Your organization has just been hit by a ransomware attack. What do you do? Assuming you decide to pay the ransom (a choice that, at least in the Americas, remains a legal gray area), it’s likely that you’ll call a ransomware negotiator.
As with hostage situations, ransomware attacks can become a delicate and dangerous dance for the parties involved. Attackers want to get paid as handsomely and as quickly as possible, while victims would rather get the situation over with promptly and at the lowest possible cost.
Negotiators like Maxwell Bevilacqua, Chief Negotiating Officer at Mindful Negotiating, know this and develop strategies that allow companies that have been hit by a cyber attack to disengage from their attackers while paying as small a ransom as possible.
In this Q&A session, Mr. Bevilacqua shared with NSAM some of these strategies, as well as the ins and outs of ransomware negotiations in general, providing an insightful view into the state of mind of both targeted companies and threat actors who have succeeded in breaching an organization’s cyber defenses.
NSAM: According to your LinkedIn profile, you “demystify” negotiations. What does that mean?
Maxwell Bevilacqua: I think “negotiation” is a word that complicates more than it clarifies; it’s not a helpful word. I try to take the fields of economics, game theory, psychology and international relations and, to some extent, bring them down to their simpler concepts, which have a lot to do with being human and existing in the world.
My definition of negotiation is people pursuing their interests, what they want. This becomes complicated because people don’t always know what their motivations are, and we have mixed motivations also. Negotiations happen inside of us.
I see the world as the product of ongoing negotiations. Everything that happens, explicitly or implicitly, is a negotiated outcome. My theory is: if we can do better about being more mindful of the ways we’re negotiating, in terms of finding value instead of destroying it, then we can all be better off.
NSAM: When it comes to ransomware negotiations, where is the convergence point between threat actors and the targeted companies?
Maxwell Bevilacqua: It’s super difficult, and complicated ethically and legally. It’s fair to say that even paying the ransom is a big ethical and legal question, because you don’t know who you’re financing.
Not only is it a tense relationship, it is also difficult because there’s no human exchange. We don’t see the people, we don’t hear the tone of voice; in fact, we might be communicating in a language that isn’t our first language. The fact that we’re negotiating via text or online restricts the ability to foster trust, which is something a negotiator aims for. You don’t talk someone out of a situation; you listen them out of it.
In this scenario [a ransomware attack], the threat actor doesn’t want to share anything. It’s a pure threat. And sometimes, they will frame what’s happening in different ways. Some terror actors might say something like “If you want a company back, pay us by this time or else”. It is more likely, though, that they’ll make it sound like a business proposition. It often takes this tone of phony professionalism.
What brings people to the table is opportunity for a threat actor to get money and, depending on how afraid the victim organization is or how bad the compromised data is, they want their systems back online; or maybe they don’t want certain data out there; or they don’t want to trigger legal or financial consequences. To some extent, especially if personal data has been compromised, and depending on which country the company is sitting in, they could be on the hook for even more than what they’re paying to the threat actor.
There’s a range of reactions. From a victim saying “Fuck ‘em. I don’t care” to “OMG. This is the end of the world. We should reach out.”
NSAM: Is there an expected reaction depending on the size of the company and the industry they’re involved in?
Maxwell Bevilacqua: From my perspective, it is much more about the leadership team.
I remember this one guy from an Italian AI company. They were hit and he was very calm, collected; they were able to rebuild their systems. I think that when there’s a company where you’re the founder, that would change things dramatically.
I would attribute the differences in reactions more to the differences in people’s upbringings and reactions to stress than to the size of their company.
NSAM: Take us through the process of ransomware negotiations. A company’s been hit; they contact your firm. What follows?
Maxwell Bevilacqua: The first thing is that we hope that there hasn’t been other correspondence; meaning that they have not reached out to the threat actor and started negotiating. We’ve heard stories of people panicking and saying they’ll give them any amount of money.
Step one, really, is to take a deep breath. We try to get on the phone with the company’s leadership team as quickly as possible; say something to the effect of “Sorry for meeting you under these circumstances. We’re going to try to take away as much of the pain as possible.”
The idea is, especially with a larger scale negotiation, that you can’t win. You win by not getting into them. Once your data is compromised, and if you really need it or not having business continuity is going to cause great losses, you’re in a difficult position. I see it as being on the ground, getting beaten up and looking for ways to cover your head and survive, as opposed to winning.
After that, we want to have a sense of what it costs this particular company per day to not have their data. Do they need it? What was actually taken? Can they rebuild any of their systems? If we know that the company needs the data and is willing to pay for it, then we need to speed things up; get the crypto ready. If the company wants to buy time, because there’s a chance of rebuilding, then we’re going to buy time.
The good news is that, whether you want to speed things up or buy time, your behavior is going to look similar: you will ask basic questions. There’s a standard set of norms now of what you’re entitled to when you get hacked, in terms of asking for a detailed security report, asking for a file tree. Like with a kidnapping, you ask for a proof of life; in this case, you ask for what they say they have.
Another important thing is asking if the threat actors know who they hit. They’re probably looking at ZoomInfo for total income revenue. That’s probably the information they’re anchored to, so you’re trying to make sure that the people you’re communicating with are actually the people you should be communicating with.
What follows depends on how the threat actor initiates. Often they’ll start with a demand. They might start with a special price, a 20% off or something, as an attempt to stop negotiations. We call this “positional haggling”, where we’re doing this dance in which the threat actors hope to meet us somewhere in the middle, where we’re trying to anchor each other.
The first thing that we usually try to do, before putting numbers out there, is to very politely disappoint them. Tell them how smart they are, how impressive what they’ve done is and say “I know that you think the company makes US$100 million in income. I want to let you know that that’s not our liquidity. The number that we have is closer to X.” What we do from our end is try to work backwards and ask the company how much is this actually worth to them and let them know that we’ll try to save them as much money as possible.
