“When some sort of attack has occurred, a request is transmitted – and this is invariably done through a web hosting discussion board where the threat actor puts their requests and there is a clock that keeps you going. shows how much time you have left to deal with it, “he said.” Sometimes they create emails, but [whichever format] that they use, we communicate with them through that.
âThere’s a misunderstanding about the word ‘negotiations’ though, because everyone thinks you’re negotiating the price and we’re only here to get the lowest price. In fact, it is far from that. We engage with attackers to get as much information as possible to enable the client to do an enhanced risk assessment.
Read more: What is really fueling cybercrime?
STORM strives to encourage customers, where possible, to engage with attackers to obtain this information and thereby increase the quality of their threat assessment. True ransom negotiations are usually in the late stages of any engagement, he said, and STORM is actively working to examine all available options, rather than just paying the demands. By engaging with attackers, he can gain valuable information, for example, which group the attackers are related to, the geographic location they may be based in, and the likelihood that they will abide by the terms of any agreement.
âThe natural thing is that it gives us time, because time always flies,â he said. âSo while we engage, we can negotiate deadlines through natural conversation. And, the negative side of that is that if you don’t engage, you really don’t know what the real threat is and you miss the opportunity to gain intelligence. You also don’t know what attackers are likely to do, when they’re likely to do it, or if they’ve done something like this before – that’s what we’re finding out.
Shah encourages clients to engage in these conversations when appropriate, and he noted that it tends to be appropriate in the majority of cases. Exceptions include the rare occasion when a customer is convinced that the threat they face is minimal and that business continuity is within reach within days. Getting involved doesn’t mean the ransom will be paid, he said, and for a multitude of reasons, the preferred option is always not to pay.
Of course, he said, if a client thinks this is the right course of action for them, then the team will work with that and try to help them pay as little as possible, but it’s very rare. Back then it was with STORM, for example, far less than 1% of the ransoms for cyber attacks were paid, and when they are, it’s at the customer’s request.
Read more: Pen Underwriting Cyber ââManager Explains How To Tackle Ransomware Scourge
Having your business held to ransom in this way is incredibly stressful for the business involved, he said, whether you are a giant institution or a small family business. And there is real complexity to negotiating a cyber ransom; from reading the profile of the threatening actor, to prolonging conversations as long as possible, to discerning the right course of action.
Given this complexity, Shah’s warning to companies looking to engage with a cyberspace negotiator is to pay close attention to the people you hire and their experience in the market.
“What I see [in this market] there are a lot of people who are only trained in the area of ââlow-level suicide intervention, who go into the private sector and sell their skills as a negotiator for much more complex things, âhe said. he declares. âAnd they are not at all properly trained and certainly not experienced enough to handle complex negotiations. And it’s not just in ransomware, I see it in the world of kidnappings and extortion as well. Therefore, [my advice] is that this space is quite small, so it is important to select a suitably trained and experienced negotiator.