The Australian Cyber Security Centre received nearly 500 reports of ransomware attacks against Australian organisations last financial year. CERT NZ received over 70 reports during the same period. The actual number of cyber extortion attacks is much higher. This post discusses why victim organisations might wish to open a channel of communication with their attackers for reasons other than paying a ransom. It then outlines principles for staying safe during this engagement.
Every year, my team responds to hundreds of cyber attacks against Australian and New Zealand organisations. We monitor – and skirmish with – cyber criminals every day. And we help organisations respond, repair and rebuild after they’ve been hit by ransomware and cyber extortion attacks.
Nearly every organisational leader facing a cyber extortion attack asks me the same question – should I pay a ransom?
But this isn’t the most important question, or even the first question, which a victim organisation needs to consider. There are other reasons why we engage with cyber criminals, aside from negotiating a payment. And, depending on what the victim organisation aims to achieve, engagement can start at all stages of an attack – not just at the point of resolution.
Why victim organisations engage with their attackers
In our experience, key objectives of attacker engagement include:
- To stop the attacker conducting further malicious activities
- To confirm what information was stolen from the network
- To know when the attacker plans to publish stolen data online
- To confirm the ability to decrypt data, for example by obtaining decrypted copies of ‘sample files’ from the attacker
- To learn more about the attack to help the immediate response, or to help protect the organisation in future.
Of course, the word of a criminal should never be the sole basis of an investigation, reporting or security remediation. In CyberCX’s experience, attackers are often inaccurate or incomplete with the information they provide. But information solicited from an attacker can complement evidence recovered by forensic investigators.
There is one final set of reasons for engaging with an attacker:
- To negotiate the purchase of a decryption program to recover files and systems
- To obtain agreement that the attacker won’t post stolen data online, or
- To obtain agreement that the attacker won’t carry out further malicious activities.
Again, the word of an attacker can never be completely trusted, even in situations where our experience shows they have a strong track record of being true to it.
While CyberCX does not condone paying cyber criminals, we recognise that, in some situations, victim organisations feel compelled to consider paying a ransom.
There are reasons for engaging with an attacker other than to negotiate a payment, including:
- Influence attacker behaviour
- Learn about the attack
If you’ve decided your best approach is to engage with an attacker, keep in mind:
- Don’t take it personally
- Obtain professional help
- Make intelligence-informed decisions
Principles for success
Regardless of the reason for engaging with a cyber criminal, there are strategies victim organisations can use to engage with their attacker successfully and safely.
‘It’s not personal, it’s just business’
Cyber criminals generally want one thing: to monetise their attacks with minimal effort and conflict. They often apply the ‘it’s just business’ approach to their communication and negotiation. We have found that adopting a similar approach helps organisations achieve the best outcome, whether they choose to pay attackers or not.
Obtain professional help
Victim organisations will be best supported by a professional services firm with experience both assisting victims and engaging with cyber criminals, and with access to high-quality threat intelligence.
Organisations are often more inclined to pay ransoms in the early stages of an incident when the perceived impact is most dire. Some attackers employ tactics to create pressure on the victim organisation to pay at this stage because they know the more time that passes, the higher the chance the victim organisation chooses alternate paths to resolution.
Make intelligence-informed decisions
Cyber intelligence can inform decision-makers about:
- Who the cyber criminals are
- How they are known to operate
- What to expect in response to the victim organisation’s actions.
While intelligence about a cyber crime group is valuable and should be factored into decision-making, it doesn’t provide certainty. Many of the major cyber crime groups are composed of affiliate members, so even subsequent engagements with the same group can play out in different ways.
Protect organisational and individual privacy
If an attacker provides a link to an online chat function on their dark web site, anyone who holds that link can often read the full transcript of the discussion. That could be as simple as an employee who found a copy of the ransom note on another system. It is therefore worthwhile asking attackers to move communications to a channel that is not exposed in the ransom note.
Additionally, cyber criminals won’t identify themselves – neither should you. They only need to know they’re dealing with someone who is authorised by the victim organisation to deal with them. Personal safety is important.
Remember that cyber criminals are just that – criminals
While cyber criminals may provide assurances, and some even have strong reputations for keeping their word, they can’t provide absolute certainty regarding their actions. It’s important to remember that you’re dealing with criminals, therefore there are no guarantees.
Nick Klein is the Executive Director, Digital Forensics and Incident Response.
The above is an edited extract from the CyberCX Best Practice Guide: Ransomware and Cyber Extortion. The Guide provides practical tools for people at all levels of an organisation to understand and manage the risk posed by ransomware and cyber extortion. The full Guide is available for download here.