The prevailing wisdom from cybersecurity experts is that trying to negotiate with ransomware hackers is a bad idea, but on December 30th, 2020, one victim broke the rules and gave it a shot.
“Help?” they typed into one of the compromised computers.
“Hello,” one of the hackers replied. “Are you ready to negotiate? Your network and all of your data were encrypted by [the] CONTI team. Besides the encryption process, we’ve downloaded a large pack of your internal documents and files that will be published in case our negotiations fail. The recovery price is $8,500,000.”
The haggling commences.
“It’s the price that’s causing us heartburn…” types the victim. Then, after some back-and-forth, an interesting thing happens: The hackers get the mistaken impression that their victims don’t need a decryption key, and just want the files to be destroyed. As a result, the hackers offer to reduce their demand to $2,125,000; a 70% reduction from the original ransom.
In a flash of brilliance, the victim doesn’t correct the misunderstanding and runs with it: “We are still far apart, but we view this as a positive step. Thank you.”
After a break, the victim comes back with a counteroffer: a measly $400,000. The hackers push for $600,000, and finally, a deal is reached at $450,000… except it isn’t. Just before the deal is done, the misunderstanding about the decryption key becomes apparent.
Luckily it was already too late. By this point, the cat was out of the bag about how little the hackers were willing to settle for. After agreeing on an expedited payment, the hackers accepted the offer — a stunning 94.7% reduction from their initial demand.
Learning From Other Peoples’ Mistakes
Most of the time, stories like this don’t see the light of day. The details of ransomware incidents are typically shrouded in secrecy and intentionally kept hidden from the public eye.
But French cybersecurity journalist Valéry Marchive doesn’t like all this secrecy. He thinks all these cloak-and-dagger conversations with ransomware gangs contain valuable insights into how cybercriminals operate, and can be used as a weapon to fight back.
To that end, Marchive spent the past few years compiling an extensive archive of ransomware negotiation chats, and recently made the archive available to the public. This trove of data is already proving useful in fighting back against ransomware. For example, Cyber Threat Intelligence Analyst Calvin So’s recent research report on the data uses stylometric analysis (essentially, the science of writing styles) to help identify individuals and patterns based on their text dialogue.
To aid in this effort, we analyzed a sample set of 50 negotiation transcripts from Marchive’s archives, and some noteworthy patterns and key takeaways emerged.
Don’t Pay the Sticker Price
We looked at the starting ransom demands by hackers and compared them to the lowest negotiated amount from 50 attacks from eight different hacker groups, after which one thing became apparent: People who paid the full ransom amount forked over far more than may have been necessary to appease the gangs.
In fact, in our selection of transcripts, victims were able to, on average, negotiate hackers down to a little over half of the amount that was initially demanded (52.7%).
Out of the sample selection, only one paid the full amount without attempting to get a discount. While not everyone ended up paying, a large portion did, and in selecting our set of negotiations, we used only those transcripts in which either a payment, a negotiation attempt, or (as was often the case) both, were made.
Playing as Professionals
Another interesting pattern among the hacking groups was their adoption of a professional and sometimes semi-congenial dialogue with their victims. Ransomware hackers at times present themselves as Robin Hood types who expose your security vulnerabilities and force you to pay them for the “service” of sharing how they got in and, of course, releasing encrypted data and/or deleting personal identifiable information.
“It was confirmed all your data is erased. So you are safe,” said one ransomware negotiator after their victim paid a Bitcoin ransom, followed by a phrase seen on many a shopping bag: “Thank you for your business.” On the surface, this might inspire some false “honor among thieves” reactions. But in reality, it’s just the tech equivalent of mob guys going to the corner store and asking for “protection” money.
As for the victims, some engaged in friendly banter with their hackers during negotiations. “Have a good night,” messaged one victim to his hackers after agreeing on a ransom price. “Tell your boss that you deserve some time off and a good drink, ” he continued. Another victim messaged compliments, saying, “BTW, the site you guys made is beautiful. Better support than normal companies :)…” It’s hard to say if these instances are a negotiating tactic or some digital form of Stockholm syndrome.
