
Frequently Asked Questions

Should I negotiate with ransomware threat actors?

It’s generally advised against negotiating with ransomware threat actors, as it can further incentivise criminal activity and there’s no guarantee that paying the ransom will result in data recovery. However, ransomware can place organisations in an impossible position, and negotiating can give some control back to the victim. We recommend negotiating with ransomware threat actors because the ransom demand should not be the only goal, and we can help advise on the risks and moral dilemmas when the only option appears to be payment.

Why should we not just negotiate with the threat actors ourselves?

You could negotiate yourselves. Attempting to negotiate directly with ransomware threat actors carries several significant downsides and risks:

  1. Exposing Vulnerabilities: Engaging with threat actors directly could expose your organisation’s vulnerabilities, potentially leading to further exploitation or attacks.

  2. Lack of Expertise: Negotiating with criminals requires specific expertise in handling such situations, including understanding encryption, legality, and cybersecurity protocols. Most organisations lack this expertise.

  3. Legal and Ethical Concerns: Direct negotiations may raise legal and ethical issues. Paying ransomware demands might violate regulations or support criminal activities, which can have legal repercussions.

  4. False Promises: There’s no guarantee that the threat actors will honour their promises even if a ransom is paid. They might provide faulty decryption tools or fail to provide the keys needed to restore data. Criminals will often lie and not honour a promise.

  5. Continued Targeting: Engaging with threat actors might mark your organisation as a potential target for future attacks, as they may view you as a reliable source for payment.

  6. Escalating Demands: Interacting with threat actors might lead to increased ransom demands if a positive rapport is not maintained, prolonging the negotiation process and potentially escalating the situation.

  7. Law Enforcement Involvement: Negotiating directly might complicate law enforcement involvement and hinder efforts to track and apprehend the criminals involved. We have direct contacts within law enforcement if required.

  8. Exposing Networks: Engaging with threat actors directly could expose your organisation’s computer and network vulnerabilities, as the threat actor may try to further exploit the computer being used for the negotiation.

Given these risks, it’s generally recommended to involve law enforcement, legal experts, and cybersecurity professionals to handle ransomware incidents rather than attempting direct negotiation.

What are the risks of negotiating with ransomware threat actors?

Negotiating with threat actors can result in funding illegal activities, no assurance of data recovery, potential repeat attacks, and may expose sensitive information. The threat actors have also turned to disclosing negotiation chat logs online, so it is important to really consider what is written and the implications for your organisation if made public.

Are there alternatives to paying the ransom?

Yes, exploring data recovery options, restoring from backups, consulting cybersecurity professionals, and using decryption tools can be viable alternatives.

What precautions should I take before negotiating (if necessary)?

Consult legal and cybersecurity experts, assess the impact and value of the encrypted data, isolate affected systems, and ensure all possible recovery avenues are explored before negotiation. The negotiator needs to have a standard operating procedure and appropriate equipment to prevent any further compromise.

How do I communicate with ransomware threat actors?

It’s strongly advised to engage law enforcement, dedicated ransomware negotiators such as Brainstorm Security Ltd, and cybersecurity experts for any communication with threat actors. Communication is normally not face to face; it normally takes place over email, instant messaging apps, private live chat websites created by the threat actors on the dark web and accessed via Tor, and on occasion via voice calls. The communication is often encrypted. Without training for these situations, it is easy to be pressured into making decisions quickly. Direct communication can be risky and may lead to further compromise.

Is it legal to pay ransomware demands?

The legality of paying ransomware demands varies by region, country and the specific situation. ‘Negotiating’ is normally legal and very different from making payments, which could breach laws, sanctions, regulations and policies. Consult legal experts to understand the legal implications before making any payments.

How can I prevent ransomware attacks in the future?

Regularly update software, use robust antivirus/anti-malware programs, conduct employee training on cybersecurity best practices, implement strong access controls, and maintain secure backups.

Should I report a ransomware attack to authorities?

Yes, reporting ransomware attacks to law enforcement is important. They can provide guidance, track threat actor activity, and contribute to overall cybersecurity efforts. You may also need to report the incident for compliance and insurance reasons. The case of the LockBit ransomware gang being taken down by the NCA and FBI under Operation Cronos in February 2024 (https://www.brainstormsecurity.com/blog/lockbit-ransomware-operations-seized-in-operation-cronos-what-you-need-to-know/) shows how important reporting can be in building a larger intelligence picture for law enforcement to act on, and in enabling them to assist victims with decryption keys and the tracing of Bitcoin and other cryptocurrency payments.

Don’t the police or authorities negotiate with the threat actors?

Maybe. Reporting ransomware attacks to law enforcement is important, but they have limited resources and may not be in a position to help your organisation in the short term.

Are ransomware attacks increasing?

Our experience is that yes, they are increasing. The Ransomware Trends Report 2023 (https://www.veeam.com/ransomware-trends-report-2023), which surveyed 1,200 companies in multiple countries, stated that ransomware attacks increased in 2023 by more than twelve percent over the previous year (2022), when 76% of organisations reported at least one attack. That’s more than twice the global rate of inflation.

How many cyber insurance companies paid the ransom in 2023?

