3 Key Takeaways About Ransomware Negotiation
- Before considering how to negotiate with ransomware hackers, clients should know basic statistics about their cases. You need to know this information in order to set the proper strategy for the overall recovery effort.
- While the average ransomware payment amount is around $80,000, this figure is skewed by a few ransomware types that are significantly more expensive than the others. The median ransom demand is closer to $10,000.
- Every organization, no matter how small or large, has to be buttoned up with several layers of protection to avoid the worst-case scenario with ransomware attacks. 100 percent prevention is not a realistic goal; what matters is how quickly you can recover.
These takeaways can help companies start the ransomware negotiation response process, but keep reading for more insight and tips with Mark and Bill.
Understanding Ransomware Negotiation
Given the prevalence and sophistication of ransomware—not to mention the financial stakes involved in these exploits—it’s no longer wise to leave delicate negotiations to internal staff. We spoke to Coveware CEO and cofounder Bill Siegel about the nuances involved in handling threat actors and why having data at the ready can better inform a company’s decision-making process when it comes to ransomware negotiation.
How Is Coveware Typically Brought Into a Ransomware Situation?
We are usually contacted through one of three channels:
1) Directly by the companies.
2) By insurance companies or law firms representing an end client.
3) By service providers such as forensics firms, incident response firms, or managed security service providers dealing with a case that involves an end client.
We try to balance these channels and still leave a bit of capacity to help small businesses. We do our best to take on at least one or two pro-bono cases each month, where the end client is a charity or religious organization.
What Are Some Issues That Might Arise, Either in Ransomware Negotiation or Payment?
There are an infinite number of permutations that a case could take that can lead to complications. Before considering how to negotiate with ransomware hackers, clients should know basic statistics about their cases, including the expected costs, case duration, likelihood of payment default, and decryption recovery rates. This data should be laid out and discussed with the client at the outset. This information is necessary in order to set the proper strategy for the overall recovery effort.
Our approach is, first and foremost, data-driven. Because we handle a high volume of cases every month, we are able to show our clients data from a sample set of prior cases involving the same type of ransomware and threat actor. This visualizes key aspects of the case, such as how much it will cost and how long it will take to resolve. Ransomware is very patterned, so once we see how a given type of ransomware is being used by a threat actor, we can generally provide a high-conviction path forward for the end client. Without this data, it would be akin to flying blind.
What’s the Largest Payment You’ve Ever Facilitated?
We don’t favor aggrandizing large ransomware negotiation payments. We are more proud of the negotiated discounts we are able to achieve for our clients and make these statistics available on our website, so the trend in each type of ransomware is pretty clear. We also don’t price our services off of the amount of the ransomware payment, as we don’t want to align the financial success of our company with higher ransom amounts. We aim to deliver value by minimizing both financial cost and downtime costs.
We can lower the aggregate risk of data loss in an incident by helping our clients make more informed, data-driven decisions and by negotiating firmly and efficiently on their behalf. The outcomes of those efforts are the statistics we are proud of advertising. When it comes to large payments, we are able to leverage a diverse set of cryptocurrency sources. We also have lending facilities in place so that clients in need of help on nights, weekends, and holidays are not bound by banking hours.
Do You See a Trend With Ransomware and Associated Demands for Bitcoins and Cryptocurrency Payment?
While the average ransomware payment amount is around $80,000, that figure is skewed by a few ransomware types (Ryuk in particular) that are significantly more expensive than the others. The median ransom demand is closer to $10,000. It really depends on the ransomware type and threat actor group. With Ryuk, for example, the demands have gone vertical. With Dharma, some variants have increased, while others have remained flat. With less prevalent types, the demands have been pretty stable.
Do the Threat Actors Typically Deliver on Their Promise to Provide the Decryption Key?
We see huge variations in default rates between ransomware types and threat actor groups. This puts a massive premium on leveraging our data. For example, there are certain threat actors within Dharma that have flawless track records of delivering working decryption tools and others that always default. If you can’t differentiate one from the other, you are taking huge risks with your company’s data and capital.
What Prevention or Mitigation Suggestions Do You Offer Your Clients?
We publish advice almost weekly on best practices to deal with this ever-changing threat. Every organization, no matter how small or large, has to be buttoned up with several layers of protection to avoid the worst-case scenario.
It’s also important to realize that 100 percent prevention is not a realistic goal. What matters is how quickly you can recover. The absolute musts from the outside in are:
- Regular security awareness training for employees.
- Solid AV and endpoint hardware and software.
- Least-privilege principles on administrative access; two-factor authentication (2FA) on administrative access to anything close to domain control and backup systems.
- Properly partitioned backup systems that are off the primary network.
How Do Your Analytical Services Help Clients?
We take all the lessons learned from our cases and try to give bespoke, pointed advice to help clients be proactive about avoiding emerging threats. Clients that wish to keep us on retainer are offered ongoing research, monitoring, and service level agreements for incident response planning should an issue arise.
Ransomware distributors use the same TTPs until those TTPs stop working. When we see a trend, we let everyone know. If you can stay just ahead of the common exploits, you can lower the odds of an attack.
The Importance of Having a Data Breach Response Plan
We want to thank Mr. Siegel and Coveware for sharing their insights into the ransomware negotiation process. Ransomware is increasingly driving cyber insurance claim payouts from the cyber risk insurance carriers we support.
To bolster what Bill mentioned, we’ve learned firsthand from these carriers and other data breach response plan experts, including Breach Coach® lawyers, that the extortion payouts have grown exponentially since 2018. They now cost several hundred thousand dollars and can be upwards of $1 million—and we expect the same trend moving forward. Having an actionable data breach crisis plan—one that your management team can access at a moment’s notice—is now a must-have standard of care.
Visit this page to learn more about Mark Greisiger.
To learn more about Bill Siegel and Coveware, visit their website at Coveware.com.