Dancing with the Devil -- Ransomware Negotiations
- Published: Tuesday, Nov. 30, 2021
Your important files are encrypted. Many of your documents, photos, databases and other files are no longer accessible because they have been encrypted.
A document appears on your desktop. Upon further reading you discover that you are a victim of ransomware. The note will declare that your files cannot be recovered unless you pay a ransom to obtain a decryption key. The ransom demand is normally accompanied by a countdown clock, which sets a time limit for responding to the attacker. If time runs out, either the payment amount will be increased or the files will be permanently lost.
This is bad enough, but let's pretend that you did not follow security best practices to defend against this attack. As a result, the attack has spread to multiple endpoints, wiped out your backups and left you facing days upon days of recovery. After examining the extent of the damage, along with the cost and time of recovering and returning to business as usual, your organization has decided to pay the ransom. There are certain tactics that work when negotiating the terms and the cost.
- First, there is a way to make the most of the countdown clock. If you discover you are a victim by the telltale signs of encrypted files and unresponsive systems, you can begin some forensics without opening the ransom note. Once the ransom note is opened, the countdown begins.
- Research the hacker group responsible for this attack. You may learn how they have negotiated with past victims.
- Remember that this is a business transaction. Treat the crook like a business entity and enter into respectful discussions.
- Bargaining points include requesting more time, offering to pay in installments, and convincing the criminal that you cannot pay the full amount.
- After an agreement has been made, request that a test file be decrypted to ensure they are able to provide this service. Ask for proof that the stolen files have been deleted. Ask the villain how they performed this attack.
Hopefully you will never have to face this scenario. Follow best practices to prevent the possibility of victimization.