The Ransomware Negotiation Dilemma: The Pros And Cons Of Negotiation Strategies - Richard Foster

BSides Exeter, 42:22, published 2024-10

Fantastic. So, ransomware. We've all had the headlines: there's lots of different companies, corporates, small businesses, there's hospitals being attacked. You've seen the kind of misery that's caused by ransomware, but have you personally ever been a victim? You might have been involved in ransomware as part of your work, but have you ever been an actual victim? Probably not, I'm guessing. I might be wrong. I want you to imagine, just imagine there for a moment, that you are going to be a victim. You're a small business owner, okay? Just have this thought in your head, forget what you normally do: you're a small business owner now, and you're open for business. So what

kind of business have we got? You'll be glad to know, the eagle-eyed members of the audience, you're running a donut shop, a bakery, and you're creating wonderful sugary delights to be sent out across the internet, in the mail, and people come to your shop to buy them. So one morning you wake up, the alarm clock goes off and you're very sleepy, very tired, but you get out of bed and off you go and you have a shower, just like any other normal day. Get yourself dressed, go downstairs, put the kettle on, make yourself a nice cup of coffee. While you're having this coffee you are thinking about the day ahead, as you would in any other normal job. So you'd

be thinking about things like staffing, ordering, invoices to pay; it might be sorting out your kids as well, all that kind of other sort of bits and pieces for the day-to-day running of that business and how you're just going to manage the day ahead. So you think, fine. Do you then go and brush your teeth? Some of you may be thinking, what are you on about, Richard, you've missed out having a bit of breakfast. Well, quite frankly, if you own a donut shop do you really need breakfast? I don't know. So you check your phone, because just before getting ready to go out the door you check your phone. Your website's down. You're thinking, hmm,

something's not quite right here. So you go for your email. Again, nothing, doesn't seem to be working, there's something wrong, and you get that horrible gut feeling that today is going to be a really bad day. So what do you do? You go to your laptop. WTF, where's the Facebook? That's surely what it stands for. That is down: Facebook, your social media logins, you can't get in and you've just got this massive problem. So you try to log into the server to see what's going on and you're having no joy at all. Everything is gone. You are resilient, though, so what you do is you will go into work and you will open up that shop, you will open up

the bakery, you will get started, because you've got people who are relying on you: your members of staff, your customers, you've got suppliers coming in, you've still got to crack on. But you're trying to do this now manually, which is fine, because that's how you first started off, without the IT. So you start operating this business, and all of a sudden there are all these questions coming out here from members of staff who've turned up for work, or haven't even turned up for work, because they're saying, well, how am I meant to do my work? Somebody in accounts is saying, well, how do I do that? And you're trying to field these questions as well as trying to just do

your normal job. How long is this going to take till it's over? At the moment you don't even know properly what you're dealing with. What are we going to tell customers? Do we tell them we've had a cyber attack? Do we just tell them the IT's down? What do we tell suppliers? The same thing. We don't know, do we? Unless you've really thought about this beforehand, it's a very difficult one to sort of deal with there and then at the time and to make those right decisions. You'll have some members of staff who'll be really quite worried, because they'll be seeing these things on TV and they'll be thinking, how will I get

paid? Okay, so it's not just affecting you, it's affecting lots of different people. I would suggest, whatever size business you are working in, have a little think about these things. It doesn't have to be a full tabletop exercise, it just needs to be a little thought process and a little plan as to what you might do in those circumstances. But definitely what you will need to do is have a way of communicating that with, firstly, your customers and then with your staff and everybody else who is involved in that company. So you're trying to find out now what's going on. You find a ransom note: pay up or else. That ransom note you've found on the

server, and for those of you who've never been involved in a ransomware negotiation incident, often the threat actor will leave a text file somewhere on the system, or they'll email it to you, or they'll get it to you in some different way, but it's basically a text file which will tell you what has happened. I'll give you an example of what that looks like. This is the LockBit one, the most recent one that they did, and every ransomware group has different ransomware notes that they've created, and you can find lists of these on the internet. I just want to quickly kind of go through this and just explain little elements of it.

