A recent presentation from Kaspersky APAC, “Ransomware groups negotiation tactics: what you need to know”, explained to webinar participants how the ransomware ecosystem looks and operates today, the tactics now in use, and the negotiation steps that tend to recur from one attack to the next.

That said, the Asia-Pacific regional division of the global cybersecurity and digital privacy company notes that each ransomware group operates differently when it comes to negotiations. “You have to stay aware of the negotiation tactics used by the ransomware gang groups. They’re not all the same,” says Marc Rivero, senior security researcher in Kaspersky’s Global Research and Analysis Team.

He also strongly advocates that companies run tabletop exercises before any attack, so they are better prepared to assess the situation and respond should the need arise. “The tabletop exercise will help the company to be even more mature and able to assess or reply effectively to all types of compromise, like a ransomware attack,” he says.

The ransomware ecosystem

In addition to the ransomware gangs themselves, several of which Rivero lists as being on the company’s radar at the moment, he says ransomware affiliates with different roles will often work for multiple groups at once. Some affiliates use common tooling to transmit the data they obtain to shared control servers. Rivero also describes how these tools work: they search for office, PDF and database files, then chunk or split the files for exfiltration, after which the pieces are reconstructed at their destination.
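The chunking behaviour described above, written out as an added example so the defensive side is visible as well. This is not code from Kaspersky or from the webinar: the target extensions, the fixed chunk size, the proxy log format and the sample log lines are all constructed for illustration. The first half shows what a fixed-size chunker does to a file and how the receiver reassembles and verifies it; the second half runs a simple heuristic over proxy logs that flags the trace such a tool leaves, namely many uploads of nearly identical size from one client to one destination.

```python
"""Added example: a fixed-size chunking exfiltration pipeline and a proxy-log
heuristic that spots it. Not from Kaspersky or the webinar; extensions, chunk
size, log format and sample lines are constructed for illustration."""
import hashlib
import re
from collections import defaultdict

# Assumed target set: the file types the talk says these tools look for
TARGET_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".sql", ".mdb", ".db"}
CHUNK_SIZE = 64 * 1024  # assumed fixed chunk size


def select_targets(paths):
    """Return the paths a collector would pick: office, PDF and database files."""
    return [p for p in paths if any(p.lower().endswith(e) for e in TARGET_EXTENSIONS)]


def chunk_file(name, data, chunk_size=CHUNK_SIZE):
    """Split data into numbered chunks, each carrying the whole-file digest so the
    receiver can reassemble out-of-order pieces and verify the result."""
    digest = hashlib.sha256(data).hexdigest()
    total = max(1, (len(data) + chunk_size - 1) // chunk_size)
    return [
        {"name": name, "digest": digest, "index": i, "total": total,
         "payload": data[i * chunk_size:(i + 1) * chunk_size]}
        for i in range(total)
    ]


def reassemble(chunks):
    """Rebuild a file from chunks in any order; reject incomplete or corrupted sets."""
    by_index = {c["index"]: c for c in chunks}
    total = chunks[0]["total"]
    if set(by_index) != set(range(total)):
        raise ValueError("missing chunks")
    data = b"".join(by_index[i]["payload"] for i in range(total))
    if hashlib.sha256(data).hexdigest() != chunks[0]["digest"]:
        raise ValueError("digest mismatch")
    return data


# Constructed log format: <timestamp> <client> <method> <destination host> <bytes sent>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def flag_chunked_uploads(log_lines, min_uploads=20, size_tolerance=0.02):
    """Flag (client, host) pairs with many uploads of nearly identical size:
    the pattern a fixed-size chunker leaves in proxy logs."""
    uploads = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] not in ("POST", "PUT"):
            continue
        uploads[(m["src"], m["host"])].append(int(m["bytes"]))
    flagged = []
    for (src, host), sizes in uploads.items():
        if len(sizes) < min_uploads:
            continue
        median = sorted(sizes)[len(sizes) // 2]
        close = sum(1 for s in sizes if abs(s - median) <= median * size_tolerance)
        if close / len(sizes) >= 0.9:
            flagged.append((src, host, len(sizes), median))
    return flagged


def sample_log():
    """Constructed proxy log: 30 near-identical POSTs from one client to one
    host (chunk payload plus a little request overhead), mixed with normal traffic."""
    lines = [f"2024-05-01T10:00:{i:02d}Z 10.0.0.5 POST 203.0.113.10 {CHUNK_SIZE + 160 + (i % 7)}"
             for i in range(30)]
    lines += [
        "2024-05-01T10:00:31Z 10.0.0.5 GET www.example.com 0",
        "2024-05-01T10:00:32Z 10.0.0.8 POST mail.example.com 2048",
        "2024-05-01T10:00:33Z 10.0.0.8 POST mail.example.com 913400",
    ]
    return lines


if __name__ == "__main__":
    doc = b"x" * (CHUNK_SIZE * 2 + 17)
    parts = chunk_file("q1-ledger.xlsx", doc)
    assert reassemble(list(reversed(parts))) == doc
    print(flag_chunked_uploads(sample_log()))
```

The heuristic is deliberately crude: it will also catch legitimate resumable uploaders and backup agents, so in practice the flagged destination is compared against an allow list of known upload endpoints before anyone is paged.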

Initial access broker teams are those that search for ways to exploit and compromise company systems, then sell that access to others who will spend the time to locate the data, steal it and encrypt it. “Those initial access broker teams are really specialized, really skilled and they know really well how to do what they do in terms of exploitation,” he says. “We can see how they are using zero days but also all exploits.”

He adds that it is incredibly important for companies to review their own attack surface and address every vulnerability they find, because attackers begin by mapping that same surface. “Basically, they will try to scan passively your infrastructure. We can do the same,” he points out.

Tactics: Ransom or destruction?

Ransomware operators, meanwhile, are not always rushing to encrypt data today; instead they work behind the scenes to exfiltrate as much of it as possible before making contact. “A new trendy thing that is being executed by some of the groups – they are not encrypting the data, only stealing the data because they know the company probably has a good backup structure or methodology,” Rivero says. That said, he adds that attackers know companies will be afraid of penalties related to the exfiltrated data. “That’s why they are putting a lot of effort to exfiltrate all the possible data that they can.”

Leaked credentials are also a problem, as are habits such as reusing the same credentials from one website to the next.

Finally, he says destructive ransomware, designed only to destroy data sources rather than hold them to ransom, is a relatively new approach. “Try to figure out which are the objectives behind the attack that you are suffering,” he suggests.

Negotiations

Rivero encourages companies to engage someone experienced in ransomware negotiations if they have not already done so. Although every negotiation is different, he says they typically break down into common steps. First, the ransomware organization identifies itself and establishes a means of communication.

“We will find a note on the desktop or C: drive that says ‘you are affected by ransomware by this ransomware family. These are the instructions to contact us,’” he says. Next, the company opens communications (important to do, he says), demands evidence that the attackers hold the data, and arrives at an agreement.

“It is important to open a communication channel with the attackers. If you don’t open any channel, it means you are not willing to speak with them. They may publish the data without saying anything else,” he says.

Although email is an older method of communication used by attackers, Rivero says a live chat function is more commonly offered today.

“It’s quite important that every time someone is opening a channel to discuss with those operators, it’s important that person is able to make decisions,” he says. “You have a short period of time to negotiate.” He also says an incompetent negotiator can prompt a ransomware group to publish the data in its possession. “It’s so important to take this part really seriously,” he says. “It’s also important to follow the rules (established by the ransomware groups responsible).”

During negotiations, he says, it is important to verify that the people you are negotiating with are actually the ones responsible for the attack, by asking them for a critical file. Rivero says it is better to select an important file rather than a random one.
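One way to make that verification step concrete, as an added example rather than anything presented in the webinar: pick the file to demand from a list of genuinely important paths, and compare what comes back against the hash of the last known-good copy held in the company’s own backups. The snapshot contents, paths and critical-file list below are constructed for illustration.

```python
"""Added example (not from Kaspersky or the webinar): choose the proof file to
demand during a ransomware negotiation and check the returned copy against a
backup hash. Paths and snapshot contents are constructed for illustration."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed backup snapshot: path -> sha256 of the last known-good version
BACKUP_SNAPSHOT = {
    "finance/2024-q1-ledger.xlsx": sha256_hex(b"constructed ledger contents"),
    "hr/payroll-master.db": sha256_hex(b"constructed payroll contents"),
    "marketing/brochure.pdf": sha256_hex(b"public brochure"),
}

# Files whose theft actually matters; ask for one of these, not a random file
CRITICAL_PATHS = ["hr/payroll-master.db", "finance/2024-q1-ledger.xlsx"]


def pick_proof_request(snapshot, critical_paths):
    """Choose the file to demand as evidence: the first critical path that also
    has a known-good hash, so the returned copy can actually be checked."""
    for path in critical_paths:
        if path in snapshot:
            return path
    raise LookupError("no critical file with a known-good hash to request")


def verify_proof(path, returned_bytes, snapshot):
    """Classify what the negotiators sent back.

    match        the copy is byte-identical to the last backup: they hold it
    mismatch     different version or fabricated content: not proof by itself
    unknown_path they substituted a file we cannot verify: ask again
    """
    expected = snapshot.get(path)
    if expected is None:
        return "unknown_path"
    if sha256_hex(returned_bytes) != expected:
        return "mismatch"
    return "match"


if __name__ == "__main__":
    wanted = pick_proof_request(BACKUP_SNAPSHOT, CRITICAL_PATHS)
    print(wanted, verify_proof(wanted, b"constructed payroll contents", BACKUP_SNAPSHOT))
```

A “mismatch” is not automatically a sign of an impostor: if the file changed between the last backup and the theft, the hashes will differ, so the comparison should use a snapshot taken as close as possible to the suspected exfiltration window, and the result is one input to the decision, not the whole of it.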

“It’s important to understand the negotiation like a business process,” he concludes. “What are the demands, how much can we negotiate, also know how to negotiate.”