Technology's (NIST) framework and ransomware-specific tips, such as the following:
To help you reach these security goals and protect your organization against a successful ransomware attack, Trend Micro Vision One™ compares detections across the IT environment with global threat intelligence to correlate data and draw actionable conclusions. Named the industry's best by Forrester, the security platform adds the strongest protection against ransomware and other attacks.