
What To Expect in a Ransomware Negotiation

10/26/2021 | 08:16am EST

This standard introduction shows a level of professionalism, indicating that the ransomware group uses a standard playbook for negotiating staff. While other ransomware families do not start every conversation with the same introductory message, chat conversations from the ransomware families we analyzed typically include a few key points, which we list here.

What was stolen

While the amount and nature of stolen data varies, it always includes items that are critical to the company, including but not limited to financials, contracts, databases, and employee and customer personally identifiable information (PII). The criminals always offer to decrypt some sample files as proof, and in some cases they will provide a file tree of what has been stolen.

Price negotiation

Many victims state that they are willing to pay to decrypt data and prevent it from being leaked, but they simply cannot meet the initial demand. The criminals' main defense or justification for the price includes either the victim's bank account balance or insurance policy information.

Discounts and price drops

We observed price drops from the initial demands that are anywhere from 25 to 90%. Each group appears to have their own philosophy and standard with regard to discounts they will provide. However, what the criminals initially claim as their discount policy does not stay true for long. In some cases, a price is agreed upon and the actors publish the stolen data anyway. In other cases, the final discount goes far beyond what the criminals initially identify as their lowest possible offer.

Shift in tone

There is also a distinct shift in tone at some point in the majority of conversations. The criminals begin by firmly reassuring the victim that paying is the best possible option. They reinforce their argument by reminding the victim that having their data leaked would result in legal trouble and regulatory fines, or that using a data recovery service is not worth their time and money. During these early stages, they even claim that they are here to help the victims.

However, this approach eventually turns sour as ransomware actors become impatient, pushy, and aggressive. One likely reason for their impatience is that they do not want the victim organization to grow comfortable, forget the severity of their situation, or mitigate the threat without any "help" from the criminals themselves. Their statements thus shift from something along the lines of "Please let us know if you have further questions!" to "As you may have noticed, your website is currently unavailable. It's the initial phase of our campaign for your company liquidation...We are well aware you don't have any backup, so we will be waiting while you will be suffering losses."

What potential victims should do

It is generally understood today that for organizations, it is not a question of if they will be targeted by ransomware but when. Knowing and accepting that is critical to preventing a ransomware attack from inflicting severe damage to any organization.

To prepare for the possibility of a modern ransomware attack, organizations of all sizes and verticals should consider the following:

  1. Make a plan and just as importantly, test it. Develop a ransomware incident response plan and run simulations or tabletop exercises with all relevant teams. Run it through with the board and C-suites to reach an agreement. Every team member must know their role and how to accomplish it before an actual crisis arises. For instance, one decision that needs to be reached is whether or not your organization is willing to pay the ransom. While we do not recommend paying, should it be the path that your organization opts for, we do advise that you have a plan in place to follow through with financial logistics.
  2. Hire a professional negotiator. Certain organizations specialize in this exact field of negotiating ransom terms on behalf of companies. Based on our observations, most ransomware actors don't care if they are speaking with a negotiator or an employee of the victim organization. However, the Grief ransomware has recently stated otherwise.

The goal of negotiating is often to buy yourself time while you recover data from any of your backups. Indeed, generally victims want to prevent data leakage or further extortion, but they ultimately don't plan to pay the ransom, either. If this is true for your organization's incident response plan as well, then it will be critical to know that and have everyone understand that goal before an attack occurs.

It is also important to be aware that criminals might use multiple extortion models, so organizations should understand and plan for the possibility of double, triple, and quadruple extortion. Ultimately, of course, preventing a successful ransomware attack is the best option. This requires a comprehensive security plan, which is a challenge for many organizations.

How to avoid becoming a victim

While it is essential to know the plan in case it is needed, organizations would naturally prefer any attack to fail. Still, it bears repeating that all organizations should expect to be targeted and plan accordingly, as doing so is the critical first step to prevention.

One helpful starting place to protect systems against ransomware is to use the National Institute of Standards and Technology's (NIST) framework and ransomware-specific tips, such as the following:

  • Configure hardware and software correctly for your environment.
  • Follow the principle of least privilege and limit administrative access as much as possible.
  • Patch and maintain software updates. Leverage virtual patching when you need time to implement patches.
  • Audit and monitor event logs. Logging security events is only helpful if someone is monitoring those logs against a baseline to know when something abnormal is occurring.
  • Use the 3-2-1 rule for data backup: Create three backup copies in two mediums, with one that is physically separate.
  • Train employees and test systems to make sure your security assumptions are verified when tested.

To help you reach these security goals and protect your organization against a successful ransomware attack, Trend Micro Vision One™ compares detections across the IT environment with global threat intelligence to correlate data and draw actionable conclusions. Named the industry's best by Forrester, the security platform adds the strongest protection against ransomware and other attacks.


Trend Micro Inc. published this content on 26 October 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 26 October 2021 12:15:11 UTC.

© Publicnow 2021