Hackers have struck. Your vital data’s been encrypted, and your business has lurched to a standstill. All you have is a text file ransom note left by the criminals, and a whole lot of questions.
But you’ve got a playbook and you know that if things are serious – and they are – you’ve been okayed by the board to enter into negotiations with the hackers. You need to get systems up and running again and protect vital customer data – paying the ransom is worth the risk.
Or perhaps you don’t have a playbook, and you’re making this up as you go along. Speaking to Cyber Daily earlier in the year, Simon Hodgkinson, a strategic advisor with cyber security firm Semperis, said that many companies are simply not prepared.
“In some cases, they’d never had that conversation. Of course, nobody wants to pay a ransom because the money is going to fund more and more criminal activity,” Hodgkinson said.
“But the reality is, if their business was down for a week or a month or what have you; would that change your decision making and maybe negotiate with the actors?”
But what if you don’t have the money being demanded? What can you expect from cyber-criminals that, by definition, cannot be trusted? Will they lower their ransom demands?
Sure, the prevailing wisdom is that paying a ransom not only gives more resources to the hackers to continue to develop their payloads and skills, but also encourages the practice more generally. A ransom payment might also be illegal; not in and of itself – though in some jurisdictions it already is – but because you are sending money to individuals who may be in a country currently under sanctions that restrict the transfer of funds to any sanctioned entity.
On top of everything, there’s still no guarantee that when a hacker says they’ll give you a decryption key and delete the data they’ve exfiltrated, they’ll follow through. Worse, it’s not unknown for ransomware operators to attack the same target twice.
“These are criminals, so they are generally not very reliable. But again, much of this will depend on the specific group. Unfortunately, there is no transparency in the overall payment for ransoms; those victims that pay typically do not advertise as such,” Rapid7’s chief scientist, Raj Samani, told Cyber Daily.
“This level of transparency is imperative, in my opinion, because it will likely demonstrate why paying ransoms is not the answer that many believe it is. Despite receiving payment, many ransomware groups have a history of either providing decryption keys of insufficient quality, or not providing the keys at all.”
But if you do feel compelled to pay – and if that’s the case, it’s worth noting that for all of the above, you are not alone – here’s what you can expect the process to look like.
The ransom note
If you look at the statistics for which ransomware groups an Australian organisation is most likely to be targeted by, you might expect to be dealing with either Lockbit or RansomHub. However, while they’re historically the threat actors with the most Australian victims, the current reality is a little different.
Lockbit is a shadow of its former self following a series of law enforcement takedowns and arrests, and RansomHub appears to be on an extended hiatus, possibly while it moves its operations to new infrastructure.
That means that an Australian organisation is, on balance, most likely to be targeted by the Akira ransomware gang, the third most active in the country behind Lockbit and RansomHub, so it’s the communications of that group that we’ll focus on for this article, beginning with its ransom note, which is pretty typical of ransomware operators generally.
“Whatever who you are and what your title is if you’re reading this it means the internal infrastructure of your company is fully or partially dead, all your backups – virtual, physical – everything that we managed to reach – are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption.”
That’s a pretty intimidating first paragraph, but Akira immediately tries to calm things down.
“Well, for now let’s keep all the tears and resentment to ourselves and try to build a constructive dialogue. We’re fully aware of what damage we caused by locking your internal sources.”
The note then outlines the benefits of entering into negotiations. Paying up saves time and money in the long run, and victims are also offered a full security audit outlining how Akira got into their network in the first place. The gang even offers to walk its victims through how to access cyber insurance.
Then the threats begin.
“As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes – generally speaking, everything that has a value on the darkmarket – to multiple threat actors at ones (sic). Then all of this will be published in our blog…”
Akira then claims that it is just looking for a quick settlement and provides instructions on how to access the gang’s darknet chat room.
“Keep in mind that the faster you will get in touch,” the note concludes, “the less damage we cause.”
Akira, like most ransomware actors, knows full well that it is likely talking to a victim that has very few plans in place for such an incident, and acts accordingly, offering threats and friendly advice in equal measure. The hackers are banking on their victims already being in a state of panic when negotiations actually start.
The first steps
Once you decide to negotiate, the first step is to decide who in your organisation is going to make that actual contact, and here, the best practice is to immediately seek an external negotiator.
Samani employed an apt analogy about why you should never enter into negotiations yourself.
“The best analogy I could use is: I’m pretty good at cyber security. I’m a pretty decent painter, too, but if you look at my house, I get the experts in to do the painting of the house because they do a really good job – I just can’t do it,” Samani said.
“I’m a smart guy, but I don’t really have the skill to do it, and it’s the same thing with anything in life.”
According to Samani, the smart play is to employ someone who talks to cyber criminals as an aspect of their full-time job – everyone else is just an amateur.
