SECO-Institute webinar write up – May 20, 2020
Criminals are known to never waste a good crisis, and COVID-19 has proven to be no exception. COVID-19 has also made organizations more conscious about losing access to their systems and more motivated to pay the ransom, especially those that are at the frontline of containing the virus.
But even so, what happens when you decide to pay the ransom? How do you get your data back, while dealing with unethical, unpredictable and maybe even uncapable opponents? Can you just assume that (even if they wanted to) they’re able to decrypt your files without destroying it?
A unique perspective on ransomware actors with 2 professional hostage negotiators
Many crisis management situations do not only require high-pressure analyses and decision making but solid communication – and (in worst case scenario) negotiation skills. Sue Williams and Jacob van ‘t Slot, 2 expert hostage negotiators, discuss how negotiation tactics can help organisations mitigate the consequences of a ransomware attack, and what factors to consider when negotiating with adversaries. They position negotiation in the context of Crisis Management and evaluate the differences and similarities of cyber extortion cases and situations where lives are at stake.
Both Jacob and Sue are experienced negotiators operating sometimes in the real-, sometimes in the virtual- but always in the shady world and with a lot at stake. Sue was in charge of the Kidnap and the Hostage Crisis Negotiation Units at Scotland Yard, and advised the UK government on cases of kidnap and abduction. She teaches hostage negotiation tactics at Harvard University, and is still active as a kidnap response and cyber extortion consultant. Jacob has a background in psychology, security and crisis management, and has worked as a kidnap response consultant at the Netherlands Ministry of Security and Justice. Jacob lectures at the Harvard Humanitarian Academy, and develops the SECO-Institute’s crisis management education program.
This write up guides you through the process of a ransomware attack, and how to prepare and conduct cyber negotiations with your opponents. It also highlights the differences and similarities between real life hostage situations versus cyber extortion cases, the role of cyber insurance, and the do’s and don’ts while negotiating with your opponents.
- Receiving the Ransom Note
In a way, ransomware is similar to kidnapping. Once the malware is installed, the organisation receives a ransom note, usually in the form of a message on the computer screen with the ransom amount and a countdown clock.
According to Sue and Jacob, the attacker’s contact details can be considered as an indicator of the attacker’s willingness to negotiate. If the attacker has provided contact details, there may be a chance to engage in a conversation and negotiate a longer deadline or a lower ransom amount, thereby mitigating the damage.
- Assessing the Threat
“The first step is to verify whether you’re facing a launched attack or the threat of an attack. Second, you need to assess how real the threat is” – says Sue Williams.
Your negotiating position may be stronger or weaker depending on whether you’re facing an actual attack or “only” the threat of a potential attack. Whatever the attacker threatens to do (lock down systems, publish sensitive data, etc.), you first need to assess the credibility of the threat.
Before you engage in negotiations, you need to know for sure the attacker is really willing and capable to carry out the threat. After all, there’s also the possibility that you’re dealing with a simple joke. Engage competent technical experts who can assess whether the attacker can actually carry out the threat. Very specific to ransomware attacks you’ll also have to make an assessment on the capabilities of the attacker to decrypt your files without destroying it.
- Assessing Potential Impact
After assessing the credibility and the seriousness of the threat, you also need to assess what impact carrying out the threat would have on your organisation.
“At this point, it’s crucial that you don’t treat the situation as an IT problem” – Sue explains. “You’ll need to make important strategic decisions – the best decisions possible to protect your business, your reputation, and possibly other individuals or organisations. You may rely on your IT, especially your Incident Management Team, to assist with technical issues. But this is a strategic matter. Involve your Crisis Management Team to collect and analyse the information you need to make proper strategic decisions.”
Crisis management professionals are trained in collecting, filtering and synthesising information to enable the best possible decision-making, taking all risks and potential consequences into account. They often possess information the IT teams doesn’t, for example whether you have cyber insurance and whether your insurance will cover the ransom demand.
“You may be tempted to just ignore the threat, but never do that blatantly” – Sue adds. Never ignore a threat without conducting proper risk and impact assessments. You need time to identify and contact the (in-house or external) experts who can help you solve the problem. You need time to figure out if you have backups you can use or if you can work on other systems while the threat lasts. Time alone may not solve your problem, but it gives you a chance to estimate the value of the data or the systems concerned and the potential consequences of the attack. You’ll need all this information to negotiate successfully.
- Deciding on Internal and External Communication Lines
When you’re hit by ransomware, you don’t just need to think about negotiating with the attacker. You also have to decide whom you will inform about the attack, when, how, and how much information you will share. Your Crisis Management Team’s experience in internal and external crisis communications can be of great help here, as your business continuity and reputation are at stake.
“A very important question is whether you should notify the authorities of the threat” – Sue points out. “If there is any indication that the threat is terrorism-related, you must notify the authorities. Paying ransom to a terrorist organisation is considered terrorism-funding, which is a serious crime.”