The Deadline Is Flex
An extended deadline is probably the easiest thing for victims to negotiate. It costs the hackers nothing, so long as the victim appears willing to come to the table and consider paying. With that, a big tell for hackers was how often they proposed to reduce the ransom as long payment was posted quickly.
This often served as the first gesture at the beginning of negotiations—hackers want transactions conducted quickly but are willing to push the deadline when they feel headway is being made or when the victim is busy securing funding.
Wolves in Sheep’s Clothing
“So far, it looks as your main objective is to f*ck with us,” types one hacker who doesn’t believe their victim’s financial excuses and pleas.
Beneath the facade of civility, an undercurrent of veiled and explicit threats simmers. In one tense exchange, a hacker challenges a victim, taunting them: “You want to show me your steel eggs? We have stronger ones.” This continues as they scoff at the victim’s counteroffer, issuing an ominous ultimatum: “We’re not interested in your funny offer, and if you don’t offer better, you will be published.”
In another exchange where negotiations reached an impasse over a victim’s counteroffer, the teeth come out again: “If your leadership wants to destroy the business for $1.2 [million], it’s his choice.” Then, as a reminder of how little they have to lose: “If we don’t reach an agreement, we’ll just shorten our profit. And on [the] other hand, you would be ruined.”
Don’t Deal With the Devil
While that anonymous company rep might have gotten away relatively unscathed, you shouldn’t take that as a sign that it’s worth negotiating with ransomware groups; quite the contrary, actually. “Whenever anyone asks me about what to do if they get infected with ransomware, I’ll always say: don’t pay the ransom,” says PCMag’s Lead Security Analyst Max Eddy.
While our sample set of transcripts didn’t show hackers reneging on their promise to release the hostage data once the victim paid, you have to bear in mind that they are criminals, and even if they release the data, there’s no guarantee they won’t make a copy of it to sell to others. As Max explains, “There’s no incentive for the bad guys to follow through. They got the money, and for them, that’s mission accomplished.”
This probably goes without saying, but one way to stick it to ransomware groups is never to fall prey to them in the first place. Fortunately, some best practices can help prevent individuals and companies from falling prey to hackers. To start, PCMag recommends implementing password policies requiring unique passwords of at least 20 characters. This is an easy and essential policy that should be in place for all employees’ work accounts and also for your personal accounts. To that end, we suggest using a reliable password manager to help create and manage your passwords across your various account.
You should also ensure all on-work-premise devices, such as smartphones and tablets, are properly configured with security features enabled. And simply make sure to patch and update your software and operating system regularly, and back up your data frequently. Finally, we recommend a variety of ransomware protection apps to help you stay safe.
You’re Not Alone
Ransomware hackers use tactics to isolate their victims and threaten them if they ask for help. This perpetuates the notion that no one is coming to help, and that the whole affair is an embarrassment to the victim that should be handled behind closed doors. But this couldn’t be further from the truth. There are many ways to seek help in the case of an attack.
The US Cybersecurity and Infrastructure Security Agency (CISA) offers an official Stop Ransomware Guide with plenty of helpful tips to avoid falling victim to hackers. It also provides free vulnerability scanning to help identify and address potential threats. Additionally, the FBI offers resources in prevention and where you can report cybercrime and get assistance.
A final observation: While some ransomware groups appear to be in a state of flux in light of the war in Ukraine, a recent report from Malwarebytes shows that attacks over the past year have increased, with the US taking the brunt of global attacks (at 43%). And increasingly, hackers are targeting public service sectors such as hospitals and schools.
We can count on criminal tactics evolving into the future—for example, the emergence of AI hackers. But whatever the future holds for ransomware criminals, the best policy is to stay a few steps ahead of them.