Brit Ltd.

03/18/2024 | Press release | Distributed by Public on 03/18/2024 03:02

Ransomware negotiation: Don’t try this at home

Is it legal to pay a ransom request in the UK?

It is legal to pay a ransomware request unless the individual or group requesting the ransom is subject to sanctions from an applicable jurisdiction that prevents them from making funds through these types of payments. In the case of the UK, the government's position on this is clear: "Breaches of financial sanctions are a serious criminal offence and can carry a custodial sentence and/or the imposition of a monetary penalty."

The full list of sanctioned entities is available on the UK government's website. The purpose of sanctioning entities involved in ransomware is to further the prevention of cyber activity, which:

  • Undermines, or is intended to undermine, the integrity, prosperity or security of the UK or a country other than the UK.
  • Directly or indirectly causes, or is intended to cause, economic loss to, or prejudice to the commercial interests of, those affected by the activity.
  • Undermines, or is intended to undermine, the independence or effective functioning of an international organisation, or a non-governmental organisation or forum whose mandate or purposes relate to the governance of international sport or the internet.
  • Otherwise affects a significant number of persons in an indiscriminate manner.

The role of ransom negotiators involves uncovering information about the individuals or group that has made the ransomware request and finding out if they are sanctioned. Part of the negotiators' specialism is being able to undertake relevant due diligence checks and cross-reference their own threat actor databases to assess who might be responsible for the attack.

The key areas that will be examined include Indicators of Compromise (email addresses, IP addresses, etc.) and the tactics employed by the threat actor. This will be compared with the negotiator's intelligence and existing sanction lists to accurately assess if the threat actor or connected people and entities are sanctioned. Once the view on sanction status is clear, the negotiator can advise the insured on whether negotiations should proceed.

View from the negotiator: How do threat actors know how much to ask for when setting a ransom?

"We've observed that threat actors have become a lot more strategic in their approach to setting ransom expectations when carrying out a cyber-attack. They will base their research on open-source information. For example, they could go to ZoomInfo and look up the victim organisation to see what their perceived revenue is and set the ransom to be a percentage of that revenue.

In other cases, we've seen threat actors specifically search for cyber insurance policy documents or financial information during their hack. With this information, the threat actor can see that a business will be insured for "X" amount on ransom payments. This information will be co-opted as leverage during the negotiation process. They are very intelligent in how they do this. They are looking for payment and will go into negotiations with a clear picture of what their victim organisation can reasonably afford to pay."

View from the negotiator: How do people get into ransomware negotiation?

"The majority of consultants in our team have worked in defensive or offensive cyber security. Those from defensive security would include digital forensics or incident response experts, meaning they have experience of operating in a live environment and securing networks against threat actors. Those from an offensive background will typically have worked on legitimate penetration testing, with experience in government and military backgrounds.

Personally, I started out in the industry through digital forensics before taking work from law enforcement agencies and then moved into the private sector, where I work today. During my time in law enforcement, I specialised in disrupting threat actors in the cyber crime space as well as responding to national cyber incidents in the UK. My specific role involved developing technical exploitation capabilities to interact and disrupt cyber criminals. This skillset lends itself well to the type of work I'm involved in today."

View from the negotiator: Is there anything that has surprised you in your line of work?

"To be honest, working in a dynamic cyber crime environment means that you become a little numb to the unexpected after a while! Having said that, cyber criminals have evolved the tactics that they use to put pressure on their extortion victims. This is typically in search of leverage. We have seen incidents where cyber criminals have been able to hijack printers inside victim organisations to print off physical ransom notes. We've also even recorded hackers notifying the governing bodies and authorities that organisations have fallen victim to a cyber attack. This obviously comes with its own repercussions for the victims.

We have a whole list of examples of what we've seen over the years, but the theme is that threat actors are always looking for different ways to leverage and apply additional pressure to victim organisations in their search for a ransom payment."

View from the negotiator: What kind of trouble could an organisation get into if they tried ransomware negotiation themselves?

"The threat actor could become annoyed and frustrated pretty quickly if a victim organisation attempted to negotiate without knowing the ins and outs of the preferred communication method. This could encourage the threat actor to launch subsequent attacks to name and shame their victim or release sensitive data if negotiations don't progress quickly enough.

Professional ransomware negotiators have a pre-planned negotiation strategy, which is agreed upon with the insured organisation and Breach Counsel for these types of incidents. This strategy will be executed in accordance with how specific incidents develop to ensure the best possible outcome can be found for the victim."

Leave ransomware negotiations to the professionals

Ransomware negotiation is a subtle and nuanced skill that requires a combination of experience, instinct, and industry knowledge. Organisations shouldn't be left with the burden of negotiating themselves, which is why we partner with experts to ensure support for a ransomware attack is on hand 24 hours a day, 7 days a week.

The threat from ransomware is set to continue, but we have the team to support our insured organisations if they're affected.