When considering whether you should notify the authorities, you should think about what is at stake and what the authorities may be able to do for you. In this context, you should not only consider how the attack affects you, but also potential impact on other parties, including individuals and other institutions.
Sue and Jacob advise that communication towards employees about a cyber attack should be limited to the minimum.
- Forming Your Negotiation Strategy
You have listed your knows and identified the unknowns regarding the credibility and seriousness of the threat, the potential impact on you and others, and other factors such as who else needs to be notified of the event, what expertise (i.a. IT, crisis management and insurance experts) you have in house, and who you can engage for external professional support if needed.
Sue and Jacob strongly advise you to consider the following questions before engaging in negotiations:
- Is the ransom demand realistic? Here, you should consider not only the amount but also the required payment method. For example, can you pay in bitcoins if the attacker demands the ransom in cryptocurrency?
- What is the goal in your negotiations? To be a successful negotiator, you must establish what you want to achieve through negotiating. Do you want to buy time? Or do you want to lower the ransom?
Aim to buy time
Sue shares an example of a case where the negotiator successfully played time until the victim organisation’s IT department managed to solve the problem: “A large international company received a ransom note on a Thursday morning. (Interestingly, most ransom notes are received towards the end of the week. Sue indicated that this may be because the organization may be understaffed and unable to involve external experts over the weekend) The hackers threatened a denial of service attack, which would have resulted in severe business disruption. Technical teams worked day and night to find a solution, while crisis management professionals engaged in direct negotiations with the attackers. The negotiators’ goal was to talk to the attackers as long as possible. They made promises about the money being wired and used all their skills to keep the attackers there, buying time for IT to do their job. Finally, IT found a way to bypass the threat. Negotiations were broken off, and no ransom was paid.”
The example illustrates the value of gaining time, as well as the power of cooperation between crisis management and IT experts.
Honey trapped – Solve the issue quietly
Another example shared was that of a senior executive from a multinational whom was ‘honey trapped’ and blackmailed with compromising videos. In these situations, the involvement of a large group of experts within and outside the organization is not necessary nor desirable. Establishing proof of the threat and adversaries’ capabilities on the other hand is much easier to establish when compared to a ransomware attack or cyber threat. They either have the video, or they don’t. In this particular situation, Sue acted as an employee of the company and negotiated directly with the criminals. In the end, the ransom was paid and the executive was sent to early retirement.
- Negotiating: Cyber Extortion – versus traditional hostage situations, Do’s and Don’ts
When dealing with cyber cases, Sue takes into account the main differences and similarities between a cyber case and a “traditional” hostage case:
Differences between a cyber case and a traditional hostage case
- Lives are not at stake. In a traditional hostage situation, people’s lives are threatened. Although cyber cases may have a significant impact on individuals’ lives, they don’t typically involve direct threats to individuals’ physical well-being.
- Less emotional burden makes it easier to play for time. In cyber cases, you don’t face the possibility of individuals being tortured, and you don’t have the difficulty of dealing with the victim’s family. Less emotion puts you in a stronger position and makes it easier to stretch out negotiations.
- You don’t know what you’re dealing with. One thing that makes cyber cases difficult is that the negotiator is less informed of the criminal’s identity and the circumstances of the crime. You don’t know where the attack originates, or what the jurisdiction is. Attackers often use Google Translate to mask their identity. In traditional crime, the authorities apply the “follow the money” principle to track down criminals. With cryptocurrency, this becomes much harder.
- You don’t know when it’s over. As opposed to a traditional hostage case, a cyber case doesn’t have a clear end point. You can’t know for sure that your files will be decrypted after you’ve paid the ransom. What is more, you don’t know whether the attacker has installed a backdoor that will allow them to come back and exploit your systems again.
- You rely on IT experts instead of go-betweens. In a traditional hostage case, you rely on the assistance of go-betweens. In a cyber case, you’re completely dependent on IT specialists. Technical expertise is key, as is the negotiator’s ability to work together with those who possess it.
- Unique motivational factors on the criminal’s part. Most cyber criminals have the same motivation as other criminals: financial gain, political interests, or ideological goals. But some cyber criminals are driven by curiosity, and are in it only for the game.
Similarities between a cyber case and a traditional hostage case
- Just like traditional hostage cases, cyber cases demand critical decision-making. Although cyber cases don’t represent direct threats to individuals, the stakes at play can be quite high. Both situations require the ability to make strategic decisions under great pressure, being aware of the potential consequences. You need professionals who are competent to do this and are aware of the difficulties they will face in their role.
- Be aware of media influence. Before 24/7 news and social media, negotiations were not influenced by external parties and opinions. Today, whatever happens, the whole world knows about it. Media can cause distraction and pressure and, if not handled correctly, may have a negative influence on any type of negotiation.
