How ransomware negotiations work | CSO Online

Ransomware has been one of the most devastating malware threats that organizations have faced over the past few years, and there’s no sign that attackers will stop anytime soon. It’s just too profitable for them. Ransom demands have grown from tens of thousands of dollars to millions and even tens of millions because attackers have learned that many organizations are willing to pay.

Many factors and parties are involved in ransomware payment decisions, from CIOs and other executives to external counsel and insurance carriers, but the increasing need to make such payments has created a market for consultants and companies that specialize in ransomware negotiation and facilitating cryptocurrency payments.

What happens when ransomware hits?

In an ideal world a ransomware attack should trigger a well-rehearsed disaster recovery plan, but unfortunately many organizations are caught off guard. While large enterprises might have an incident response team and plan for dealing with cyberattacks, the procedures for dealing with various aspects specific to a ransomware attack—including the threat of a data leak, communicating externally with customers and regulators, and making the decision to negotiate with threat actors—are typically missing.

“Even in large publicly traded companies that do have IR plans, they don’t usually cover details related to ransomware,” Kurtis Minder, the CEO of threat intelligence and ransomware negotiation firm GroupSense, tells CSO. “Once we get to the process of decryption negotiation, of making that business decision, who should be involved, a lot of that is not documented. There’s no messaging or PR plan either. None of that exists for most companies that we get brought into, which is unfortunate.”

Even for companies that have practiced their IR plans and have procedures in place, it’s still sort of a blind panic when ransomware hits, according to Ian Schenkel, former vice president for EMEA at threat intelligence vendor Flashpoint and director of sales, EMEA, for VMRay. “We’re not just dealing with a piece of ransomware encrypting files and encrypting an entire network. What we’re seeing lately is sort of this second factor where they’re actually trying to extort more money out of you by saying: ‘If you don’t pay the ransom, we’ll leak all the information we have about your organization’.”

In other words, as more ransomware groups adopt this double-extortion technique by combining file encryption with data theft, a ransomware attack that is ultimately a denial of service also becomes a data breach that’s subject to various regulatory obligations depending on where in the world you are and what type of data was compromised. While in the past private companies didn’t have to publicly disclose ransomware attacks, they might increasingly be forced to because of this data breach component.