“Ideally, the spokesperson would not be someone in your organisation but rather someone from a reliable third party with experience in such discussions,” Samani said.
However, for whatever reason – and there are very likely good ones – you’re going it alone. Before you even contact the criminals, you’ll want every stakeholder at the table. For one thing, everyone from the board down needs to know, and for another, even if you don’t have a playbook for handling a ransomware negotiation, everyone still needs to be clear-eyed about your goals, particularly if you’re seeking to negotiate your payment down from the initial ransom demand.
The good news is that ransoms are commonly lowered by considerable amounts during the negotiation process; the bad news is that the negotiation process can be pretty adversarial.
The negotiation begins
The first part of any negotiation process with Akira – and many other operators – is establishing bona fides. The first thing Akira’s spokesperson will ask is whether or not you have permission to actually handle the negotiation.
“You’ve reached Akira support chat. Currently, we are preparing the list of data we took from your network. For now you have to know that dealing with us is the best possible way to settle this quick and cheap. Keep in touch and be patient with us. Do you have a permission to conduct a negotiation on behalf of your organisation? Once we get a response you will be provided with all the details.”
All you have to do is say yes, and you’re good to go. The next phase, though, is where Akira provides proof that it does in fact have your data. Akira sends through a listing of all the files exfiltrated during the attack, and asks you to pick three files, which Akira will send as proof-of-hack.
Akira’s spokesperson then asks you to pick a selection of files encrypted during the attack and send them to Akira. The hackers will then send back decrypted versions of those files to prove that their decryptor – the key that will unlock all the data encrypted during the attack – actually works.
Once everyone knows where they stand – the hackers have proven they have your data, and proven they can decrypt everything on your end – the hard part begins.
Pay to play
In several of the Akira negotiations observed by Cyber Daily, the victim has made an early effort to convince the hackers to send them the key – this is pointless. The criminals want a payday, and they’re not going to give anything away for free.
The hackers are also not shy about exploiting the data they’ve just stolen.
“So, we’ve gone through your files to define your financial abilities. We’ve been looking through your bank statements, net income, cyber liability limits, financial audits – all the info that might help us to calculate our demand to you.”
In the negotiation we’re going to focus on, Akira determined that the victim could afford a ransom payment of US$1,700,000.
Unsurprisingly, the victim in this instance baulked at the idea, claiming the data Akira had on hand was not the entire financial picture and the company could not possibly pay. The hackers immediately dropped the price – but with a caveat. Pay up now, and we’ll work with you.
“In case you of quick payment, we will be able to consider a discount. We are going to work with seven figures though.”
The victim then asked how they could simply recover their data, and Akira offered a significant drop in the ransom demand – and not the last.
“Our request is quite possible for a company like yours. We both know this. If you need our decryption services only, we can end this incident at $1,000,000. We won’t go lower. This is a good price for getting back to business quick and without troubles.”
Suffice it to say, the business continued to maintain that it could not afford the sum. Through the whole process, Akira’s spokesperson displayed hostility to the negotiator, pressuring them to respond fast and warning that they wouldn’t wait forever for counter-offers. In this case, after the victim appealed to the hackers’ empathy (hint: they have none), the hackers threatened to publish if an outcome was not reached, and the victim offered a ransom payment of US$20,000.
Akira did not respond well. It published news of the hack to its darknet leak site and let the victim know it had done so, before attempting to lay down the law.
“We will never accept such a small amount. You’re offering us 20k against 1M. How do you think we will be able to agree? We will wait a bit more and then will cancel the deal. There is nothing to talk about at the moment.”
Enter, the negotiator
At this stage, a new negotiator enters the chat on the victim’s behalf. They say they’re a more senior employee with authorisation from the boss, but they come across as remarkably well-versed in handling cyber criminals. It’s entirely possible that the company finally brought in a professional third party, but regardless, this is when real progress starts being made.
With the data now published, the new negotiator attempts first to get that data removed from Akira’s leak site, explaining that it would go a long way toward establishing good faith negotiations. The negotiator apologises for the previous low-ball offer and re-focuses the negotiation as one between two parties “here to do business”.
In this part of the negotiation, the negotiator goes out of their way to be polite and positive, emphasising that they are “Looking forward to finalising a deal” and carefully managing expectations for payment. And despite not getting a new ransom offer, the hackers finally relent and promise to take down the data.
“I still do not see any decent offer from your side. We will take the post down later.”
Then, the haggling begins anew. The company offered a payment of US$110,000, which the hackers responded to with a demand of $650,000. This is still a large amount of money, but far short of the original seven-figure demand.
Throughout the process, the negotiator does their best to present themselves as a reasonable middleman, attempting to find a happy medium between what the company is willing to pay and what the criminals will accept. The negotiator shares some more financial data by way of explaining the constrained nature of what the company can afford, and at this point, the Akira spokesperson appears to admit to something quite interesting.
