In 2023, more than 2,200 networks across United States hospitals, schools and government organizations, as well as thousands of private businesses, were breached by cybercriminals. With another record-breaking year for ransomware and data extortion in the rearview mirror, organizations of all sizes are preparing for when they’ll need to make their big payout in 2024. But what if paying the ransom wasn’t the only way out?
There’s often room to negotiate with threat actors or, in some instances, the option not to pay the ransom at all. From a legal and ethical standpoint, not paying is the only option — law enforcement would support this approach. Unfortunately, a negative business outcome might outcompete ethics, especially for ill-prepared organizations. In fact, in many cases the right thing to do may cost much more than just paying the ransom.
As with any cybersecurity incident, preparation is key — ransomware is no exception. In fact, an ounce of prevention is worth a ton of cure.
Establish a ransomware incident response strategy
By now, we’re all familiar with the security cliche, “It’s not a matter of if you will be breached, it’s when.” Preparedness is critical in all facets of security, and ransomware is simply another operations disruptor. Treating ransomware as you would staff shortages or network disconnection, where plans are in place in case of worst-case scenario, is the only way to successfully handle these attacks.
That’s why it’s so important for organizations to not just wait for an attack to strike to decide whether or not to pay. A detailed playbook that explains step-by-step what to do and the players involved — including who is notified, who will inform the board, who will talk to press — needs to be written out, understood, and accessible to the team mitigating the problem.
This playbook should answer questions like:
- Does paying a ransom violate the company’s code of ethics or core values?
- Is it more beneficial for the business to pay, and how much is the right amount?
- Is it actually legal to pay the ransom?
As part of your incident response plan, get to know the regional law enforcement officers in your area. They can help prepare, and they prefer to meet you before that urgent “the house is on fire” call.
Understanding the ransomware blast radius, or the impact an attack will have on the organization, will be key in determining how to handle the situation. This is unique to every organization, but if a business is prepared and their data is backed up accordingly, there is absolutely no reason to pay. A disaster recovery and business continuity plan will not only make the negotiation more seamless but will keep your business afloat and moving forward.
Learn to navigate the nitty-gritty of negotiation
This next step may seem obvious, but there’s a good reason for it: Verify you were attacked. It’s not uncommon for threat actors to bluff, and being able to call them on it can be a complete game changer. Better yet, you can choose to completely ignore them and move on entirely.
If you were attacked and your files were encrypted, that’s when the real negotiation starts. The dynamics of how to approach the situation are very dependent on who is involved in your incident response strategy — representatives from the executive team, outside and internal legal counsel, a cyber insurer and communications teams. It’s best to avoid having company executives negotiate solo, and it’s also important to determine who will be handling efforts behind-the-scenes to keep the team aligned on the best course of action.
Negotiating can often be like a long match of tennis — volleying numbers back and forth before reaching an agreement. Here are a few things you need to determine:
- If any private or sensitive data has been compromised;
- Which cybergang is involved, if applicable;
- How the data will get back online after payment is resolved;
- If law enforcement (i.e. the FBI) has decryption keys available from previous attacks.
Understanding the attack and starting a dialogue with the threat actor will allow you to negotiate for a better deal or understand when a threat actor is exaggerating their power.
Be prepared for change; it’s inevitable
The evolution of software and rise of generative AI is positioning ransomware to be more sophisticated than ever. Large language models (LLMs) are even being poisoned so threat actors can turn an outside attack into an insider threat. And now, threat actors are using regulations against us, threatening to disclose attacks to the SEC if a ransom isn’t paid. Simultaneously, the FBI and CISA are working stringently to continue to update guidelines that will help disarm threat actors during a ransomware attack. The FBI has even recently encouraged victims to jot down the Bitcoin address attackers provide to pay the ransom to help track the cybergangs more effectively. Change in tactics, regulation and guidance will be a constant — and it’s up to organizations to best prepare for such change.
The key to a successful negotiation is to stick to your playbook. The strength of your negotiation and response strategy shouldn’t be dependent on the attack itself. The art of negotiation is timeless and adapts to the constant changes of the cybersecurity landscape. With time, we might see a world where non-payment is the only response, and ransomware becomes obsolete. Unfortunately, that’s not the case today, and every organization needs to be prepared for the day they may be forced to pay.