So the first part of it: they're real good at marketing, so 'LockBit 3.0, the world's fastest and most stable ransomware from 2019. Your data is stolen and encrypted.' Now, for a lot of people in this room, because you've got a real healthy interest in it, or unhealthy interest, you're not worried too much about that, but for most members of the public, most people who are just running organizations who aren't involved in this, they will have a sense of fear. They're thinking, oh my God, stolen, encrypted, what are we going to do? There's a whole list of browser links, which are how to get onto the dark web and where to go to find out more information about

this. And then what do they put in? They say 'we guarantee', sorry, what guarantee is there, 'we won't cheat you'. So they're introducing that fear again, that there's no other option other than pay the amount of money. There's a lot more blah blah blah; they go and have a look to see what Elon Musk is talking about in this particular one. They're just trying to convince you and give you social proof. But there's an interesting line here, it says, 'if you pay we will fulfill all the terms we agree on during the negotiation process'. So this really goes for all these threat actors: they're criminals, and generally speaking their main motivator is greed and money.

Sometimes it's not, but for the majority of the time it is, so therefore they recognize there might be a negotiation process, because they're going to come in really high. It's like buying a secondhand car: there's always going to be a sticker price on the window but you're not expected to pay that, the chances are there's going to be some form of negotiation, and exactly the same happens here. What else are they going to say? You need to go onto Tor, onto the dark web, and frankly people read about this, they hear about it on the TV and they think this is very scary, so they provide a nice helpful how-to guide: this is how you

go on Tor, how you access this, because they recognize that some of these people aren't that IT literate. Personal Tor chat link: it's been removed from here, but you'd be given a code of some description for when you go onto the site. The reason they do that is not really so it's your personal bit to get in there to be able to speak to them, it's so they know who to pass you on to. So in the affiliate scheme of ransomware negotiators they will have lots of different hackers working under the banner of, for example, LockBit, and then they need to know, when somebody contacts them on the website, who do we need to

send them to? They need to send them to that hacker who was dealing with that particular attack, and that's where that personal chat link comes in. So then you'll be sent on to them; you might deal with more than one person as well when you negotiate with them. You then have another little snippet of your personal ID, and they're warning you: don't mess with these files. They're instilling fear: there's going to be problems if you do. And 'do not contact the police or FBI for help, don't tell anyone that we attacked you'. So that sounds very similar to kidnaps. I previously spent nearly three decades in law enforcement in the

police, and we see this very often in coercive control within domestic incidents, we see it in abusive relationships, we see it in scenarios where you've got a sex offender, for example, and they'll isolate and silo the victim so they can't speak to anybody else, their friends, people who may rationally give them some good advice. So it's all about the fear. So, time to negotiate. What should you do first? Anyone, anyone from the audience, any ideas? Just throw something out there. Call the police? Excellent, a really good answer, yeah. I mean, call the police; don't stop a policeman walking on the street, because they will have no idea how to deal with this. Make sure you

actually phone the police. A lot of people might say panic, but you don't want to panic, and why is that? Because the threat actors are trying to hijack the part of your brain that is telling you to panic. They want you to make poor decisions, whereas what you need to do is take a step back, take five minutes and just chill out and relax. You've got a survival instinct built into you, and that survival instinct is to stop things like bears and that kind of thing, from a primitive perspective, being able to eat you. If you see a threat you have fight, flight or run away, or freeze; those are the three kind of

options that you've got, and that's what they're trying to trigger. You need to come back from that and say, right, rationally, what are we going to do? And whatever you do, like this chap, don't eat the donuts, because they're your profits. What I suggest you do, and I'm not saying you've got to do this, but I'm making a suggestion, is create a CMT. And I hear you say, what is a CMT, Richard? A crisis management team, for the purposes of dealing with this particular incident, and you're going to have different people, and it's going to be a relatively small team. Now, in a big corporate you might have legal departments, you might have media departments who are

going to be involved in this, you could have incident response teams coming in. But as a small business you might not have all those kind of things; it might be a couple of trusted people within your business you can pull together, maybe a trusted friend, you might have a lawyer, you might have an accountant who you might wish to call upon. You'll probably be asking for some sort of cyber help, so whoever the incident response team is that you may call upon; you might have to speak to your insurance company if you've got cyber insurance; you might contact the police, they might become part of this CMT. The big piece of advice for whatever

you do now as you move forward is keep some sort of policy log, some decision-making log. Just keep a record of what you are doing and the decisions you are making, and the time you make those decisions, and why you're doing it. Particularly for a large corporate environment, you might get asked lots of questions after the incident. It's all very well and good you dealing with it there and then, but afterwards you need to be able to deal with it and explain your decision-making processes. Plus it's a really good way, at the very end, to have a little wash-up and decide how that could have been dealt with better. So we need a plan. This crisis

