As hackers have grown more sophisticated over the last decade, ransomware has emerged as their preferred attack vector. Ransomware is one of the most efficient ways for them to extort massive amounts of money in a short period of time.
This trend has been recognized globally, demonstrating a profound increase in sophisticated ransomware incidents focused on targets in critical infrastructure organizations, according to the Cybersecurity & Infrastructure Security Agency in a joint cybersecurity advisory with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Australian Cyber Security Centre (ACSC), and the United Kingdom's National Cyber Security Centre (NCSC-UK).1
Ransomware continues to ravage the bottom lines of the hacker's victims, as well as cyber insurance carriers. By threatening to publicize their victims' most sensitive data if their demands are not met, ransomware attacks often lead to victims paying six-to-seven figure extortion payments. Hackers may even reach out directly to individuals whose data is held hostage, such as the organization's key clients or employees.
But extortion payments represent just part of the financial losses. Downtime costs, which may include lost business and extra expenses, can dwarf the extortion payments.
The role of the ransomware negotiator
One of the most critical steps an organization can take to mitigate the financial and reputational harm that almost always follows a ransomware attack is to have a strategy in place before an attack occurs.
The first step is to assemble an internal incident response team, comprising cross-functional roles that span many departments, including risk management, IT, legal, operations, communications, compliance and the C-suite. This team should align with key external breach response vendors, often provided through a cyber insurance policy via a pre-approved panel. They can include breach coaches, IT forensics investigators, credit monitoring firms, call centers and the all-important ransomware negotiator.
Ransom negotiators may be employed by IT forensics investigation firms, but sometimes operate as independent vendors. They play key roles in ransomware response, including:
- Collecting and analyzing cyber threat intelligence
- Analyzing the blockchain of transactions associated with hackers' digital wallets
- Reverse engineering and analyzing ransomware strains and exploitation tool kits
- Documenting for Office of Foreign Assets Control (OFAC) compliance reports
- Collaborating with law enforcement
- Opening communication with a hacker
- Negotiating reductions in ransom demands
- Providing immediate access to cryptocurrency
- Facilitating payment to hackers
Arete, a leading IT forensics investigation and ransomware negotiation firm, has investigated and negotiated over 2,500 ransomware attacks. It found that a wide variety of industry sectors have negotiated and paid ransoms, with payments ranging from $130,000 to $2,600,000.