Infosecurity Europe
4-6 June 2024
ExCeL London

Behind-the-Scenes: How to Negotiate with Ransomware Gangs

Azeem Aleem from cyber-negotiation specialist Sygnia shares how to navigate complex ransomware negotiations amidst a record rise in cyber-threats

The year 2023 could establish itself as a record year for financially motivated cyber-attacks as we experience a revival of the ransomware threat following a slight decline in 2022.

July 2023 alone saw a 153% rise in ransomware attacks compared with 2022, according to research by NCC Group.

Almost every time these attacks happen, victims are enticed by cybercriminals to enter into negotiations in order to avoid a data leak, get their data back or recover parts of their system that have been compromised.

Azeem Aleem, managing director for Northern Europe at Sygnia, took Infosecurity behind the scenes of one of these complex negotiations that his company dealt with on behalf of the victim.

In this real-life scenario the unfortunate target was a manufacturing company whose manufacturing unit had been hit by a cyber-attack from the BlackBasta ransomware gang.

The BlackBasta ransom message sent to the firm demanded 3000 bitcoins – which at the time of the incident equated to $20m – if the victim wanted to avoid the group from leaking or wiping data it had stolen. The victim had been given 72 hours to respond.

“When an organisation is hit by ransomware, it can go two ways: either it is willing to pay a ransom or isn’t. In both cases, negotiation is key,” Aleem insisted.

The War Room: Setting a Secure Channel with the Board

Negotiating with the attacker allows the defenders two crucial moves:

  • Buy back time by attempting to extend the required response time
  • Feed any critical information from the conversation back to the technical team in order to find clues for attribution, remediation or recovery

In this case, attribution was relatively straightforward because BlackBasta was very vocal about identifying themselves. In addition, the communication channel used for the negotiation was hosted on a dark web service owned by the ransomware gang.

“We experienced lesser-known ransomware groups trying to use other groups’ techniques, tactics and procedures (TTPs) or infrastructure in order to confuse their victims, but the most famous groups like BlackBasta, Clop or LockBit are usually transparent on who they are,” Aleem explained.

Sygnia set up a team of eight people working remotely on different areas to help the victim get back up and running as quickly as possible while avoiding too much damage.

Each team member specialised in one field of expertise, including a qualified negotiator who had a PhD in behaviour classification and had been a negotiator in the physical ransom world, Aleem explained.

Before starting negotiations, the first step is to set up the ‘war room,’ a secure internal channel between the Sygnia team, the board of executives and some IT and security decision-makers from the victim organisation.

Building Trust with Your Enemy

Once the war room is ready, the negotiation starts in parallel with other processes. This includes the forensic investigation to identify what has been hit and how; containment measures to protect what has not been compromised; and recovery mechanisms to get the system operational as soon as possible.

Although most ransomware groups Sygnia is dealing with are not native English speakers, they usually want to converse in English.

“The negotiations are in English 90% of the time, although our team can speak 28 languages if needed. However, how the attackers speak English usually gives clues about their location. They usually use slang terms, a specific vocabulary, or broken translations from another language. Since most groups now work 24/7 and have members all over the world, language is a good way of knowing who you are dealing with,” Aleem explained.

During the negotiation, the Sygnia professional uses various tricks to buy back time and collect valuable information to feed the technical teams.

Aleem said this is where the negotiator leverages his knowledge of human behaviour. “For instance, our negotiator can say they’re a woman and that they have to take care of their kids while dealing with the cyber-attack in order to ask for an extension.”

They can also ask the ransomware group to show a sample of the data they have managed to encrypt or exfiltrate. On the one hand, it will show the seriousness of the attacker; on the other, it’s a way for the defender to gather information on the attacker’s methods.

However, the negotiator must also build trust with the attacker for the negotiation to be successful.

“You don’t start negotiations with a ransomware group on a lie,” summarised Aleem.

“Unlike nation-state actors, ransomware groups are financially motivated. Therefore, they will try to make their time worthwhile by getting something – money – out of each transaction, making them more likely to be open to negotiation. They also need to maintain their reputation. So, while they won’t want to give away too much information, they will agree to show evidence they have critical data,” he added. 


Working in a Closed Loop

Feeding back information to technical teams within the victim organisation is also part of the negotiator’s job, but at the same time as they gather information they must remain in the attacker’s good books.

“Everything, every little detail, must be fed to all technical teams working on the case in a closed loop,” Aleem insisted.

“When we’re ready to end it, to say we’re not going to pay the ransom, for example, we know they will retaliate. We must ensure with the war room that we have everything ready to remediate and recover the systems, that we have built the walls and the trenches to protect the victim from another attack.”

Negotiations can last one to two weeks for the most straightforward attacks, but if a recovery process is needed, it can last up to 12 months.

Enjoyed this article? Make sure to share it!

Looking for something else?