management team, it's got to be flexible, because I'll guarantee whatever plan you come up with, it's going to change. You've got to be flexible. Decide what your objectives are. Now, everyone's going to be different. When I was in the police a lot of the objectives tended to be around gathering evidence, trying to identify people: can we get the evidence to lock them up? In a corporate environment it's not going to be that, it's going to be minimizing loss: how quickly can we get going again, how much money are we losing a day, all these other aspects. And then you've got legal ramifications and how you're going to manage those. You certainly want to plan to

increase the time for the demand and try and reduce the amount, reduce any media exposure. You need to start thinking about the incident response and what backups you may have. You may not have tested them, but you might want to have a crack at it and see what that capability is. The reason it's important, from a negotiation point of view, to know if your backups are working is because if they are, happy days, that's one element you don't have to worry about. Yeah, they may leak it out to the public on the dark web, but if you've got no backups and you've lost all your data, things could be a lot more serious for you, and

your risk appetite on how much money you may decide to pay is changeable. So, has anybody ever bought any cryptocurrency? Hands up. Yeah, about halfway. It's not as easy as it first seems, is it? It used to be really quite tricky; I got in a very long time ago. But it takes a long time, and there's a lot of processes, and it's a staged, incremental thing, particularly when buying large amounts of cryptocurrency. So if it's a big call involving lots of money, that becomes very tricky, so you want to think about these things early. Do so: plan for the best but prepare for the worst. So the next thing we need to

consider is to pay or not to pay, and the ethics of that. Hands up, who thinks we should pay some money to these people? One person, possibly two, three, I'm in. Who thinks we shouldn't pay? Yeah, that's more like it. So a lot of people say do not pay, whatever; it's a bit like the whole 'you're funding terrorism and crime'. So let's have a quick little look at the ethics. The more victims that pay, the more threat actors commit ransomware attacks. It's just self-perpetuating, isn't it, because they think, you've paid, well, we'll carry on hacking you and we'll hack other people, because we're going to get the money. You could be supporting crime

or terrorism; you'll definitely be doing crime, certainly, and possibly terrorism. You could make things worse, and what do I mean by that? How could this be any worse? Well, you could pay the money and not get anything back, because funnily enough these people are criminals and they're not always that trustworthy. They don't always hold their word; it's not a gentleman's handshake where they'll say yes, definitely. There are some who've recognized that by going against their word it looks bad for them from a publicity point of view, so a lot of them will go ahead and do what they say, but there are definitely scammers out there who will just seek to gain the money from you, or they'll lie and

they'll give you part of it because they haven't got everything. So on the ethical side of things, your company's been locked down and your business might fail. Remember, this is your small donut business; it might totally fail as a result of this, something you've worked on for maybe 10, 15 years. Your staff are all unemployed; they rely on these jobs to pay their mortgages, pay for food. You might lose the house due to secured loans against your business, and as a result of that, I know Mrs F will be very disappointed, having decorated the house, then for it to be repossessed on the back of this. So you can look at ethics both ways. I'm not going to suggest which way

you should definitely go. What I would say is yes to negotiate. A bit like the ransom, though, there's an expectation: they would expect you to negotiate. The key thing is, negotiating does not mean pay them. Negotiating means open up a dialogue, have a conversation with these people. It will give you time, and time is absolutely vital for the incident response teams to work in the background, for testing the backups; that could be critical in getting you back up and running. And by the time you know the state of play, in a couple of days' time or a week's time, that could be very different from when you first opened those messages. So definitely start that negotiation

process. You might also gather intelligence that could be totally vital post-incident, and what I mean by that is you might have evidence that could convict these people, even though you might not know it at the time. And you may well obtain a reduction in the demand; very often there is some form of reduction during these negotiations. So is it legal to negotiate? I think probably most people are aware that yes, it is legal to negotiate, but what you've just got to be a little careful with, on a legal perspective, is sanctions. There's lots of sanctions; they're listed on the .gov website as to countries that we can officially trade with and send money to, and in particular

individuals who are on sanctions lists who we're not allowed to do any sort of trade with or send money to in any shape or form; you will commit criminal offences. So you need to check those lists, and a lot of these threat actors are Russian, or they're coming from Ukraine, Russian-speaking languages, and you've just got to be very careful. However, a lot of the threat actors have recognized they're not going to get any money if they advertise the fact they are Russian, or coming from another state where there are sanctions against them, so a lot will avoid telling you they are Russian. So you won't necessarily know, but you've just got to keep that