“Thank you for the report but it seems like a trick, we were waiting for verified signed documents. Anyway, even if it is true, we do not have real picture (your savings, your investments, your net assets etc.). We believe we’re asking for a fair amount and are willing to close the deal.”
This flies in the face of what the hackers said back at the start of the negotiation, which was days ago at this point. Here’s what they said earlier.
“So, we’ve gone through your files to define your financial abilities. We’ve been looking through your bank statements, net income, cyber liability limits, financial audits – all the info that might help us to calculate our demand to you.”
Basically, the spokesperson admits that they do not, in fact, have all the details necessary to establish what the victim can afford – they’ve been negotiating in poor faith this entire time.
Negotiations continue from here, but it seems clear the negotiator is closing in on an acceptable figure. A figure of US$250,000 is finally settled upon, which the negotiator carefully confirms is for both a decryptor to unlock the data on the victim company’s network, and for Akira to delete the data.
Once that’s settled, negotiations move into the final stage.
Everybody gets what they want… Eventually
Now that a sum has been agreed upon – US$250,000 haggled down from US$1,700,000 – the victim and the criminals get down to the nitty gritty of transferring funds and decrypting files. And, of course, there’s a new wrinkle.
The issue to be aware of here is that hackers like to be paid in Bitcoin, and purchasing BTC comes with a commission, which in this case takes the amount the company in question needs to spend from US$250,000 to up to US$275,000. The negotiator employs a clever tactic here – they say up front that, sure, they can pay that, but it will take more time, and already the hackers are getting antsy about payment.
Alternatively, the negotiator says, if the hackers are willing to drop what they receive by the cost of the commission – that is, by $25,000 to $225,000 – payment can be processed right away.
“Are you able to send $225,000 today? If so, we’re willing to accept.”
And like that, the deal is done. In this case, the hackers suggest, smartly, that the victim send a test transaction – a small sum so that both parties can see that the correct wallet address has been provided and everything is above board.
Happy endings?
Both the victim and the hackers are almost done with the negotiation. The ransom has been transferred, Akira is happy with the sum, and now it’s time for the hackers to share their decryptor, but – perhaps unsurprisingly – even this process is fraught.
In this case, the hackers shared the wrong unlocker, though, eventually, they appear to have provided the correct one. Then the password provided for decryption is incorrect, but, again, that is eventually provided as well. At this point, the negotiation is almost mundane, a perfect example of less-than-stellar customer service as the Akira spokesperson sheepishly admits mistakes on the ransomware gang’s part.
The final step is proof of deletion, which Akira provides, and the promised ‘breach report’… which is the most generic list of cyber security protocols imaginable, and not at all tailored to the breach in question.
As the negotiator notes, “I must say the breach report looks quite generic and not specific to us”.
There’s one more back-and-forth about providing the correct passwords, but, eventually, after 170 discrete messages passing back and forth, the negotiation is complete, and all parties are, if not happy, at least somewhat satisfied.
Should you pay?
“Well, to put it bluntly, don’t do it. Firstly, you are supporting organised crime, but also there is no guarantee there will be any successful conclusion to the negotiation,” Samani said.
“There are professional firms that do this all of the time, so if you feel you must pay then use a legitimate organisation to handle the negotiations. Also, remember to check NoMoreRansom – a decryption key may be available.”
For every expert who decries ransomware payments and says they should never be made, there are always exceptions. As a rule of thumb, no, we should not be paying criminals to fix problems they created in the first place. No, we should not be giving in to extortion and contributing funds to a criminal ecosystem. And no, the fact that they were clever enough to hack you does not mean the hackers are capable of helping you decrypt your files, even if negotiations do succeed.
In this case, the company in question went through two negotiators and a not insignificant amount of both time and money to achieve the outcome they were hoping for. With just a small amount of planning and forethought, a decent backup would have solved the decryption problem and taken away one of the key bargaining chips the hackers held.
And in a convoluted cyber-criminal ecosystem, even after files have been recovered and the exfiltrated data has been deleted from the hackers’ systems, there’s simply no guarantee you’re off the hook. The hackers may attempt a second attack now that they know the company is willing to pay; other criminals may follow suit, or the data could later emerge and be maliciously remonetised despite the promises otherwise.
There is, simply, no way to know for sure. So, don’t pay a ransom… Unless you absolutely feel you have to.
The majority of experts we’ve spoken to admit that in some cases, paying the ransom may seem the smarter play. If the data you know has been compromised is particularly sensitive – patient data, for instance, or if critical systems have been taken offline and business continuity requires a ransom to be paid – then perhaps it’s the best move.
However, if negotiations are ever entered into, it’s worthwhile to know what to expect, the pressure tactics criminals employ, and that the final price is never the final price.