Dos and don’ts in ransomware negotiations
- Ask for “proof of life”. In hostage situations, it’s common practice to demand “proof of life”, i.e. evidence indicating that the victim is alive. Sue and Jacob emphasised the importance of following the same practice when it comes to cyber attacks. For example, ask the attacker to decrypt a few files to prove they can actually restore your data or systems if the ransom is paid.
- Make sure you’re not dealing with terrorists. Sue reiterated the importance of practicing due diligence to exclude the possibility that you’re negotiating with a terrorist: “In cyber cases, you don’t know if you’re dealing with a mentally disturbed person, a former employee driven by personal vengeance, a criminal or a terrorist. Listen carefully to what the attacker has to say and how they say it, and analyse the information. Don’t forget that terrorism-funding is a serious crime and companies can be prosecuted for wiring money to terrorists.”
- Don’t offend the attacker. Whatever your goal is (to buy time or to lower the ransom), you need to make sure you can engage in a conversation with the attacker. Approach the attacker with respect and keep a professional tone.
- Never mention that you have cyber insurance that covers cyber extortion. If you have cyber insurance, you should keep it a secret at all times. Your ability to pay up easily may encourage attackers to ask for more money or to repeat the attack. Insurance policies will actually have that as a hard condition in their terms of agreement.
- To pay or not to pay? Many advocate against paying ransom, mainly because attackers can’t be trusted to hold themselves to their word. It’s also often pointed out that paying ransom encourages criminals to launch more attacks. On the other hand, risking sensitive data or major business disruption is often not an option for the victim. Sue and Jacob advise to be realistic and focus on negotiating whenever you can.
- Key Takeaways
- Be prepared will in advance of an attack: Don’t treat this as an IT Problem. Acknowledge the difference between an Incident and a Crisis. Prepare and exercise a crisis management plan well in advance of an incident. Formulate emergency shutdown procedures and instructions for employee communication, ‘out-of-band’ communications (voice systems may be down during a cyber- attack)
- Invest in your Crisis Management Teams to deal with these responses. They should be the experts in dealing with high-stake situations, making strategic decisions under pressure, and communicating tactfully. Make sure that you can engage risk assessment and communication experts who can help you make the best possible decision based on the best possible information
- Make sure that you also have the required external resources at your disposal: Most incidents will occur right before the weekend. We can not prove it, but we think that attackers are deliberately targeting these days because they’re still able to connect with their victims but it will be difficult for the organization to mobilize external resources over the weekend.
- Require ‘Proof of Life’ in the broadest sense of the definition: Are they able to execute the cyber- attack they are threating with? And in case of a ransomware attack: Are they able to actually decrypt your files, even if they decide to do so? There are a lot of poorly designed ransomware products on the market that can actually destroy your data. As a negotiator, ask them to decrypt a test file.
- Define clear objectives for your negotiation strategy: Are you buying time while the IT Department is solving the issue? Are you aiming to mitigate the damage, to lower the ransom?
- Make sure that you’re not dealing with terrorists: In that case, paying ransomware is a crime.
- Always try to negotiate, but do take into account legal or other factors render negotiation impossible. Take note of the Do’s and Don’ts in negotiations highlighted in the previous section.
- Don’t threat a ransomware attack like a traditional kidnapping: If it’s your loved one who’s been kidnapped, they’ll want to deal with you, directly. In a kidnapping case, you would be the only ‘buyer’ in the market for the hostage, giving you some leverage. With ransomware, attackers may have hundreds of scams running simultaneously. They don’t have to harbour or feed the hostage and could easily swift to a new attack model, victims and also decryption keys!
- Don’t offend the attacker: There should be some level of mutual trust between you and the attacker to get the best possible outcome. Take a ‘we’ approach with the attacker, as you both may have a different objective but a mutual interest of a good outcome. Threat it like a normal business deal: Don’t let your emotions get the best of you, keep a professional tone and make sure that you don’t make promises that you can’t keep. There’s examples out there where the attackers got furious and published all data because promises were not kept or agreed deadlines not met.
- Cyber Insuranceis not your get out of jail free card: Many organizations will just presume that their insurance will cover the damages. Sometimes even in real live hostage situations, which can sometimes be heart-breaking. But also in cyber- extortion cases, organizations must look beyond just the bottom line, and factor in their obligations towards and potential impact on employees, stakeholders and sometimes even society.
- Never mention that you have cyber insurance: It could make you an attractive victim and most policies will not pay out if it turns out that you have done so.
- Use lessons learnt during a crisis to improve your overall security posture
Want to learn more?
Resources for Negotiation techniques:
1 DAY Workshop for Crisis Management Teams
SECO – Institute has developed 2 workshops where we dive deeper into these topics, and really start working on testing and sharpening your skillset; both individually as well as a team. As a general rule we offer these workshops In Company only and preferably to multidisciplinary Crisis Management Teams. In some cases we allow participants from different companies to attend, with some restrictions towards the target audiences. For more information you can contact us