decision log as to what research you've done, how you've decided, how you've come to that decision that you are going to make a payment, that you don't believe them to be on the sanctions list. You've got to consider money laundering, because this will be criminal proceeds and where money's going through various accounts; it shouldn't cause a massive issue. There's going to be regulatory reporting, as in financial services, but certainly if there's PII, personal identifiable information, that's been taken or leaked, or they're saying they've got it and they're going to leak it, there's going to be ICO reporting, possibly. So those are the sort of legal considerations that you just need to think about. So who should be the

negotiator? Are we thinking it should be someone in the media team, if you've got a media team, because they're very good at speaking to people, aren't they? Should it be sales, because again they're great at negotiating? Should it be the CEO, because they've set the company up and they can make fantastic decisions? Or should it even be the police, because, like we said, you might have called the police to start off with and they might be helping you on it? Well, if you are Chief Wiggum, he may state that your donut shop is critical national infrastructure and therefore you get the five-star service and they will help you out no end and throw everything at this. But the problem

with the police and all law enforcement is they've only got a finite amount of resources, and the chances are you may not get the assistance you're hoping for. Often people report to Action Fraud, which is where you first report these things to, and it might take weeks for you to get any sort of response, and in the meantime you've got to manage this, because of where your business will be by the time they get to deal with it. So we need to just have a little think. The key takeaway for this is: not the decision maker. Whoever is going to deal with this, you don't have the decision maker doing it, because you've got nowhere to go when there's a negotiation taking place. If

the threat actor is saying, well, I want you to send so much money, and as a decision maker you're saying, well, I can't do that, they say, well, yes you can, and you've got nowhere to turn to. It's easier to say, well, I'll put that to the board of directors, or I'll speak to the management, get them to make the decision, I'm not the decision maker. What's that giving you? Giving you time. You can build this time in; you don't have to say right at the start, I need more time. What we do need to do is select the right person for this. You could consider a professional, someone who's got experience, who's done it before, like

myself; a lot of incident response companies have got experienced people on their books who've been involved in ransomware negotiations. But they need to be someone who is calm, they can control their emotions, they're able to listen, they're used to dealing with a bit of conflict and don't get sort of flustered by that. They've also got to have some basic computer skills, things like going on Tor and recognizing what links are and how to navigate around that world, because you don't want someone who's going to make it worse by infecting other systems, giving away information that we don't want to give them. Someone who's confident and comfortable in dealing with criminals as well, because they can be very

intimidating. You might think, I've got this, no problems whatsoever, but when these people start speaking to you they're quite horrible, and they will want you to sell your grandma's house to get the money. They don't care; to them this is a job, they're trying to get their money. So this reminds me of being back at school: it's not you, it's me. So when girlfriends used to break up with you, before the days of Tinder and texting and ghosting, they used to come out with a line saying, it's not you, it's me, that's why we're breaking up. What I mean by this is you need to see it from the attacker's point of view. You need to park any egos you might have

and think of it from the point of view of the attacker. If you're going to do that negotiation element of it, you need to see it from their point of view, and it can be really difficult, because you'll be really angry and you'll be wanting to tell them how you're really feeling. But you need to hide that, you need to put that down, you need to see it from their point of view and let them be heard and let them be understood, and understand where they're coming from. The way I would describe it best is: you don't have to like what they're saying, you don't have to agree with them, you just have to have a little bit of empathy and see it

from their side of things. So what's the negotiator's pretext going to be? You need to think about: are you going to say you're an incident response company? Are you going to say you're the police? I'd probably say no to that one, that's probably a really bad idea. You might say you're the CEO, you might say you're Barry in sales, you might say you're Mary in the frosting department, whatever it might be. You just need to have a think about who you're going to be and how that's going to pan out as you go on with the negotiation. I'll give you a short demonstration in a second. So it's going to be your choice whatever you decide the profile

of this person is going to be who's doing the negotiating, because they may ask you questions like, what's your name, all those kind of things. Boy or girl, men or women, who's going to be better at negotiating? Hands up who thinks women are better negotiators. There's some very clever people in there who have put their hand up. Men, who's better at negotiating, men? No? Anyone sort of undecided on that one? I don't want to show that hand. Fair enough, that's right. Okay, well, I'll show you why. So on here, the bottom right-hand corner, you've got someone tapping around a keyboard. That's how you're going to do most of your negotiating, probably over the Tor web browser; that's generally