That’s why working with a cybersecurity firm is important. You need to make sure of the extent of the damage, because you’re also negotiating the value of what that data is worth. Maybe the attackers have 100 GB worth of data, but it’s mostly someone’s family vacation photos. But if it’s personally identifiable information that you’re legally bound to protect, that’s different. Also, you don’t know the amount of access they have. Maybe they were able to stay within your system.
There’s this irony that the more well known the threat actor is, the more likely it is that they will comply and delete your files [once paid], because they have a reputation in the marketplace. If you pay and they don’t deliver, word gets out. If they hit you, why even work with them?
NSAM: Who participates directly in the negotiations? Is company leadership involved or at least present?
Maxwell Bevilacqua: In my experience, the thing that’s going to vary the most is company leadership. Is it C-suite? Is there board involvement? Do they have someone from legal? Roughly speaking, in an ideal world, you would have their CEO or their President and someone that can play a CFO role. You also want legal there, in some capacity. Depending on the size or sophistication of the organization, you have a larger or smaller group [present in the call].
That’s the first thing negotiators manage: getting everyone together on the same side of the table. The first negotiation is: who will we need on the call?
When I’ve been on calls, you have one or two people from leadership. Then you have someone from the cybersecurity firm handling the actual testing of the decryption tool, and if there’s data transfers or a crypto exchange, they’re the ones actually clicking the buttons. I’m on that call with the cybersecurity firm and the victim, setting the tone and the pace, identifying strategy.
Generally, we also set expectations. This is an ethically gray area, I suppose. We don’t tell companies what to do; we tell them what we would do. They ultimately have the decision. They can veto anything.
NSAM: Does volatility in the crypto market affect the nature of ransomware transactions?
Maxwell Bevilacqua: It could be a feature. Threat actors will not want to give any information; certainly not a bank account. And even receiving payments in bitcoin opens them up to a certain level of traceability. That’s why some threat actors prefer monero, because it is virtually untraceable.
Knowing this, certain threat actors will attach premiums. If you pay with monero, it’s US$500,000. If you pay in bitcoin, it’s US$750,000 because they would be giving more information. If it’s directly to a bank account, then it’s a million.
There are these differences in how crypto is handled because, at the table, the FBI is often called. The FBI would prefer that you not pay, or that if you do, you use something more traceable. But if you’re the business owner, why would you pay US$250,000 more just so the US government gets more information? The FBI argues that, with more traceability, there’s a higher chance of recouping those funds, which can be the case. It’s a gamble all around.
If you don’t identify currency upfront, you’ll probably have a fight over which one will be used, depending on if the valuation was higher or lower at the time. Upfront, if you think you need to pay, or even if you’re buying time, you want to negotiate a number plus currency.
Currency value adds to the dynamic too. Negotiations often take days, if not weeks, so prices are going to fluctuate.
Generally speaking, threat actors are trying to get as much [money] as they can as quickly as possible. So, your basic response as a company is presenting yourself as the lowest value possible, as being a really difficult victim to work with, from which they won’t be getting a lot even with all the energy spent. That’s what we try to convey.
NSAM: That sounds like a poker game.
Maxwell Bevilacqua: For sure. There’s some extent of wondering how likely is the other person to walk to their alternative; how likely are threat actors to sell my data; how likely is it that they’ll double the ransom if I don’t pay by this time. And they’re probably evaluating how likely it is that you’ll actually walk away and not pay anything. There’s some element of playing chicken, of wondering about bluffs. What’s difficult about that type of negotiation is that people often bluff, and it’s not advised. Maybe you say “This is my last, last, last offer”, but you just said that two rounds ago. You’ve communicated that you shouldn’t be trusted, that there is more money. It can be more like a poker game.
In my perfect world, I try to frame it as something else, which is: here is the situation we’re both in. We’re not super happy about it. It would be worth this much for us to get out of here, and then try to sit on the same side of the table. But if I were a business owner, I wouldn’t be excited about that strategy. You want to figure out how to beat them and get the money back.
You also wonder how to involve law enforcement. In the case of US companies, they have to wonder if law enforcement has to be involved; I don’t think you have to report it, which is a problem relative to the EU.
And if you take a step even further back, there’s the idea that the marketplace of cybersecurity and cyber insurance is all kinds of fucked, because it lends itself to people paying. If you’re paying for cyber insurance, my understanding is that you’re going to pay [ransom]; that’s what you’re paying a premium for.
At the table, with the threat actor, it’s a checkers game. But it has to be a game of chess beyond it.
NSAM: Most cybersecurity certifications and government agencies do not recommend ransomware payments. What’s your take on those “best practices”?
Maxwell Bevilacqua: I’m not a lawyer or legal expert. I would look at OFAC. You want to be careful about transferring money to an entity that would get you in legal trouble. I think the intention behind those laws is good, because I’m in favor of not funding terrorism.
The open question is: you’re a small business owner, and your company’s been hit. And you won’t survive if you don’t get your systems back online. Do you pay? The answer depends on where you sit.
If I’m sitting with the victim, I struggle to blame anyone for trying to survive. From my perspective, there needs to be private-public cooperation. But the public sector has, by and large, said “Don’t pay them” without a real solution. When you think of people’s motivations in a negotiation, survival is a very real one. There has to be some way of dealing with that.
My perspective as a negotiator is: can I make this situation better? I’m against payments. I don’t want that money to go to a threat actor, and in that way we’re aligned with the victim, who would prefer to pay less.
It’s an imperfect thing. It’s shitty that it happens. But if you’re that business owner, or a part of that team, you want someone to make it less terrible rather than handling it on your own.