Why Using Ransomware Negotiation Services Is Worth Trying
Ransomware victims face a difficult decision: pay the ransom, or refuse and absorb the fallout. The FBI, the Treasury Department and others advise against paying, but in practice refusing is not always feasible.
For organizations that have decided to pay, ransomware negotiation services are an option.
What are Ransomware Negotiation Services?
Ransomware negotiation services are third-party brokers hired to act as an intermediary between the victim organization and the ransomware group. These services often operate as part of the incident response supply chain.
“If you decide to pay a ransom, I strongly recommend that you do not negotiate on your own,” said Gartner analyst Paul Furtado. “You don’t know what a ‘good’ bargain looks like. If you don’t deal regularly with this group and these bad actors, you don’t know whether you should accept their offer of 30% off or a 5% discount. Or should you expect a 90% discount?”
If a do-it-yourself negotiation goes badly, the gang can simply walk away. “You run the risk of angering them,” Furtado added. “They might walk away from the table and say, ‘I’m done talking to you, you have to pay full price.’”
Why Consider Ransomware Negotiation Services
As specialists in the field, ransomware negotiation services have a better understanding of how to deal with threat actors and a better chance of achieving the desired outcome.
First, they have prior knowledge of the groups involved and often know their track record, for example, whether they have leaked stolen data in a double extortion scheme even after the ransom was paid.
“Do [ransomware groups] do what they say they’re going to do, or are there examples of victims who paid and had their data released anyway?” Furtado said.
Additionally, by managing communications with the attackers, negotiation services can slow the pace at which the company must respond to the ransom demand and any eventual payment, said Daniel Kennedy, an analyst at 451 Research. “At least one ransomware group has warned victims against engaging a third-party vendor, which is a form of endorsement on some level that these negotiators are successful with their methods.”
Drew Schmitt, an analyst at GuidePoint Security, a Virginia-based cybersecurity consultancy, said negotiation services present themselves as part of the victim organization. “As soon as [bad actors] hear about you using a third party, they will cut off communication or increase the ransom.”
Some companies work with a federal agency and still pay the ransom. CNA Financial, for example, paid a $40 million ransom while working with the US Secret Service because paying was judged the best option to protect its business and the stolen data, Furtado said.
Overall, ransomware incidents involve complexities that organizations and their incident response teams may not be prepared for. These include knowing how to communicate on the attacker’s chosen platform, acquiring and transferring cryptocurrency for payment, and more, Kennedy said.
The ransomware negotiation process
At GuidePoint Security, Schmitt explained, ransomware negotiation services are called in after an organization discovers ransomware on its systems along with the readme file containing the ransomware group’s demands.
The company’s consultants provide digital forensics and incident response assistance, starting with determining the best negotiation approach based on the ransomware group and its history.
“A lot of times we have a good idea if they’ll be open to negotiations and price reductions and what that might even be,” said Mark Lance, senior director of cyber defense at GuidePoint Security. “These threat actors are signing on because while they’re not trying to take as little money as possible, they also don’t want to walk away from the money, in most cases.”
Once the initial research is complete, communication and negotiation begin, including assessing whether the ransomware group can be trusted to provide a working decryptor. Once a price is agreed, the negotiation service handles the brokering and obtains the cryptocurrency needed to pay the ransom.
Finally, consultants assist in the recovery process and monitor for the threat actor publishing company data online as the second stage of a double extortion attack.
Ransomware Negotiation Services vs. Cyber Insurance
Negotiation services have been around for a while, with some predating ransomware cyber insurance. That said, the two aren’t completely separate, said Dave Gruber, an analyst at Enterprise Strategy Group, a division of TechTarget. “Some cyber insurance providers are working with negotiation experts to help reduce claims payouts.”
Organizations with cyber insurance need to protect their policy documents. Schmitt said many threat actors are cyber insurance savvy and hunt for policy documents on compromised systems to use that information when negotiating. “On their end, they’ll say, ‘We know your policy covers $250,000, so that’s the amount we want,’” Schmitt said.
No ransomware negotiation process is perfect
Although there is no guarantee that a ransomware negotiation will succeed, organizations have a better chance of a good outcome if they enlist these services. This is largely because consultants know details about the attack and the attacker that the victim organization may not.
“Dealing with small nuances with communication and ransomware may not be something companies want their internal incident response teams to do when there is an active deadline for when ransomware operators take negative action,” Kennedy said.
If an organization decides to pay a ransom to protect its customers and critical company data, it is worth considering ransomware negotiation services to keep the process from going off the rails.