how it mostly works. Sometimes you might have a mobile app that you get sent to and some encrypted form of communication; it might be on the Tox protocol that a lot of these hackers are using, because they feel very safe and confident there. Or, quite frankly, you might be on the old email off to the inbox, and we've seen that on many occasions where they will just do this negotiation on email, believe it or not. But could you take a phone call? You're the negotiator now; could you take a phone call? It's going to be a little tricky if you've said you are Mary when really you are Barry, because as soon as they pick up

the phone and you start speaking, you've been caught out in a lie. All credibility of what you might have said before is lost. They're not going to believe you, they're not going to trust you, you're going to be at that top end of the scale of whatever the money is, and any time you've been able to gather has probably gone now. Be very careful of what you say if you're going to have a pretext as to how you're going to negotiate. So the tactics of making phone calls are being used to speed up the response and threaten victims. I've seen it on a couple of occasions where threat actors are phoning companies, often because they're hiding these little

text files within encrypted computers and people don't know where to find them, so they make a phone call and say, hmm, you having problems with your IT? You need to speak to us, you need to have a look here. And they're quite menacing and threatening. If you get one of them kind of calls, you need to start writing down: what was their accent, how did they speak, what time was the call, all those kind of things, because that's going to be part of your intelligence picture. It's also to try and bring that fear on, speed things up. So let's negotiate. Let's have a little look at a bit of negotiating, a bit good and bad, in this.

So we'll start off, hopefully this will work. 'Your systems are compromised. We've encrypted your data. The only way to recover it is to pay a ransom of 10 Bitcoins in 72 hours.' 10 Bitcoins, currently priced at about half a million. 'This is unacceptable. We will not negotiate with criminals.' Sounds a bit Karen, I would suggest; probably not the best way to go, you're not being very friendly there towards the hackers. 'We have your employees' personal information, customer data and financial records. If you don't pay we will leak this info in hours.' So again, very threatening; they're talking about having that PII. 'That's a bluff, you won't do that.' So now you're threatening the criminal,

you're saying you're not going to do that, goading them. Not a great start.

'So we've already privately shown you three test data files to prove our point. We are patient people, but time is running out.' So very often they will give you a sample of things that they've taken, just to prove a point. 'We need more time. It's the weekend and the banks are shut.' So you're asking for more time, but you're giving a good reason for it, because you say it's the weekend, never going to be able to get that sort of money moved around. There's loads of reasons why you might want to increase the time span. That's a good bit of negotiating. 'We can only allow you a maximum of five days. After that we'll publish your data and you will have to

pay data protection fines. You have until' blah blah blah. So they're giving you exact time spans, which is great. You've already got an extension of time; things are getting better already. You're starting to take a bit of control back, which is a lovely feeling when you're in this position. You're responding in a nice, pleasant way: 'thank you, the new date and time is noted, I will let the owners know'. So again you're saying you're not the decision

maker. 'So can you show us all the files you've stolen?' This is a very good technique, what we would call in law enforcement proof of life. If you have a kidnapping and you've got a hostage, you need to know that that hostage is still alive and is still worth going after. If they haven't got the data, or they've destroyed it already, what's the point? If it's been leaked, why are you paying for it? So on this occasion there's a private link that they've sent, which shows a file tree, which is perfect. So that's given us a really good example of all the data we've got. Then respond: 'thank you, that is very

helpful. I'll need some time to check the data.' Again we're doing that time thing, check the data. 'It is yours. We will not lie.' So again they're trying to give social proof as to why you should trust them, and there is an element of building trust on both sides as the negotiation continues. Then finally: 'we have a backup plan, we can restore our systems'. Probably not the best way to go; you're just sort of bragging, we're giving them information we don't need to give them. They're then saying, 'your backups are also encrypted, and if they weren't, rebuilding them will take weeks; by then the damage will be done', basically. So that's fair enough, but if they're saying 'even if your backups

aren't encrypted', that may suggest something that they don't really know, do they? So you need to kind of analyze everything that's been said, and words matter. Words really matter in these negotiations, and that's on both sides. Then there's a veiled threat from the negotiator: 'we will involve law enforcement', and to be fair most of these hackers don't care; they've put things in place to try and prevent being identified. So we'll quickly go through those key points: don't panic; create a CMT; negotiate doesn't mean pay them; who will negotiate; set your objectives; plan for what it looks like at its worst; legal: sanctions; you need to listen more than you chat; and be nice, even though inside you might

