The key differentiator between physical and cyber extortion is that with the latter the hostage is data or a system rather than a human being.
It follows that the relationship between the extortionist and the victim is entirely different. It is often dangerous to over-simplify, but effectively, whilst both are criminal, the ransomware extortionist’s approach tends to be purely transactional: ‘give me money and I’ll give you a decryption key’. The kidnapper’s tends to be along the lines of ‘give me money or I’ll kill…’: still transactional, but with a radically more affecting lever.
Perhaps because it glamorises what we do in the eyes of Hollywood producers and the uninformed, we over-use the word "negotiation" in the Response world. The reality is that when a life is at stake few, if any, of us would ever choose to walk away (which is a valid option in a traditional commercial or bazaar negotiation).
In physical extortion, acting under extreme duress, victims are engaged in coercive bargaining in order to save a life. So, once dialogue with a kidnapper is chosen as the response option, the victim has already decided that a concession of some kind will be made. The ensuing "negotiation" is simply designed to limit the rate of collapse and the financial cost of that concession. Can the same approach be adopted in relation to a cyber/ransomware extortion?
The critical issue when responding to a ransomware extortion is likely to be an assessment of the financial (including operational, legal and reputational) consequences of not paying, balanced against the risk that, having paid, the data is still not unlocked, is only partially recovered, or is leaked anyway. Essential also to decision-making at this juncture is knowing what "Plan B" is: i.e. what are we going to do if we pay something and don’t get our data back?
There are some useful response weapons available to a victim who, whilst unable to control events, can set some conditions and define some parameters. At worst, choosing to enter a dialogue with an extortionist allows you to take control of the associated business decision of how much, if anything, to pay.
Some tools and techniques to consider include:
- Resist: Resistance to extortion is, morally, the right thing to do. It is also a natural impulse, so most extortionists expect it and expect to have to apply pressure, set deadlines and vary the demand up or down accordingly. Resistance sends a clear signal that you are not a "soft touch" and may help mitigate the risk of being targeted in the future.
- Be prepared to walk away: Make sure you know, before the dialogue starts, the financial trigger which will cause you to walk away from the negotiation, and make sure the people with authority to approve a payment have agreed it.
- Make it human: Speak to the extortionist (via your incident responders) if possible and treat them as a human being not as an invisible and sinister bot. People can hide behind email and tend to be braver than they would be in conversation (like all internet trolls). After all, in many cases they are likely to know more about hacking than they are about coercive bargaining! A conversation allows you to use an empathetic approach, potentially to your advantage.
- Demand proof: Demand "Proof of Data" as a pre-condition to any payment (akin to Proof of Life in a traditional kidnap). ‘Prove you actually have this data; prove it can be successfully decrypted; and prove you won’t come back for a second dip’. In practice this means sending a handful of encrypted files that you choose, of different types and sizes (never the ones the extortionist offers), and checking the returned copies against hashes taken from backups, or at the very least against the expected file structure, before any money moves. For stolen data, ask for specific records only you could have selected rather than the generic sample they volunteer.
- Use time: Use a combination of scarcity of resource and time to your advantage: e.g. ‘USD 1 million in Monero is going to take me a very long time to source; however, I can pay USD 15,000 today’.
- Don’t go it alone: Finally, don’t enter a cyber-negotiation on your own. Ensure an experienced incident responder is part of your response team. They will have dealt with many more cases of this kind than you and will be able to leverage that experience to your advantage by overseeing a structured negotiation, while your legal advisers confirm that a payment to this particular actor is lawful at all.
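The "Proof of Data" check described in the list above, as an added example that is not from the original article: a small Python routine a response team can run over the sample files an extortionist decrypts. It assumes the victim can recover SHA-256 hashes of the original files from backups or an earlier file inventory (the strong check); where no hash exists it falls back to a weak file-type sanity check and says so, because a file with the right header can still be garbage after the header. The file-type table, file names and byte strings below are constructed for the example.

```python
import hashlib
import secrets

# Leading bytes of a few common file types. Constructed table for this
# example; extend it with whatever your estate actually holds.
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",
    "docx": b"PK\x03\x04",
}

STRONG_OK = "matches backup hash"
WEAK_OK = "plausible structure only (weak check)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def choose_samples(encrypted_names, k=5):
    """The victim picks the test files at random. Never let the extortionist
    choose: they will pick the ones they know decrypt cleanly."""
    names = list(encrypted_names)
    picked = []
    while names and len(picked) < k:
        picked.append(names.pop(secrets.randbelow(len(names))))
    return picked


def verify_sample(name: str, decrypted: bytes, expected_sha256=None):
    """Return (ok, reason) for one file the extortionist handed back.

    Strong check: the bytes hash to the value recorded from backups.
    Weak check (no hash available): the file at least starts like its type.
    """
    if expected_sha256 is not None:
        if sha256_hex(decrypted) == expected_sha256.lower():
            return True, STRONG_OK
        return False, "hash mismatch"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magic = MAGIC.get(ext)
    if magic is None:
        return False, "no reference hash and unknown type"
    if not decrypted.startswith(magic):
        return False, "bad magic"
    return True, WEAK_OK


def evaluate_proof(samples):
    """samples: iterable of (name, decrypted_bytes, expected_sha256_or_None).

    Returns (report, all_ok, strong) where `strong` is True only when every
    sample was confirmed against a backup hash. Anything less than strong
    should be reported to the decision-makers as exactly that.
    """
    report = {name: verify_sample(name, data, h) for name, data, h in samples}
    all_ok = all(ok for ok, _ in report.values())
    strong = all_ok and all(reason == STRONG_OK for _, reason in report.values())
    return report, all_ok, strong


if __name__ == "__main__":
    # Constructed demo: one file with a backup hash, one with only a type
    # check, one that came back corrupted.
    invoice = b"%PDF-1.4\n%constructed sample\n%%EOF\n"
    demo = [
        ("invoice.pdf", invoice, sha256_hex(invoice)),
        ("photo.png", MAGIC["png"] + b"\x00" * 16, None),
        ("payroll.docx", b"\x00\xff garbage", None),
    ]
    report, all_ok, strong = evaluate_proof(demo)
    for name, (ok, reason) in report.items():
        print(f"{name:14} {'OK ' if ok else 'FAIL'} {reason}")
    print("all_ok:", all_ok, "strong:", strong)
```

The point of returning `strong` separately is that a responder who only had magic-byte checks available has not actually proved the data is recoverable, and the business decision should be taken knowing that.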
There can be no "one size fits all" approach when it comes to negotiating with a threat actor, and this holds true for all extortions. To ensure your negotiation strategy is suitable for the threat at hand, a full threat and risk assessment should be conducted at the start of such cases. As part of this, all options open to both the extortionist and the victim should be considered. These might range from ignoring the attack, to negotiating with a view to reaching an agreement, all the way to negotiating with a view to delaying and entrapping the threat actor with the police involved. Ultimately, the decision is for the victim to make, guided by the experience and recommendations of the incident responders.