Winning the Mind Game: The Role of the Ransomware Negotiator – The Hacker News

Get exclusive insights from a real ransomware negotiator who shares authentic stories from network hostage situations and how he managed them.

Ransomware is an industry. As such, it has its own business logic: organizations pay money, in cryptocurrency, to regain control over their systems and data.

This industry's landscape is made up of approximately 10-20 core threat actors who originally developed the ransomware malware. To distribute it, they work with affiliates and distributors who use widespread phishing attacks to breach organizations. Profits are split, with approximately 70% allocated to the affiliates and 10%-30% to the developers. The reliance on phishing renders online-based industries, like gaming, finance and insurance, especially vulnerable.

In addition to its financial motivations, the ransomware industry is also influenced by geopolitics. For example, in June 2021, following the ransomware attacks on the Colonial Pipeline and JBS, the Biden administration announced that ransomware was a threat to national security. The administration then listed critical infrastructures that were "off limits" to attackers.

Following these steps, a number of threat actors decided to change course, declaring they would not attack essential and fundamental organizations like hospitals, power plants and educational institutions. A few months later, the FBI reported they had attacked prominent ransomware group REvil:

The attack garnered a response from the Conti group, which reflected their ideological motives:

Managing a ransomware event is similar to managing a hostage situation. Therefore, to prepare for a ransomware incident, it is recommended for organizations to employ a similar crisis management structure. This structure is based on the following functions:

According to Etay Maor, Senior Director Security Strategy at Cato Networks, "We're seeing more and more companies offering bundles of these ransomware services. However, it is recommended to separate these roles to ensure the most professional response."

Professional negotiation is the act of taking advantage of the professional communication with the hacker in various extortion situations. The role comprises four key elements:

In 90% of cases, the attack is financially motivated. If it is politically motivated, the information may not be recovered, even after paying the ransom.

For example, by finding out what the local time is for the attacker, the negotiator can identify where they came from. This can be used for improving negotiation terms, like leveraging public holidays to ask for a discount.

For example, one company was able to buy 13 days through negotiations, allowing them to recover their information and forgo paying the ransom altogether.

Etay Maor comments, "Ransomware is not an IT issue, it's a business issue." The decision whether to pay or not is a business decision, influenced by many factors. While the official FBI policy is not to pay, they enable companies to do so, if the CEO decides.

For example, in one case an online gaming company was losing more money than the ransom request every hour their operations were down, influencing their decision to pay the ransom as quickly as possible while minimizing negotiation time. US lawmakers have not banned ransomware payment either. This shows how complicated the issue is.

Ransomware is becoming more prominent, but organizations can protect against it. Ransomware relies on phishing attacks and unpatched services. Therefore, it is recommended that CEOs meet their IT team regularly to ensure software and infrastructure are patched and up-to-date and that all important information is backed up. This will significantly reduce the chance of ransomware being able to exploit vulnerabilities and penetrate systems.

To learn more about ransomware attacks and how they are managed in real-time, watch the entire masterclass here.