be really, really angry. Get help; you're not alone. So, last two slides here. Your help: police, your Regional Organised Crime Unit cyber teams, they may be able to assist you; National Crime Agency. I've put on there Action Fraud, because that's where you'll be making your first port of call, but just be aware this isn't going to be a quick call back saying we've got this, we're coming down to your business now. You might consider professional negotiators; incident response companies are able to help you, but they are going to cost money; cyber insurance companies, if you've got insurance, they may be able to assist. You've got nomoreransom.org, which is a site that you can go to which has decryption keys

on there. Again, you need someone with a little bit of technical knowledge to assist you with that, but that could be an option. And you've got the NCSC, who will be able to provide advice and help. I put this slide on here just very quickly, if people want to take a shot of that, or you can Google it: Financial Times ransomware negotiation, just type that into Google. When you come to this, basically it's a little game, and it's really good fun. If you want to have a go at being a ransomware negotiator, have a click of this and you can go through and practice. Really good fun, and you'll realize actually it's quite tricky;

even I found it tricky on this game. That's it, we're up for questions. So sorry if I've gone on, I think, five minutes too long, but we've still got time for questions, so hands up. Yes, a question. So, would you have your tech team do your negotiations with you? Really sorry, say that again? Have your tech team do the negotiations? Well, I personally wouldn't, but in a lot of companies the IT team kind of fall into the role of being the negotiator, because they can do the IT role. So for me personally I see it as there being two distinct roles there: this is a human element, and you're looking at emotions and psychology, and there's a lot of

other elements. I would suggest have someone who's probably better at the talking bit, but have someone from the IT team in your CMT to assist. So, with that in mind, just because someone could hack your system, does that make them the best negotiators on their part? So what I'm trying to say is, do the hackers pass you on to a negotiation or sales team in their department to get the best result? Because they might not be diverse, they might not be able to get past communication barriers, like understanding culture, from Russia, for example, to the UK. Would it be better to have the hackers pass it on to another service, like some external person who tries to... Is that a thing, or do hackers

do it directly with the team? Often it is just hackers who are negotiating with you. Some of the big players have recognized that they can get more money; things that I've identified in doing this is they will have cheat sheets, and they will send out nearly sort of sales literature to the hackers to say, if you get asked this question, this is a good way to deal with it, and they're going through check sheets. You might be starting to get somewhere and have built a rapport with someone, and then all of a sudden you get put onto a different hacker, and then you want to build up the rapport again, and you can tell, even though you're not talking to

them on the phone, just by the text that's going on, you know you're already speaking to someone different and you've got to build that rapport again. So it can be quite tricky, but very often that can be their downfall, that they're not geared for this: they're good at the hacking, not necessarily good at the negotiating. Any other questions? Yes. My best is just paying nothing, and I've had that on a number of occasions now where we've just not paid, for various reasons, but it's normally after a long, engaging negotiation with these people. I would typically aim for at least a reduction of half, but often it's sort of that 75% mark, but anything off that full-fat

figure is really what you're after. But you might find that you don't have to pay anything because of the way the negotiation's gone and what you find out during it. So any other questions? Yes, right at the back.

second

There is a number of sites that track the ransomware actors which I follow, and there will often be ransomware negotiation transcripts that sometimes get published by the hackers; that's become another method that they will do, and you can kind of track what initial amounts were and then what reduction amounts were. There isn't really anywhere that I've seen where people are saying this particular hacker group will definitely decrypt, but what you do find is it's very bad for business if they are just ripping people off, because people will talk. So from a business model, from the hacker perspective, it's really poor just to keep sort of knocking it on the head and saying we're just going to scam you and

take your money, because no one will end up paying them. The problem comes, and I think the reason there isn't the big intelligence picture, is because a lot of the hacking groups are using individuals who buy into an affiliate scheme and just use the banner of a hacking group, but they're acting independently in effect. So you might even have a scenario where negotiations have just totally broken down, because that rapport is not there in the slightest, and they've just decided we're not going to give them the encryption key, or decryption key. So to answer your question: no, there isn't, but there is some intelligence out there that you can gather, but it's not necessarily about who will give you

the decryption keys. Hope that answers your question. Okay, thank you very much.