This standard introduction shows a level of professionalism, indicating that the ransomware group equips its negotiators with a standard playbook. Other ransomware families do not start every conversation with the same introductory message, but the chat conversations we analyzed across families typically touch on a few key points, which we list here.
What was stolen
While the amount and nature of stolen data varies, it always includes items critical to the company, including but not limited to financials, contracts, databases, and employee and customer personally identifiable information (PII). The criminals always offer to decrypt a few sample files as proof that decryption works, and in some cases they also provide a file tree of what has been stolen.
Many victims state that they are willing to pay to decrypt their data and prevent it from being leaked, but they simply cannot meet the initial demand. The criminals' main justification for the price is either the victim's bank account balance or the details of its insurance policy.
Discounts and price drops
We observed price drops from the initial demand of anywhere from 25% to 90%. Each group appears to have its own philosophy and standard for the discounts it will grant. However, what the criminals initially claim as their discount policy does not hold for long. In some cases a price is agreed upon and the actors publish the stolen data anyway; in others, the final discount goes far beyond what the criminals initially identified as their lowest possible offer.
Shift in tone
There is also a distinct shift in tone at some point in the majority of conversations. The criminals begin by firmly reassuring the victim that paying is its best possible option. They reinforce the argument by reminding the victim that a data leak would bring legal trouble and regulatory fines, or that a data recovery service is not worth the time and money. During these early stages, they even claim to be there to help the victim.
However, this approach eventually turns sour as the ransomware actors become impatient, pushy, and aggressive. One likely reason for their impatience is that they do not want the victim organization to grow comfortable, forget the severity of its situation, or mitigate the threat without any "help" from the criminals themselves. Their statements thus move from something along the lines of "Please let us know if you have further questions!" to "As you may have noticed, your website is currently unavailable. It's the initial phase of our campaign for your company liquidation...We are well aware you don't have any backup, so we will be waiting while you will be suffering losses."
What potential victims should do
It is generally understood today that for organizations, it is not a question of if they will be targeted by ransomware but when. Knowing and accepting that is critical to preventing a ransomware attack from inflicting severe damage to any organization.
To prepare for the possibility of a modern ransomware attack, organizations of all sizes and verticals should consider the following:
Make a plan and, just as importantly, test it. Develop a ransomware incident response plan and run simulations or tabletop exercises with all relevant teams. Walk the board and C-suite through it so that the key decisions are agreed in advance. Every team member must know their role and how to carry it out before an actual crisis arises. For instance, one decision that must be made ahead of time is whether or not your organization is willing to pay the ransom. While we do not recommend paying, should your organization opt for that path, we advise having a plan in place for the financial logistics of following through.
Hire a professional negotiator. Certain firms specialize in negotiating ransom terms on behalf of victim companies. Based on our observations, most ransomware actors do not care whether they are speaking with a negotiator or with an employee of the victim organization. However, the Grief ransomware group has recently stated otherwise.
The goal of negotiating is often to buy time while you recover data from your backups. Indeed, victims generally want to prevent data leakage or further extortion, but they ultimately do not plan to pay the ransom either. If this is true for your organization's incident response plan as well, it is critical that everyone knows and understands that goal before an attack occurs.
It is also important to be aware that criminals use multiple extortion models, so understand and plan for the possibility of double, triple, and quadruple extortion. Ultimately, of course, preventing a successful ransomware attack is the best option. This requires a comprehensive security plan, which is a challenge for many organizations.
How to avoid becoming a victim
While it is essential to know the plan in case it is needed, organizations would naturally prefer any attack to fail. Still, it bears repeating that all organizations should expect to be targeted and plan accordingly, as doing so is the critical first step to prevention.
One helpful starting point for protecting systems against ransomware is the National Institute of Standards and Technology's (NIST) framework together with ransomware-specific tips, such as the following:
Configure hardware and software correctly for your environment.
Follow the principle of least privilege and limit administrative access as much as possible.
Patch and maintain software updates. Leverage virtual patching when you need time to implement patches.
Audit and monitor event logs. Logging security events is only helpful if someone is monitoring those logs against a baseline to know when something abnormal is occurring.
Use the 3-2-1 rule for data backup: keep three copies of your data, on two different types of storage media, with one copy stored off-site. Keep that off-site copy offline or otherwise isolated from production credentials, so that an attacker who has encrypted the live data cannot encrypt or delete the backup as well.
Train employees and test systems to make sure your security assumptions are verified when tested.
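The "monitor against a baseline" point above is easier to act on with a concrete detector in hand. The following is an added example written for this edit, not code from the original article or from Trend Micro: it parses constructed file-server audit events, learns each user's normal write volume and the file extensions they usually produce, and alerts on a window where a user suddenly writes or renames far more files than their baseline peak and most of those files carry an extension never seen for that user (the classic signature of mass encryption). The log line format, hostnames, user names, paths and thresholds are all hypothetical.

```python
"""Baseline-driven monitoring of file-server audit events for ransomware-like activity.
Added example, not code from the original page. Log format, hosts, users and thresholds are constructed."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed (hypothetical) audit-log line format:  <ISO timestamp> <host> <user> <ACTION> <path>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<action>[A-Z]+)\s+(?P<path>\S.*)$")
WRITE_ACTIONS = {"WRITE", "RENAME", "CREATE"}   # actions that change file content or name
EPOCH = datetime(1970, 1, 1)

@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    action: str
    path: str

def parse_log(text):
    """Parse audit lines into Events; blank or malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["action"], m["path"]))
    return events

def extension(path):
    """Lower-cased final extension of the file name, or '' when there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def bucket(ts, window):
    """Start of the fixed-size time window containing ts."""
    return EPOCH + ((ts - EPOCH) // window) * window

def build_baseline(events, window=timedelta(minutes=5)):
    """Learn from known-good history, per user: the busiest write window and the extensions written."""
    per_window = Counter()
    exts = defaultdict(set)
    for e in events:
        if e.action in WRITE_ACTIONS:
            per_window[(e.user, bucket(e.ts, window))] += 1
            exts[e.user].add(extension(e.path))
    peak = defaultdict(int)
    for (user, _), n in per_window.items():
        peak[user] = max(peak[user], n)
    return {"peak": dict(peak), "exts": {u: frozenset(s) for u, s in exts.items()}}

def detect(events, baseline, window=timedelta(minutes=5), burst_factor=5, new_ext_ratio=0.5):
    """Alert on a (user, host, window) whose write count exceeds burst_factor x the user's baseline
    peak AND where most written files carry extensions that user never produced before. Requiring
    both keeps legitimate bulk jobs (many writes, familiar extensions) quiet. A user absent from the
    baseline has peak 0, so any burst of unfamiliar extensions from that account alerts."""
    groups = defaultdict(list)
    for e in events:
        if e.action in WRITE_ACTIONS:
            groups[(e.user, e.host, bucket(e.ts, window))].append(e)
    alerts = []
    for (user, host, start), evs in sorted(groups.items(), key=lambda kv: kv[0][2]):
        peak = baseline["peak"].get(user, 0)
        known = baseline["exts"].get(user, frozenset())
        unseen = Counter(extension(e.path) for e in evs if extension(e.path) not in known)
        if len(evs) > burst_factor * max(peak, 1) and sum(unseen.values()) / len(evs) >= new_ext_ratio:
            alerts.append({"user": user, "host": host, "window_start": start.isoformat(),
                           "writes": len(evs), "baseline_peak": peak, "new_extensions": sorted(unseen)})
    return alerts

# Constructed sample data. Baseline: a normal morning on file server fs01.
BASELINE_LOG = """
2021-09-01T09:00:12 fs01 alice WRITE /share/finance/q2_forecast.xlsx
2021-09-01T09:01:40 fs01 alice WRITE /share/finance/board_deck.pptx
2021-09-01T09:03:05 fs01 alice WRITE /share/finance/vendor_contract.docx
2021-09-01T09:07:55 fs01 alice READ /share/finance/q1_actuals.xlsx
2021-09-01T09:02:10 fs01 bob WRITE /share/eng/build.log
2021-09-01T09:04:33 fs01 bob RENAME /share/eng/release_notes.md
2021-09-01T09:12:01 fs01 bob WRITE /share/eng/build.log
"""
# Afternoon (constructed): alice's account renames 20 documents to .locked within one window, while
# bob's build job legitimately writes 12 .log files in the same window and must not alert.
ATTACK_LOG = "\n".join(
    [f"2021-09-01T14:30:{i:02d} fs01 alice RENAME /share/finance/doc_{i:03d}.docx.locked" for i in range(20)]
    + [f"2021-09-01T14:31:{i:02d} fs01 bob WRITE /share/eng/job_{i:02d}.log" for i in range(12)]
)

def run_demo():
    """Build the baseline from the morning log and run detection over the afternoon log."""
    return detect(parse_log(ATTACK_LOG), build_baseline(parse_log(BASELINE_LOG)))

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running it produces a single alert for alice on fs01 in the 14:30 window (20 writes against a baseline peak of 3, all with the unseen extension "locked"); bob's 12 log writes exceed his volume baseline but use a familiar extension, so they stay quiet. In a real deployment the baseline would be rebuilt periodically from a known-clean period, and the thresholds tuned per environment; the point is that raw event logging alone detects nothing until something compares it against what normal looks like.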
To help you reach these security goals and protect your organization against a successful ransomware attack, Trend Micro Vision One™ compares detections across the IT environment with global threat intelligence to correlate data and draw actionable conclusions. Named the industry's best by Forrester, the security platform adds the strongest protection against ransomware and other attacks.