Accurate data can be difficult to obtain, but according to the report, 41% had a “Do not Pay” policy. However, of those organisations questioned that had suffered a ransomware attack, 80% had paid the ransom. It’s challenging to provide an exact number of companies that pay ransomware demands, as this information is not always publicly disclosed or easily tracked. Many organisations choose not to disclose such payments due to legal, reputational, or ethical concerns. Additionally, reporting practices vary across regions and industries. However, it’s known that some companies do opt to pay the ransom to regain access to their data or systems, despite the associated risks and recommendations against doing so. The exact percentage or number remains largely unknown due to the clandestine nature of these transactions.

Does paying the ransom work?

Paying the ransom doesn’t guarantee that you get your data back, or that the threat actor will not release your data to others. 1 in 4 organisations pay the ransom and never get their data back. This could be due to various reasons, such as mishandled negotiations, difficulty with decryption keys, or threat actors providing faulty decryption tools. For example, threat actors are often not honest about what data was actually stolen. At the time of writing, our own experience at Brainstorm Security has shown a 100% success rate from negotiation in reducing or removing the demand and in increasing the time available.

Do you guarantee a reduction in the demand?

No. When dealing with criminals and other threat actors, nothing can be guaranteed. We do however currently have a 100% success rate in reducing the demand, or the client not making payment at all.

Why don’t you offer pricing terms based on a percentage of the total ransom demand reduction, like other ransomware negotiators?

We offer a simple fixed day rate for our services (plus any expenses as required), which is the most ethical way of charging for this type of service. This prevents any possibility of a threat actor working with a negotiator (under duress or not) to extort money from clients. We will always be working to secure the best deal for your organisation.

What’s the average impact of an attack?

IT leaders say that 45% of their production data was affected in an attack, which means that 2 out of 5 pieces of data your company relies on were affected, including:

  • DATABASES
  • SENSITIVE FILES
  • EMAIL ACCOUNTS
  • CLIENT DATA
  • SUPPLIER DATA
  • PII (Personally Identifiable Information)

all of which are lost in the average attack.

Am I safe from ransomware if I have a backup?

It will really help if your data is backed up. However, over 93% of ransomware attacks explicitly target backups, and 3 in 4 backup repositories are affected in a ransomware attack. Many threat actors recognise that backups will stop payment, so they have changed tactics, including ‘double extortion’: stealing data prior to encryption so that they can ensure payment by threatening to release it publicly or to competitors, damaging trust and reputation, embarrassing the company, and exposing it to the large fines regulators impose for loss of PII (Personally Identifiable Information), to name just some of the pressures.

How quickly do organisations recover from a ransomware attack?

The average time-to-recovery after a ransomware attack was 3.4 weeks. That means the average attack causes 136 business hours of downtime. This time can vary widely depending on the incident and the network. For example, a case study (https://www.local.gov.uk/case-studies/gloucester-city-council-managing-cyber-attack) of a ransomware attack on Gloucester City Council (UK) shows that recovery from the incident took 2 years!

During testing, will you remove items from our facility?

Do not worry: we would take nothing from your premises without your consent. We work with you before any testing takes place to iron out potential problems before they occur. After listening to any of your concerns, we will suggest the best course of action for your test and provide a written scope of work that all parties will sign before the testing takes place. During some previous physical penetration tests we have conducted, we have taken items of uniform, electronic devices, keys and ID badges to assist the penetration tester. This helps us to report fully to the client and explain how these items, if not protected, can be used against you. Another example is dumpster diving (checking the bins): are staff throwing information into a shared waste bin? That can be a huge security risk if paperwork from the office is being thrown into general waste, and we then find that people’s sticky notes are being thrown away too. Maybe a password sheet is trashed without being shredded? We even consider used printer ribbons and the data they may hold. Of course, any items removed are all returned at the end of the penetration test.

Do your staff have a DBS check?

At Brainstorm Security Ltd, we make it policy that all employees also have a current basic DBS check and certificate when working with customers on site or carrying out physical penetration testing or training sessions. This is over and above the rigorous background and vetting checks we do with all employees, to ensure our customers can feel confident and secure when allowing us to enhance their security.

Are you a member of any trade associations?

As the founder of Brainstorm Security Ltd, providing front line security consulting, testing and training, I am proud and honoured to be a member of the International Professional Security Association (IPSA). The IPSA logo isn’t just a hallmark of distinction that ensures your security credentials stand out from your peers; the Association also offers real benefits which ensure you have the tools to stay ahead in the competitive security industry. IPSA membership is the symbol of quality and professionalism in the security industry.

Why do you not list your prices for negotiation services, assessments or training?

Physical Penetration Tests

All of our assessments and training are done on a bespoke basis. We will always have a consultation with the client to discuss how best we can serve you. We will then formulate the best training package or physical penetration / social engineering assessment for you. We then price this according to the amount of work required and the number of staff needed, and set it all out in a detailed proposal, so you, the customer, have a clear understanding of how much any work will cost BEFORE you commit. Brainstorm Security aims to provide value for money and an excellent ROI (Return on Investment) to all its customers.

Ransomware Negotiation Pricing

All our negotiation services are priced on a simple day rate. Are we expensive? Yes, but we have decades of experience and aim to provide a service to individuals, companies and organisations that saves substantial amounts of money. You only ever pay for the time we have worked on the incident, and all pricing is agreed before any work commences. We always keep the client up to date on hours worked with regular updates.

Do you provide your negotiation services on retainer?

Yes we do. Please get in touch to discuss your needs.