How to negotiate with hackers
“Your network has been penetrated,” begins the text file. The message is a ransom note — but instead of requesting cash for the safe return of a loved one, it asks for digital funds for the release of data belonging to a US manufacturer.
The company is one of many to be affected by ransomware — where hackers disable a victim’s files or systems and will only release the decryption key once a ransom is paid. The hackers of the manufacturing company sign off their note: “No system is safe.”
They may be right. The rise of ransomware has been driven by businesses’ growing dependence on technology and data, as well as the development of anonymous digital currencies that allow criminals to move funds without being traced. So what should a company do if they are hacked?
Hackers are holding your data to ransom. What next?
Companies must act quickly to determine the possible damage. There are different types of ransomware — some more devastating than others — and the ransoms demanded range from the low hundreds of dollars to the millions. The most damaging tend to be the new strains that also infect entire systems, including back-up data.
Experts say companies should assess whether it is possible to mitigate the problem without having to pay hackers. For example, can the issue be solved by restoring data from a back-up source? Can security experts “hack back” or attempt to decrypt the data?
The decision of whether to pay a ransom — which the FBI advises against — will include assessing the financial costs of not paying up, and the risk that after paying, the company’s data are not returned.
“Paying the extortion is always a last resort. But sometimes they have an existential decision — do they pay that or do they cease to exist?” says Joshua Motta, co-founder and chief executive of Coalition, a cyber insurance group whose clients include estate agents, dentists and local governments.
Mr Motta says his company handles half a dozen extortion cases for his clients each week, with 80 per cent opting to negotiate with hackers, 10 per cent restoring their latest back-up and 10 per cent abandoning the data.
Companies with expertise in responding to such crises can be hired after a ransom is demanded, or be kept on a retainer and be ready to act in the event of an attack.
“Calling in professionals is always a good idea if the organisation can’t restore the systems themselves or doesn’t have an existing plan in place for dealing with ransomware,” says Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks’ Unit 42.
Involving law enforcement early is another option, but the consequences of opening the incident to a potentially public audience must be weighed against the resources and expertise they can provide.
How do negotiations play out?
Typically via email, with the hackers using untraceable accounts.
Experts say that companies should ask the hackers for a digital equivalent of a “proof of life”, similar to where kidnappers provide a photo of a victim holding a dated newspaper. In the case of ransomware, this would mean having attackers allow the company to decrypt a portion of the files taken hostage.
“Demand that they, as a gesture of good faith, prove to you they can decrypt a file or machine,” says Richard Henderson, head of global threat intelligence at Lastline, a cyber security group.
“If they refuse, it very well could mean that they are unable to do so. There have been many cases where an attacker was outright lying to an organisation . . . they [had] just wiped all [the data] and tried to convince the victim they could get [it] back,” he adds.
When it comes to the style of negotiation, third-party experts may be able to spot actors that they have encountered before and know whether they are easy to negotiate with.
“Playing hardball can backfire,” notes Mr Motta. He recommends instead “using time as a wedge” — for example, saying you could pay the full ransom only if given a lot of time — but that you could pay a portion of the ransom if they wanted something immediately.
“The criminal would much rather get something than nothing . . . they are attacking people at scale,” he says.
What does the ransom handover look like?
Not as dramatic as in heist movies. Payment largely takes place by sending virtual currency to an anonymous digital wallet, although experts also note instances of difficult-to-trace methods such as gift cards.
Most companies do not hold cryptocurrency on their balance sheet, so they may wish to build up a fund in case of an emergency, or get a third party to do so.
How can you prevent it from happening again?
The first step for thwarting potential attacks is to patch the company’s software — in other words, ensure it is upgraded with the latest fixes.
Another is to back up company files and to keep them far away from existing data. “Have a complete back-up program that is physically and logically separated from the network, and tested frequently,” says Jerry Bessette, head of Booz Allen’s US commercial incident response team.
Companies may also want to create a doomsday scenario, and conduct regular stress tests to ensure that it works.
“Ideally, before any ransomware event happens, an organisation would invest in building a major incident response plan with clearly defined roles and responsibilities aligned to different scenarios,” says Rob Robinson, global head of security at Telstra Purple, a consultancy.